Torii Botnet Can Be Used to Exfiltrate Personal Data, Researchers Say

A botnet is a network of computers or devices infected with the same malware so that they can be directed to carry out cyber attacks at scale. Torii is one of the newest botnets to be uncovered, but it is believed to have been active for at least a year. Most botnets are used for mass spam email campaigns that, for example, spread ransomware or expose users to phishing scams. They can also be used for DDoS (distributed denial-of-service) attacks, which are meant to disrupt regular traffic to a server or network, and for cryptocurrency mining. Torii, however, has not been observed doing any of these things, although it certainly has the potential to. At the moment, the biggest threat appears to be that massive amounts of personal data could be exfiltrated. Exfiltration means that data is copied and transferred out of a system without the permission of its owner. Without a doubt, that is something you want to protect yourself against.

Torii is unlike other botnets that malware researchers have observed, and it has certainly surprised them. So, what is so special about this botnet? It could be used to execute virtually any command, which makes it extremely dangerous and versatile. Depending on who operates it – and it is possible that many cyber attackers could utilize it for their own gain – it could be used in all kinds of ways. That makes Torii botnet malware extremely difficult to analyze and remove. From what we know now – thanks to Vesselin Bontchev, the researcher who first reported the botnet on Twitter – this malware spreads over the Telnet protocol. That means attackers gain remote access to your system over Telnet and use that access to plant the malware, silently and without your permission. According to researchers, Torii can infect an impressive range of architectures, including x86_64, x86, ARM, MIPS, Motorola 68k, SuperH, and PPC. If your device runs on one of these architectures, you might be at risk.

Of course, if your system or device is well protected, it is unlikely to be added to the Torii botnet. On the other hand, if it runs outdated software – or if the operating system itself is outdated – and the login (username and password) can be brute-forced, the malware can be dropped and executed in no time. First, a malicious payload in the ELF (Executable and Linkable Format) file format is downloaded. The executed payload then downloads a second payload (also ELF) and executes it. To ensure that the malware persists, the original dropper uses multiple methods: automatic execution via code injected into ~/.bashrc, via an “@reboot” entry in crontab, via /etc/init and PATH, via modification of the SELinux Policy Management, via /etc/inittab, and as a “System Daemon” service via systemd. Once the second payload is running, it executes commands retrieved from a C&C server. A few servers Torii has been found connecting to include,, and
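Because the persistence methods listed above are all ordinary Linux startup locations, a defender can audit them directly. The script below is an added example (not code from the article or from the Torii research) that scans those locations – ~/.bashrc, crontab “@reboot” entries, /etc/init and /etc/init.d, PATH changes in login profiles, /etc/inittab, and systemd unit files – for entries that launch something from a scratch directory such as /tmp or /dev/shm. The “suspicious directory” heuristic and the sample tree it builds for testing are assumptions constructed for illustration, not Torii’s actual artefacts; a ROOT prefix argument lets the same functions run against a test tree or a mounted disk image.

```shell
#!/bin/sh
# Audit of the Linux persistence locations named in the article. Added example,
# not code from the article or from the Torii research. The "suspicious
# directory" pattern and the sample tree are assumptions made for illustration.

# Directories a startup entry should normally never execute from (assumption).
# The trailing group requires the name to end there, so /tmpfoo does not match.
SUSPICIOUS='(/tmp|/dev/shm|/var/tmp|/usr/tmp)([^[:alnum:]_.-]|$)'

# Print "<file>:<line>:<text>" for every line matching $1 in the files that exist.
scan_files() {
    pattern=$1; shift
    for f in "$@"; do
        [ -f "$f" ] && grep -nE "$pattern" "$f" | sed "s|^|$f:|"
    done
    return 0
}

# ~/.bashrc for root and every home directory: commands launched from a scratch dir.
check_bashrc() {
    scan_files "$SUSPICIOUS" "$1/root/.bashrc" "$1"/home/*/.bashrc
}

# crontab(5) "@reboot" entries in the system and per-user crontab locations.
check_cron_reboot() {
    scan_files '^[[:space:]]*@reboot' "$1/etc/crontab" "$1"/etc/cron.d/* \
        "$1"/var/spool/cron/crontabs/* "$1"/var/spool/cron/*
}

# /etc/inittab: non-comment entries whose command lives in a scratch dir.
check_inittab() {
    scan_files "^[^#].*$SUSPICIOUS" "$1/etc/inittab"
}

# SysV init scripts and /etc/init (upstart) jobs referencing a scratch dir.
check_init() {
    scan_files "$SUSPICIOUS" "$1"/etc/init.d/* "$1"/etc/init/*
}

# PATH assignments in login profiles that add a scratch (world-writable) dir.
check_path() {
    scan_files "PATH=.*$SUSPICIOUS" "$1/etc/profile" "$1"/etc/profile.d/* \
        "$1/etc/environment"
}

# systemd service units whose ExecStart points into a scratch dir.
check_systemd() {
    scan_files "^ExecStart=.*$SUSPICIOUS" "$1"/etc/systemd/system/*.service \
        "$1"/lib/systemd/system/*.service "$1"/usr/lib/systemd/system/*.service
}

# Run every check against the filesystem under ROOT ("" = live system);
# each finding is one line on stdout.
audit_persistence() {
    root=${1:-}
    check_bashrc "$root"; check_cron_reboot "$root"; check_inittab "$root"
    check_init "$root"; check_path "$root"; check_systemd "$root"
}

# Number of findings as a clean integer (0 when nothing matched).
count_findings() {
    audit_persistence "$1" | grep -c . || true
}

# Constructed sample tree: a mostly clean host with four planted entries
# (assumption: illustrative paths, not real Torii artefacts). Prints the root.
build_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/root" "$d/home/alice" "$d/etc/cron.d" "$d/etc/init.d" \
        "$d/etc/profile.d" "$d/etc/systemd/system"
    printf 'alias ll="ls -l"\n/tmp/.x/agent &\n' > "$d/home/alice/.bashrc"
    printf 'PATH=/usr/bin:/bin\n0 3 * * * root /usr/bin/updatedb\n' > "$d/etc/crontab"
    printf '@reboot root /dev/shm/agent\n' > "$d/etc/cron.d/agent"
    printf 'id:2:initdefault:\n1:2345:respawn:/sbin/getty 38400 tty1\n' > "$d/etc/inittab"
    printf '#!/bin/sh\nexec /usr/sbin/sshd\n' > "$d/etc/init.d/ssh"
    printf 'export PATH=/var/tmp/.bin:$PATH\n' > "$d/etc/profile.d/zz.sh"
    printf '[Service]\nExecStart=/usr/sbin/cron\n' > "$d/etc/systemd/system/cron.service"
    printf '[Service]\nExecStart=/usr/tmp/agent --daemon\n' > "$d/etc/systemd/system/agent.service"
    echo "$d"
}

# Stand-alone use: sh persistence_audit.sh /    (no argument: only define functions)
if [ $# -gt 0 ]; then audit_persistence "$1"; fi
```

Run as `sh persistence_audit.sh /` on a live host, or pass the mount point of an image taken from a suspect device. On the constructed sample tree the script reports exactly the four planted entries (the .bashrc command, the @reboot job, the PATH change and the systemd unit) and stays silent on the legitimate getty, sshd and cron entries; on a real device, anything it reports should be compared against what the package manager and the device vendor actually installed, since the heuristic only flags execution from scratch directories.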

When Torii exfiltrates data (e.g., hostname, operating system’s version, process ID, or the location of the second payload), it uses AES-128 encryption to conceal it. Information that the infected computer sends to the botnet’s server about command execution is encrypted too. This adds to the sophistication and complexity of the botnet that is being built as you read this. Yes, the botnet is growing further. Needless to say, there is still a lot to learn about Torii and the malware that infects targeted systems, but it is already pretty obvious that it must be taken seriously because it can leak extremely sensitive data.

The execution of the malware payload and the communication between the infected system and the botnet’s server are complex, and the actors behind the botnet appear to be able to use it for anything they want. This is why securing all systems and devices against malware linked to the Torii botnet is extremely important. What can you do? First and foremost, secure Telnet devices and all other remote-access channels. Set up strong login credentials. Next, make sure you install all updates; unpatched software means plenty of known vulnerabilities. Finally, secure your system with reliable anti-malware software.
