Lorikazz Botnet: How Android TV & STB Hijacking Leverages Tor onion C2 and ENS for Proxyware Operations – A Deep Dive into IoT Malware Evolution + Video

By /

Listen to this Post

Featured Image

Introduction:

The convergence of IoT botnets with privacy-centric technologies like Tor and blockchain-based naming systems marks a dangerous evolution in malware tactics. The newly discovered Lorikazz botnet specifically targets Android TV and set-top boxes (STBs), disguising ELF payloads as system libraries while using Tor .onion domains for command-and-control (C2) and Ethereum Name Service (ENS) for resilient domain resolution. This article dissects the technical architecture of Lorikazz, provides hands-on detection and analysis commands, and outlines mitigation strategies for security professionals.

Learning Objectives:

  • Analyze how Lorikazz uses Tor hidden services and ENS to achieve stealthy, decentralized C2 communication.
  • Identify and extract malicious ELF payloads disguised as system libraries on Android TV/STB firmware.
  • Implement network-level and host-based detection techniques to block proxyware traffic and botnet beaconing.

You Should Know:

  1. Decoding Lorikazz C2 Infrastructure: Tor .onion + ENS Resolution

Lorikazz represents a shift from traditional IP-based botnets to hybrid anonymity networks. The botnet’s C2 server is reachable only via a Tor .onion address, which is resolved through a smart contract on the Ethereum blockchain using ENS (Ethereum Name Service). This makes takedown efforts nearly impossible because the .onion address can be updated on-chain without changing the malware binary.

Step-by-step guide to analyzing Tor-based C2 traffic from an infected device:

  1. Capture network traffic on the victim Android TV/STB (requires root or a mirrored port): 
    On a Linux gateway or using tcpdump on the device (if rooted)
tcpdump -i eth0 -s 0 -w lorikazz_capture.pcap

  2. Filter for Tor-related traffic – Look for TLS handshakes to known Tor directory authorities or unusual outbound connections on ports 9001, 9030, or 443 with Tor TLS fingerprints:

    tcpdump -r lorikazz_capture.pcap -nn 'tcp[((tcp[bash] & 0xf0) >> 2):1] = 0x16 and (tcp[((tcp[bash] & 0xf0) >> 2)+5:1] = 0x01)' | grep -E '9001|9030|443'

  3. Extract .onion addresses from memory dumps or network flows using a custom script. Example using `strings` on a suspected binary:

    strings /path/to/suspected_elf | grep -E '[a-z2-7]{16,56}.onion'

  4. Check ENS resolution – Monitor DNS requests for `.eth` domains (ENS uses `.eth` for human-readable names, which resolves to the .onion address). Use `dig` to inspect:

    dig +short TXT _ens.yourdomain.eth

Windows equivalent (using Sysinternals and PowerShell):

 Monitor outbound connections to non-standard ports
Get-NetTCPConnection | Where-Object {$<em>.RemotePort -in (9001,9030,443) -and $</em>.State -eq 'Established'}

Capture .onion strings from a process memory
.\procdump.exe -ma <PID> memory.dmp
strings memory.dmp | findstr /R "[a-z2-7][a-z2-7].onion"
  1. ELF Payloads Disguised as System Libraries: Extraction and Analysis

Lorikazz drops malicious ELF executables in `/system/lib/` or `/vendor/lib/` using names like libstagefright.so, libcrypto_hw.so, or `libnetd.so` – mimicking legitimate Android libraries. These payloads are statically linked to avoid external dependencies and contain packed proxyware modules (e.g., rotating residential proxies for click fraud or traffic relay).

Step-by-step guide to identifying and analyzing disguised ELF payloads:

  1. List all ELF files in system directories and compare against a known good hash database: 
    On a rooted Android device or extracted firmware
find /system/lib /vendor/lib -type f -name ".so" -exec file {} \; | grep ELF
Calculate SHA256 hashes
sha256sum /system/lib/libnetd.so /vendor/lib/libcrypto_hw.so

  2. Check for unusual section headers – Malicious ELFs often have stripped symbols or abnormal entry points:

    readelf -h /path/to/suspected.so
readelf -S /path/to/suspected.so | grep -E '.text|.data|.rodata'

  3. Extract strings to find proxyware configuration, hardcoded Tor bridges, or ENS endpoints:

    strings -n 8 /path/to/suspected.so | grep -E 'proxy|socks|tor|.onion|.eth|http://|https://'

  4. Analyze dynamic imports – Legitimate system libraries link to standard Android NDK symbols, while malicious ones may import unusual functions like ptrace, fork, kill:

    readelf -d /path/to/suspected.so | grep NEEDED
objdump -T /path/to/suspected.so | grep -E 'ptrace|kill|socket|connect'

  5. Run behavioral analysis in a sandbox (using QEMU user-mode emulation for ARM):

    On an x86 Linux host with ARM cross-tools
qemu-arm-static -L /path/to/android/rootfs /path/to/suspected.so
Monitor syscalls with strace
strace -f -o trace.log qemu-arm-static -L /path/to/android/rootfs /path/to/suspected.so

3. Proxyware Operations: How Lorikazz Monetizes Compromised STBs

Unlike traditional DDoS botnets, Lorikazz turns infected devices into proxy nodes (proxyware), selling bandwidth to residential proxy networks (e.g., Luminati, IPRoyal). This generates revenue without explicit user consent, degrading device performance and opening legal liabilities.

Step-by-step guide to detect proxyware traffic patterns:

  1. Monitor for excessive outbound HTTP/S requests on non-standard ports (8080, 3128, 1080, 9999). Use Zeek (Bro) or ntopng: 
    Zeek script to flag high-volume CONNECT methods
zeek -C -r capture.pcap proxy_detector.zeek

  2. Check for SOCKS5 handshakes – Malware often implements SOCKS5 for proxy rotation. Filter for `0x05 0x01 0x00` (SOCKS5 greeting) in payloads:

    tcpdump -r capture.pcap -X | grep -A2 -B2 "05 01 00"

  3. Linux iptables rule to block known proxyware user-agents (e.g., Mozilla/5.0 (compatible; Resiprocate)):

    iptables -A OUTPUT -m string --string "Resiprocate" --algo bm -j DROP
iptables -A OUTPUT -m string --string "IPRoyal" --algo bm -j DROP

  4. Windows PowerShell script to detect abnormal outbound connections:

    $connections = Get-NetTCPConnection | Where-Object {$<em>.RemotePort -in (8080,3128,1080,9999) -and $</em>.State -eq 'Established'}
foreach ($conn in $connections) {
$proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
Write-Host "Process: $($proc.Name) PID:$($conn.OwningProcess) Remote:$($conn.RemoteAddress):$($conn.RemotePort)"
}

4. Mitigation Strategies: Network Hardening and Firmware Integrity

Because Lorikazz resides in system partitions, factory resets may not remove it if the malware has persisted via firmware overwrites. Prevention and detection are critical.

Step-by-step guide to harden Android TV/STB against Lorikazz:

  1. Disable ADB debugging when not in use – Lorikazz often spreads via open ADB ports (5555). Check and close: 
    On device (if root)
setprop persist.adb.tcp.port -1
stop adbd
Block ADB at firewall
iptables -A INPUT -p tcp --dport 5555 -j DROP
iptables -A OUTPUT -p tcp --sport 5555 -j DROP

  2. Implement eBPF-based monitoring for ELF execution from non-standard locations. Example using bpftrace:

    bpftrace -e 'tracepoint:syscalls:sys_enter_execve { printf("%s executed %s\n", comm, str(args->filename)); }'

  3. Deploy YARA rules to detect Lorikazz payloads. Sample rule:

    rule Lorikazz_ELF_Indicator {
meta:
description = "Detects Lorikazz botnet ELF with Tor .onion strings"
strings:
$a = /[a-z2-7]{16}.onion/ wide ascii
$b = "ENS_RESOLVER" ascii
$c = "proxyware" ascii nocase
condition:
$a or ($b and $c)
}

  4. Block Tor exit nodes and directory authorities at the network perimeter (for enterprise environments). Download updated Tor node lists:

    wget -O tor_exits.txt https://check.torproject.org/torbulkexitlist
while read ip; do iptables -A FORWARD -s $ip -j DROP; done < tor_exits.txt

  5. Enable SELinux enforcing mode on Android TV (if supported) to prevent ELF payloads from executing in system contexts:

    setenforce 1
getenforce

  6. Incident Response: Extracting Indicators from a Compromised Device

When Lorikazz infection is suspected, forensic artifacts can be collected for threat intelligence sharing.

Step-by-step guide to collect IOCs:

  1. Extract the .onion C2 addresses from the process memory of the malicious process (e.g., `mediaserver` or netd): 
    Find PID of suspicious process
ps -A | grep -E 'mediaserver|netd|vold'
Dump memory and grep for .onion
dd if=/proc/<PID>/mem bs=1 skip=0 count=100M 2>/dev/null | strings | grep -E '[a-z2-7]{16}.onion'

  2. Capture network connection logs persistently using `netstat` cron job:

    (crontab -l 2>/dev/null; echo "     netstat -tupan >> /data/local/tmp/netstat.log") | crontab -

  3. Hash all ELF files in system partitions and upload to VirusTotal API (via Python script):

    import hashlib, requests, os
def hash_file(path):
with open(path, 'rb') as f:
return hashlib.sha256(f.read()).hexdigest()
for root, dirs, files in os.walk('/system/lib'):
for f in files:
if f.endswith('.so'):
sha256 = hash_file(os.path.join(root, f))
Send to VirusTotal (requires API key)
requests.post('https://www.virustotal.com/api/v3/files', headers={'x-apikey': 'YOUR_KEY'}, files={'file': (f, open(os.path.join(root, f), 'rb'))})

What Undercode Say:

  • Lorikazz demonstrates that malware authors are successfully weaponizing privacy tools (Tor, ENS) to achieve takedown-resistant C2. Defenders must shift from reactive IP/domain blocking to behavioral and cryptographic trust models.
  • Proxyware represents a silent monetization strategy that turns IoT devices into revenue generators without DDoS noise, making detection harder for traditional botnet hunters. Organizations should monitor for unusual outbound bandwidth usage and SOCKS/HTTP proxy handshakes, not just volumetric attacks.
  • The use of ENS and blockchain-based naming means that even if the .onion address is seized, the malware can resolve a new one via smart contract updates. Security teams need to integrate blockchain transaction monitoring (e.g., looking for ENS TXT record changes) into their threat intelligence pipelines.

Prediction:

The Lorikazz technique will likely inspire a new class of hybrid IoT botnets combining Tor, I2P, and blockchain naming to achieve near-immortal C2 infrastructures. Within 12–18 months, we expect to see similar malware targeting routers, IP cameras, and smart speakers, with proxyware expanding into bandwidth-intensive applications like video relay and cryptocurrency mining. Defenders will need to adopt runtime memory forensics, eBPF-based syscall monitoring, and collaborative threat intelligence sharing across ISPs to mitigate the long-tail impact of these resilient botnets. Without firmware signing enforcement and mandatory over-the-air updates for STBs, millions of devices will remain at risk.

▶️ Related Video (58% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Lorikazz Android – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky

Related Posts: