{
	"id": "83905f7b-902e-409e-a8e6-80934cadd404",
	"created_at": "2026-04-06T01:30:47.35016Z",
	"updated_at": "2026-04-10T03:20:07.666825Z",
	"deleted_at": null,
	"sha1_hash": "f02b780c0e7f7543aa7fd32929580c8024386c9d",
	"title": "SBIDIOT IoT Malware: miner edition",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1694886,
	"plain_text": "SBIDIOT IoT Malware: miner edition\r\nBy Brian Stadnicki\r\nPublished: 2022-01-02 · Archived: 2026-04-06 00:58:49 UTC\r\nThe SBIDIOT IoT malware was observed earlier this year in April. Recently I spotted a sample with a cryptominer added on, so let’s see what’s changed.\r\nThe botnet’s main use is for DDoS attacks on game servers.\r\nI took a look at one of the past versions of this malware:\r\n3e948a7995faac6975af3c8c937c66e6b5733cb69dab5d2b87ba4c22e23ef136\r\nIt appears that the author could be selfrepnetis, whose Instagram is likely @selfrepnetis and @selfrepnetis_.\r\nBased on the Instagram, it appears that this botnet is likely being used for RebirthRebornV2, RebirthVPN, RebirthReboot1.5 and Rebirth Stress Hub. This seems consistent with the OVH bypass patches listed when googling the tag on Noirth.\r\nhttps://brianstadnicki.github.io/posts/malware-sbidiot-dec2021/\r\nPage 1 of 12\r\nIt appears that SBIDIOT is related to DemonBot, whose source code is available on Pastebin. It looks quite similar; it’s possible that SBIDIOT is based on DemonBot.\r\nThanks to URLhaus, I believe I have the majority of the versions of SBIDIOT, 20 of them. Most of these names are from the banner sent to the C\u0026C server, some are from a string.\r\n2020-05-20 - 2020-05-20 - Yakuza - URLhaus\r\n2020-05-20 - 2020-05-21 - Yakuza - URLhaus\r\n2020-05-26 - 2020-05-26 - HITECH - URLhaus\r\n2020-06-01 - 2020-06-23 - JEW - URLhaus\r\n2020-06-25 - 2020-07-01 - Yakuza - URLhaus\r\n2020-08-21 - 2020-09-27 - Kosha - URLhaus - telnet brute forcer for spreading, based on a leaked source\r\n2020-08-28 - 2020-08-30 - DGFA - URLhaus\r\n2020-09-10 - 2020-09-12 - Yakuza/Zeroshell - URLhaus - exploits CVE-2018-10561 in Huawei home routers and CVE-2014-8361 in a Realtek SDK\r\n2020-09-14 - 2020-09-16 - DFGA - URLhaus\r\n2020-10-14 - 2020-10-14 - Iris - URLhaus\r\n2020-10-16 - 2020-10-16 - Assassin II - URLhaus\r\n2020-11-19 - 2020-11-19 - Fuze - URLhaus\r\n2020-11-20 - 2020-11-20 - Fuze - URLhaus\r\n2020-11-23 - 2020-11-23 - DGFA - URLhaus\r\n2020-12-01 - 2020-12-01 - Yakuza - URLhaus - telnet brute forcer for spreading\r\n2020-12-02 - 2020-12-03 - Yakuza - URLhaus\r\n2020-12-04 - 2020-12-05 - RMT - URLhaus - clears bash history, logs, tmp, run. Removes netstat, kills busybox, perl and python. Disables iptables and firewalld.\r\n2020-12-14 - 2020-12-28 - DGFA - URLhaus\r\n2021-12-03 - 2021-12-04 - Fuze - URLhaus\r\n2021-12-22 - 2021-12-22 - Fuze - URLhaus\r\nI’ll do an in-depth analysis of the latest version of the botnet, specifically\r\nfc0ce41c62734d55e257fcfdfb9118fddb5f0b49646a5731e779570b751ba2ee\r\nThe analysis starts at a shell script, which does the following:\r\nDownloads a binary for the specific architecture from 20.106.163.35, [arch].keen.onion.1337\r\nNames it SSH and runs it\r\nDownloads a generic shell script from 20.106.163.35 and names it systemd\r\nRuns it with 37.187.95.110:443 and an unidentified address\r\n20.106.163.35 appears to be an Azure virtual machine, and 37.187.95.110 appears to be an OVH instance.\r\nThe binary downloaded is named cnrig, then it’s renamed to systemd. It’s likely this is CNRig, which is a “Static CryptoNight CPU miner for Linux”.\r\nThe binary named [arch].keen.onion.1337 is the main malware binary that I’ll be analysing.\r\nAs with previous versions, this is packed with UPX and later modified.\r\nThe modification here is again the same as in previous versions: the UPX! signature is replaced with YTS\\x99.\r\nOnce the instances of YTS\\x99 are replaced with UPX!, it can be unpacked.\r\nMain\r\nFirst of all, the seeds for the generation of garbage data for most packet attacks are generated.\r\nThen it attempts to connect to 8.8.8.8 to make sure there is internet access.\r\nIf there is internet, then it reads /proc/net/route up until \\t00000000\\t to get the name of the default gateway, and sets the socket to use that gateway.\r\nIt attempts to fork itself, and if the exit code is unsuccessful then it exits.\r\nThe bot now sends a coloured banner to the command server, [Fuze] [ %s ] [ %s ]. The text, apart from the brackets, is coloured red. The first %s contains the architecture, and the second contains the address of the command server.\r\nBecause the command server address is sent and it is coloured, I believe that when the command server receives this, it prints it directly to a console/logs for the owner to read.\r\nCommand parsing\r\nIt appears that first whitespace is trimmed from the start and end of the input command’s data.\r\nThe command word itself is at the start of the packet.\r\nThe number of arguments is determined.\r\nC\u0026C commands\r\nWhen SBIDIOT was released, there were originally 16 commands; now there are 41 commands:\r\nALPHA, HXTPA, R6, PUBG, FN, 2K, ARK, BO4, FUZE, OVHHEX, OVHRAW, CHOOPA, LAGOUT, HYDRASYN, NFOV6, HOTSPOT, UDPRA\r\nHowever, there are only 11 functions; many of these are different names for the same action.\r\nThe C\u0026C server’s address is still hardcoded, in this case at 54.37.79.0:666, another OVH server.\r\nThe ALPHA command is used to send TCP segments to a specific host and port for a set period of time.\r\nArguments:\r\naddress\r\nunidentified\r\ntime length\r\nunidentified\r\ntcp flags\r\npacket length (maybe)\r\nnumber of packets to send\r\nThe HXTPA command is used to send HTTP 1.1 PATCH requests to a specific hostname for a set period of time.\r\nThe user agent is picked randomly from a list.\r\nArguments:\r\nhostname\r\nport\r\ntime length\r\nnumber of packets\r\nThe GAME commands appear to be a group of commands related to games, all calling the same function, but with different names.\r\nCommands: R6, PUBG, FN, 2K, ARK, BO4.\r\nArguments:\r\naddress\r\nappears unused\r\nduration\r\nsocket type\r\ndata send seed\r\nnumber of packets to send\r\npause every number of packets\r\nduration of pause\r\nThis group of commands sends a byte to a host over a socket, connects and then waits for a set duration before closing it.\r\nCommands: FUZE, OVHHEX, OVHRAW, CHOOPA, LAGOUT, HYDRASYN, NFOV6, HOTSPOT, UDPRAPE, CF-DOWN, OVHEXP, HYDRA, OVH-TCP, ARCADE, REVENGE, WIFI, FUCK, SHIT, KYS, STOMP, CRUSH, RAW.\r\nThe byte sent over is randomly picked from /73x/6ax/x4a, and interestingly, the length of this data sent is randomly picked between 1093 and 1193, with odds of 19:41.\r\nArguments:\r\nhostname\r\nport\r\nduration\r\nThis simply sends packets to an address several times for a duration.\r\nArguments:\r\naddress\r\nundetermined\r\nduration\r\npacket length\r\npacket count\r\nmagic value\r\nThis sends a packet to a host, connects and then waits before closing it.\r\nInterestingly, the packet payload is:\r\nPayload:\r\n 4E/x31/x6B/x4B/x31/x20/x21/x73/x69/x20/x4D/x33/x75/x79/x20/x4C/x30/x56/x72/x33/x20/x3C/x33/x20/x50/x61/x32/x\r\n N1kK1 !si M3uy L0Vr3 \u003c3 Pa2rCH M2 A44rCK\r\nMake of that what you will.\r\nArguments:\r\nhostname\r\nport\r\nduration\r\npacket length\r\nThis sends packets to an address for a duration.\r\nArguments:\r\naddress\r\npossibly packet type\r\nduration\r\nundetermined\r\npacket length\r\npacket count\r\nHTTPSTOMP sends an HTTP request to a specified host a set number of times and with a duration. The user agent is random, and the path seems to be hardcoded bytes.\r\nAfterwards, it sends requests to /cdn-cgi/l/chk_captcha, in order to try to bypass a Cloudflare captcha.\r\nPayload: /x78/xA3/x69/x6A/x20/x44/x61/x6E/x6B/x65/x73/x74/x20/x53/x34/xB4/x42/x03/x23/x07/x82/x05/x84/xA4/xD2/x\r\nArguments:\r\nhttp operation\r\naddress\r\nport\r\nunused\r\nduration\r\npacket count\r\nThis command sends packets to a host for a duration, pausing sometimes.\r\nArguments:\r\nhostname\r\nundetermined\r\nduration\r\nundetermined\r\npacket length\r\npacket count\r\npause threshold\r\npause duration\r\nThese commands send some data to a host, then connect and disconnect after a set period of time.\r\nPayload: /x6f/x58/x22/x2e/x04/x92/x04/xa4/x42/x94/xb4/xf4/x44/xf4/x94/xd2/x04/xb4/xc4/xd2/x05/x84/xb4/xa4/xa6/x\r\nCommands: STD, CUH, OVH-TCP, ACID, HAMMED, HTTPS.\r\nArguments:\r\nhostname\r\nport\r\nduration\r\nThis repeatedly sends a string to a host and connects for a specific duration.\r\nPayload:\r\n /x50/x33/x43/x4B/x24/x54/x20/x47/x38/x33/x41/x52/x44/x20/x30/x4E/x20/x54/x30/x50/x20/x50/x38/x54/x43/x48/x20\r\n P3CK$T G83ARD 0N T0P P8TCH IT B\"BY\r\nArguments:\r\nhostname\r\nport\r\nduration\r\nHere all the process’ children are SIGKILL’d.\r\nI think I’ve covered the main functionality of this bot fairly well, but I’ve left some of the arguments as unused or undefined. I believe most of these are for setting a flag in the packet, but I’m not confident on that.\r\nMany of the commands are quite similar in their functionality, so it’s possible that I’ve missed some details.\r\nOverall, it does what it’s meant to do and there aren’t fancy tricks.\r\nDistribution URLs\r\nC\u0026C addresses\r\nAll of these have been extracted from URLhaus.\r\n1/1/21 - Initial\r\n2/1/21 - Add Overview and IOCs\r\nSource: https://brianstadnicki.github.io/posts/malware-sbidiot-dec2021/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://brianstadnicki.github.io/posts/malware-sbidiot-dec2021/"
	],
	"report_names": [
		"malware-sbidiot-dec2021"
	],
	"threat_actors": [],
	"ts_created_at": 1775439047,
	"ts_updated_at": 1775791207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f02b780c0e7f7543aa7fd32929580c8024386c9d.pdf",
		"text": "https://archive.orkl.eu/f02b780c0e7f7543aa7fd32929580c8024386c9d.txt",
		"img": "https://archive.orkl.eu/f02b780c0e7f7543aa7fd32929580c8024386c9d.jpg"
	}
}