SBIDIOT Malware


The number of IoT (Internet-of-Things) devices continues to grow rapidly, especially in the industrial sector. As a result, cybercriminals have gained a wide new pool of potential targets for malware infection. One of the latest threats designed specifically to breach IoT devices is called SBIDIOT Malware.

As with most IoT threats, the main goal of the SBIDIOT Malware is to incorporate all infected devices into a botnet. Although the computational power of a botnet can be used in several ways, the most prominent one is launching DDoS attacks against specific targets. DDoS stands for Distributed Denial of Service: the devices in the botnet generate excessive load on the server chosen by the hackers, which prevents legitimate users from accessing its services. One method that SBIDIOT Malware has been observed using to proliferate is exploiting an RCE (Remote Code Execution) vulnerability in ZTE routers.

SBIDIOT Malware Functionality

Analysis of the threat's code by infosec researchers revealed that the SBIDIOT Malware can execute a total of 16 commands received from the Command-and-Control (C2, C&C) server; each incoming command is matched against a list of strings. The C2's IP address and port are hard-coded into the SBIDIOT binary. The full list of commands is: TCP, HTTPSTOMP, VSE, HEX, STD, VOX, NFO, UDP, UDPH, R6, FN, OVHKILL, NFOKILL, STOP, Stop, stop.

Not surprisingly, nearly all of the actions performed by the threat are related to launching DDoS attacks, differing only in the flooding method used and the arguments required. For example, the HTTPSTOMP command takes an HTTP method, a host/port combination, the duration of the attack, and a count specifying how many times the operation will be repeated. The HEX, STD, R6, NFO, FN, OVHKILL, NFOKILL, and UDPH commands all call the same function, which needs a host name, a port, and a limit on the attack duration; it then begins generating UDP traffic with a fixed payload.

The major exceptions are the STOP, stop, and Stop commands. When issued, they send a SIGKILL signal to every process ID the malware is currently tracking, which lets the threat actor terminate the chosen processes immediately.
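Because the page states that the C2 IP:port and the 16 command strings are both hard-coded into the binary, those two artifacts are what an analyst would search for when triaging a suspected sample and extracting the C2 address for blocking. The following script is an added example of that static triage; it is not the page's own code nor the malware's. The command list and the flood/stop groupings come from the page; the regular expressions, the function names, the "likely SBIDIOT" threshold, and the sample byte blob (which uses a documentation-range IP) are assumptions constructed for this example.

```python
"""Static triage of a suspected SBIDIOT sample (added example, not from the page).

Looks for the two indicators the page describes: the 16 dispatcher command
strings and a hard-coded IPv4:port C2 address, both expected as plain
NUL-terminated strings in the binary's read-only data.
"""
import re

# The 16 dispatcher command strings listed on the page (case-sensitive,
# since STOP / Stop / stop are three distinct entries).
SBIDIOT_COMMANDS = (
    "TCP", "HTTPSTOMP", "VSE", "HEX", "STD", "VOX", "NFO", "UDP",
    "UDPH", "R6", "FN", "OVHKILL", "NFOKILL", "STOP", "Stop", "stop",
)
# Groupings the page describes: eight commands share one UDP-flood routine,
# and three spellings of "stop" SIGKILL the tracked attack processes.
UDP_FLOOD_COMMANDS = frozenset({"HEX", "STD", "R6", "NFO", "FN", "OVHKILL", "NFOKILL", "UDPH"})
STOP_COMMANDS = frozenset({"STOP", "Stop", "stop"})

# Dotted-quad immediately followed by ':' and a port (assumed layout in .rodata).
_IPV4_PORT_RE = re.compile(rb"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})(?!\d)")
# Runs of printable ASCII, i.e. the strings a `strings`-style pass would emit.
_PRINTABLE_RUN_RE = re.compile(rb"[\x20-\x7e]+")


def find_c2_candidates(blob: bytes) -> list[tuple[str, int]]:
    """Return syntactically valid IPv4:port pairs found in the blob."""
    found = []
    for ip, port in _IPV4_PORT_RE.findall(blob):
        octets = [int(o) for o in ip.split(b".")]
        port_num = int(port)
        if all(o <= 255 for o in octets) and 1 <= port_num <= 65535:
            found.append((ip.decode("ascii"), port_num))
    return found


def find_command_strings(blob: bytes) -> list[str]:
    """Return the SBIDIOT commands present as whole, NUL-delimited strings.

    Exact matching on whole strings avoids counting e.g. 'HTTPSTOMP_payload'
    as the 'HTTPSTOMP' command.
    """
    present = set()
    for run in _PRINTABLE_RUN_RE.findall(blob):
        text = run.decode("ascii")
        if text in SBIDIOT_COMMANDS:
            present.add(text)
    # Keep the page's ordering so the output is stable.
    return [c for c in SBIDIOT_COMMANDS if c in present]


def triage(blob: bytes) -> dict:
    """Summarise the indicators found; the 12-command threshold is an assumption."""
    commands = find_command_strings(blob)
    c2 = find_c2_candidates(blob)
    verdict = "likely SBIDIOT" if len(commands) >= 12 and c2 else "inconclusive"
    return {
        "c2_candidates": c2,
        "commands_found": commands,
        "udp_flood_commands": sorted(UDP_FLOOD_COMMANDS & set(commands)),
        "stop_commands": sorted(STOP_COMMANDS & set(commands)),
        "verdict": verdict,
    }


# Constructed stand-in for a stripped binary's read-only data: ELF magic, the
# command table as NUL-terminated strings, a fake C2 in the 198.51.100.0/24
# documentation range, and some decoy strings. Not real sample data.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00"
    + b"\x00".join(c.encode() for c in SBIDIOT_COMMANDS) + b"\x00"
    + b"/proc/self/exe\x00"
    + b"198.51.100.23:8080\x00"    # constructed C2 address, not from the page
    + b"999.1.1.1:70000\x00"       # invalid pair; must be rejected
    + b"HTTPSTOMP_payload_v2\x00"  # longer string must not count as a command
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_BLOB).items():
        print(f"{key}: {value}")
```

Run against a real sample, the C2 candidates are what you would feed to egress blocking or a network IDS rule, and the set of command strings recovered is the evidence that the binary shares this family's dispatcher; a packed or obfuscated build would hide both, so an empty result is inconclusive rather than a clean verdict.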

