SBIDIOT IoT Malware: miner edition
By Brian Stadnicki
Published: 2022-01-02 · Archived: 2026-04-06 00:58:49 UTC
The SBIDIOT IoT malware was observed earlier this year in april. Recently I spotted a sample with a cryptominer
added on, so let’s see what’s changed.
The botnet’s main use is for DDOS attacks on game servers.
I took a look at one of the past versions of this malware:
3e948a7995faac6975af3c8c937c66e6b5733cb69dab5d2b87ba4c22e23ef136
It appears that the author could be selfrepnetis , who’s instagram is likely @selfrepnetis and @selfrepnetis_.
Based on the instagram, it appears that this botnet is likely being used for RebirthRebornV2 , RebirthVPN ,
RebirthReboot1.5 , Rebirth Stress Hub . This seems consistent with the OVH bypass patches listed when
https://brianstadnicki.github.io/posts/malware-sbidiot-dec2021/
Page 1 of 12

googling the tag on Noirth.
It appears that SBIDIOT is related to DemonBot, whose source code is available on pastebin. It looks quite
similar, it’s possible that SBIDIOT is based on DemonBot.
Thanks to URLhaus, I believe I have the majority of the versions of SBIDIOT, 20 of them. Most of these names
are from the banner sent to the C&C server, some are from a string.
2020-05-20 - 2020-05-20 - Yakuza - URLhaus
2020-05-20 - 2020-05-21 - Yakuza - URLhaus
2020-05-26 - 2020-05-26 - HITECH - URLhaus
2020-06-01 - 2020-06-23 - JEW - URLhaus
2020-06-25 - 2020-07-01 - Yakuza - URLhaus
2020-08-21 - 2020-09-27 - Kosha - URLhaus - telnet brute forcer for spreading, based on a leaked source
2020-08-28 - 2020-08-30 - DGFA - URLhaus
2020-09-10 - 2020-09-12 - Yakuza/Zeroshell - URLhaus - exploits cve-2018-10561 in Huawei home
routers and CVE-2014-8361 in a Realtek SDK
2020-09-14 - 2020-09-16 - DFGA - URLhaus
2020-10-14 - 2020-10-14 - Iris - URLhaus
2020-10-16 - 2020-10-16 - Assassin II - URLhaus
2020-11-19 - 2020-11-19 - Fuze - URLhaus
2020-11-20 - 2020-11-20 - Fuze - URLhaus
2020-11-23 - 2020-11-23 - DGFA - URLhaus
2020-12-01 - 2020-12-01 - Yakuza - URLhaus - telnet brute forcer for spreading
2020-12-02 - 2020-12-03 - Yakuza - URLhaus
2020-12-04 - 2020-12-05 - RMT - URLhaus - clears bash history, logs, tmp, run. Removes netstat, kills
busybox, perl and python. Disables iptables and firewalld.
2020-12-14 - 2020-12-28 - DGFA - URLhaus
2021-12-03 - 2021-12-04 - Fuze - URLhaus
2021-12-22 - 2021-12-22 - Fuze - URLhaus
I’ll do an in-depth analysis of the latest version of the botnet, specifically
fc0ce41c62734d55e257fcfdfb9118fddb5f0b49646a5731e779570b751ba2ee
The analysis starts at a shell script, which does the following:
Download a binary for the specific architecture from 20.106.163.35 , [arch].keen.onion.1337
Names it SSH and runs
Downloads a generic shell script from 20.106.163.35 and names it systemd
Runs it with 37.187.95.110:443 and an unidentified address
https://brianstadnicki.github.io/posts/malware-sbidiot-dec2021/
Page 2 of 12

20.106.163.35 appears to be an Azure virtual machine, and 37.187.95.110 appears to be OVH instance.
The binary downloaded is named cnrig , then it’s renamed to systemd . It’s likely this is CNRig, which is a
“Static CryptoNight CPU miner for Linux”.
The binary named [arch].keen.onion.1337 is the main malware binary that I’ll be analysing.
As with previous versions, this is packed with UPX and later modified.
The modification here is again, the same as previous versions, changing the UPX! signature for YTS\x99 .
https://brianstadnicki.github.io/posts/malware-sbidiot-dec2021/
Page 3 of 12

Once the instances of YTS\x99 are replaced with UPX! , it can be unpacked.
Main
First of all, the seeds for the generation of garbage data for most packet attacks are generated.
Then it attempts to connect to 8.8.8.8 to make sure there is internet access.
If there is internet, then it reads /proc/net/route up until \t00000000\t to get the name of the default
gateway, and sets the socket to use that gateway.
https://brianstadnicki.github.io/posts/malware-sbidiot-dec2021/
Page 4 of 12

It attempts to fork itself, where if the exit code is unsucessful then it exits.
The bot now sends a coloured banner to the command server, [Fuze] [ %s ] [ %s ] . The text, apart from the
brackets, is coloured red. The first %s contains the architecture, and the second contains the address of the
command server.
Because of the command server address being sent and it being coloured, I believe that when the command server
receives this, it prints it directly to a console/logs for the owner to read.
Command parsing
It appears that first whitespace is trimmed from the start and end of the input command’s data.
https://brianstadnicki.github.io/posts/malware-sbidiot-dec2021/
Page 5 of 12

The command word itself is at the start of the packet.
The number of arguments is determined.
https://brianstadnicki.github.io/posts/malware-sbidiot-dec2021/
Page 6 of 12

C&C commands
When SBIDIOT was released, there was originally 16 commands, now there are 41 commands:
ALPHA, HXTPA, R6, PUBG, FN, 2K, ARK, BO4, FUZE, OVHHEX, OVHRAW, CHOOPA, LAGOUT, HYDRASYN, NFOV6, HOTSPOT, UDPRA
However, there are only 11 functions, many of these are different names for the same action.
The C&C server’s address is still hardcoded, in this case at 54.37.79.0:666 , another OVH server.
The ALPHA command is used to send TCP segments to a specfic host and port for a set period of time.
Arguments:
address
unidentified
time length
unidentified
tcp flags
packet length (maybe)
number of packets to send
https://brianstadnicki.github.io/posts/malware-sbidiot-dec2021/
Page 7 of 12

The HXTPA command is used to send HTTP 1.1 PATCH requests to a specific hostname for a set period of time.
The useragent is picked randomly from a list.
Arguments:
hostname
port
time length
number of packets
https://brianstadnicki.github.io/posts/malware-sbidiot-dec2021/
Page 8 of 12

The GAME commands appear to be a group of commands related to games, all calling the same function, but with
different names.
Commands: R6, PUBG, FN, 2K, ARK, BO4.
arguments:
address
appears unused
duration
socket type
data send seed
number of packets to send
pause every number of packets
duration of pause
This group of commands sends a byte to a host over a socket, connects and then waits for a set duration before
closing it.
Commands: FUZE, OVHHEX, OVHRAW, CHOOPA, LAGOUT, HYDRASYN, NFOV6, HOTSPOT,
UDPRAPE, CF-DOWN, OVHEXP, HYDRA, OVH-TCP, ARCADE, REVENGE, WIFI, FUCK, SHIT, KYS,
https://brianstadnicki.github.io/posts/malware-sbidiot-dec2021/
Page 9 of 12

STOMP, CRUSH, RAW.
The byte sent over is randomly picked from /73x/6ax/x4a , and interestingly, the length of this data sent is
randomly picked between 1093 and 1193, with odds of 19:41.
arguments:
hostname
port
duration
This simply sends packets to an address several times for a duration.
arguments:
address
undetermined
duration
packet length
packet count
magic value
This sends a packet to a host, connects and then waits before closing it.
Interestingly, the packet payload is:
Payload:
 4E/x31/x6B/x4B/x31/x20/x21/x73/x69/x20/x4D/x33/x75/x79/x20/x4C/x30/x56/x72/x33/x20/x3C/x33/x20/x50/x61/x32/x
 N1kK1 !si M3uy L0Vr3 <3 Pa2rCH M2 A44rCK
Make of that what you will.
arguments:
hostname
port
https://brianstadnicki.github.io/posts/malware-sbidiot-dec2021/
Page 10 of 12

duration
packet length
This sends packets to an address for a duration.
arguments:
address
possibly packet type
duration
undetermined
packet length
packet count
HTTPSTOMP sends a HTTP request to a specified host a set number of times and with a duration. The user agent
is random, and the path is hardcoded bytes it seems.
Afterwards, it sends requests to /cdn-cgi/l/chk_captcha , in order to try to bypass a cloudfare captcha.
Payload: /x78/xA3/x69/x6A/x20/x44/x61/x6E/x6B/x65/x73/x74/x20/x53/x34/xB4/x42/x03/x23/x07/x82/x05/x84/xA4/xD2/x
arguments:
http operation
address
port
unused
duration
packet count
This command sends packets to a host for a duration, pausing sometimes.
arguments:
hostname
undetermined
duration
undetermined
packet length
packet count
pause threshold
pause duration
These commands send some data to a host, then connects and disconnects after a set period of time.
https://brianstadnicki.github.io/posts/malware-sbidiot-dec2021/
Page 11 of 12

Payload: /x6f/x58/x22/x2e/x04/x92/x04/xa4/x42/x94/xb4/xf4/x44/xf4/x94/xd2/x04/xb4/xc4/xd2/x05/x84/xb4/xa4/xa6/x
Commands: STD, CUH, OVH-TCP, ACID, HAMMED, HTTPS.
arguments:
hostname
port
duration
This repeatedly sends a string to a host and connects for a specific duration.
Payload:
 /x50/x33/x43/x4B/x24/x54/x20/x47/x38/x33/x41/x52/x44/x20/x30/x4E/x20/x54/x30/x50/x20/x50/x38/x54/x43/x48/x20
 P3CK$T G83ARD 0N T0P P8TCH IT B"BY
arguments:
hostname
port
duration
Here all the process’ children are SIGKILL’d.
I think I’ve covered fairly well the main functionality of this bot, but I’ve left some of the arguments as unused or
undefinied. I belive most of these are for setting a flag in the packet, but I’m not confident on that.
Many of the commands are quite similar in their functionality, so it’s possible that I’ve missed some details.
Overall, it does what it’s meant to do and there aren’t fancy tricks.
Distribution URLs
C&C addresses
All of these have been extracted from URLhaus.
1/1/21 - Initial
2/1/21 - Add Overview and IOCs
Source: https://brianstadnicki.github.io/posts/malware-sbidiot-dec2021/
https://brianstadnicki.github.io/posts/malware-sbidiot-dec2021/
Page 12 of 12