Netlab researchers discover IoT botnets HEH and Ttint

Ryan Daws is a senior editor at TechForge Media with over a decade of experience in crafting compelling narratives and making complex topics accessible. His articles and interviews with industry leaders have earned him recognition as a key influencer by organisations like Onalytica. Under his leadership, publications have been praised by analyst firms such as Forrester for their excellence and performance. Connect with him on X (@gadget_ry) or Mastodon (

Security researchers from Netlab have discovered two new IoT botnets called HEH and Ttint.

Netlab is the network research division of Chinese cybersecurity giant Qihoo 360. The company’s researchers first spotted the Ttint botnet targeting Tenda routers using two zero-day vulnerabilities.

Ttint spreads a remote control trojan based on code from the Mirai malware.

Mirai caused widespread chaos in 2016 when it hit DNS provider Dyn and impacted popular services including PayPal, Spotify, PlayStation Network, Xbox Live, Reddit, Amazon, GitHub, and many others.

Netlab notes that while Mirai focuses on DDoS attacks – like the one launched against Dyn – Ttint is more complex.

In addition to DDoS attacks, Ttint enables 12 remote control functions such as Socket5 proxy for router devices, tampering with router DNS, setting iptables, and executing custom system commands.

The botnet also circumvents Mirai detection by using the WebSocket-over-TLS protocol at the C2 communication level and protects itself by using many infrastructure IPs which move around.

As of writing, the two zero-day vulnerabilities Ttint exploits remain unpatched.

Netlab has since discovered another IoT botnet. This one is peer-to-peer and the researchers have named it HEH.

HEH is written in the Go language and Netlab says it uses a proprietary P2P protocol. It spreads using a Telnet brute-force on ports 23/2323 and affects many CPU architectures including x86(32/64), ARM(32/64), MIPS(MIPS32/MIPS-III), and PPC.

The botnet consists of three modules: a propagation module, local HTTP service module, and P2P module.

There are nine commands in HEH, but at least three are not yet implemented as the bot is clearly still in development:

At present, HEH’s most useful available functions are to execute Shell commands, update peer list, and to download a specific file to be used as HTTP response data by the local HTTP server.

Ominously, the Attack function is currently empty⁠—but it’s unlikely to stay that way.

Both of the botnets show the increasing desire of hackers to compromise IoT devices. It’s of little surprise the IoT has become such a target, given the rapid proliferation of connected devices and their often weak security.

(Photo by Markus Winkler on Unsplash)

Interested in hearing industry leaders discuss subjects like this? Attend the co-located 5G Expo, IoT Tech Expo, Blockchain Expo, AI & Big Data Expo, and Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London, and Amsterdam.

Tags: , , , , , , , , ,

View Comments
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *