Threat Intelligence: Analysis of the SBIDIOT IoT Malware



When executed, the sample tries to connect to its C2, which in this case is an IP address and port that are hard-coded into the binary. Although the C2 infrastructure was not operational at the time of the investigation, we were able to force the sample to communicate with our own server as C2. Coupled with static analysis, this was enough to quickly identify the protocol and start interacting.

The function responsible for processing commands compares each command received from the C2 with one of the following strings:

  • TCP
  • HTTPSTOMP
  • EVERYTHING
  • HEX
  • HOURS
  • VOX
  • NFO
  • UDP
  • UDPH
  • R6
  • FN
  • OVHKILL
  • NFOKILL
  • STOP
  • Stop
  • stop

Based on the result, it then performs several validation checks on its arguments before executing the actual command.
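As an added illustration (not part of the original analysis), the following Python helper applies the bot's command-matching rule from the defender's side: it flags captured C2 payloads whose first token exactly matches one of the strings above. The assumption that the command is the first whitespace-delimited token, and the sample flows, are constructed here.

```python
from typing import Optional

# Exact, case-sensitive strings the bot's command handler compares against
# (the list from the analysis above).
SBIDIOT_COMMANDS = frozenset({
    "TCP", "HTTPSTOMP", "EVERYTHING", "HEX", "HOURS", "VOX", "NFO", "UDP",
    "UDPH", "R6", "FN", "OVHKILL", "NFOKILL", "STOP", "Stop", "stop",
})
STOP_VARIANTS = frozenset({"STOP", "Stop", "stop"})

def classify(payload: bytes) -> Optional[tuple]:
    """Return (command, args) when the payload's first whitespace-delimited
    token is an SBIDIOT command string, else None.  Treating the command as
    the first token is an assumption.  Matching is case-sensitive like the
    bot's own comparison, so b"tcp" is not a hit while b"Stop" is."""
    try:
        tokens = payload.decode("ascii").split()
    except UnicodeDecodeError:
        return None
    if not tokens or tokens[0] not in SBIDIOT_COMMANDS:
        return None
    return tokens[0], tuple(tokens[1:])

def scan(flows) -> list:
    """flows: iterable of (src, dst, payload) triples, e.g. from a pcap.
    Returns one dict per flow whose payload looks like an SBIDIOT command."""
    hits = []
    for src, dst, payload in flows:
        result = classify(payload)
        if result is not None:
            cmd, args = result
            hits.append({"src": src, "dst": dst, "command": cmd,
                         "is_stop": cmd in STOP_VARIANTS, "args": args})
    return hits

# Constructed sample flows (not real traffic).  The argument layout of the
# TCP line is illustrative only; the write-up does not document it.
C2 = "203.0.113.10:7777"
BOT = "192.0.2.5:49152"
SAMPLE_FLOWS = [
    (C2, BOT, b"TCP 198.51.100.7 80 60 SYN"),
    (C2, BOT, b"Stop"),
    (C2, BOT, b"PING"),                      # not in the command set
    (C2, BOT, b"tcp 198.51.100.7 80 60"),   # lowercase near-miss
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_FLOWS):
        print(hit)
```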

Instructions supported by SBIDIOT

TCP

The TCP command instructs the bot to send TCP segments to a specific host/port combination for a specific time period. In addition, the operator can set a number of optional TCP flags.
