New Silex malware is bricking IoT devices, has scary plans

Over 2,000 devices have been bricked in the span of a few hours. Attacks still ongoing.
Written by Catalin Cimpanu, Contributor

A new strain of malware is wiping the firmware of IoT devices in attacks reminiscent of the old BrickerBot malware that destroyed millions of devices back in 2017.

Named Silex, this malware began operating earlier today, about three-four hours before this article's publication.

The malware had bricked around 350 devices when this reporter began investigating its operations, and the number quickly spiked to 2,000 wiped devices by the time we published, an hour later.

Attacks are still ongoing, and according to an interview with the malware's creator, they are about to intensify in the coming days.

How the Silex malware works

According to Akamai researcher Larry Cashdollar, who first spotted the malware earlier today, Silex works by trashing an IoT device's storage, dropping firewall rules, removing the network configuration, and then halting the device.

It's as destructive as it can get without actually frying the IoT device's circuits. To recover, victims must manually reinstall the device's firmware, a task too complicated for the majority of device owners.

It's expected that some owners will most likely throw devices away, thinking they've had a hardware failure without knowing that they've been hit by malware.

Silex bad commands
Image: Larry Cashdollar

"It's using known default credentials for IoT devices to log in and kill the system," Cashdollar told ZDNet in an email today. "It's doing this by writing random data from /dev/random to any mounted storage it finds.

"I see in the binary it's calling fdisk -l which will list all disk partitions," Cashdollar added. "It then writes random data from /dev/random to any partitions it discovers."

"It's then deleting network configurations, [...] also, it's [running] rm -rf / which will delete anything it has missed."

"It also flushes all iptables entries adding one that DROPS all connections. Then halting or rebooting the device," the researcher said.

Attacks carried out from Iranian server

"It's targeting any Unix-like system with default login credentials," Cashdollar told us. "The binary I captured targets ARM devices. I noticed it also had a Bash shell version available to download which would target any architecture running a Unix like OS."

This also means Silex will trash Linux servers if they have Telnet ports open and if they're secured with poor or widely-used credentials.

"It appears the IP address that targeted my honeypot is hosted on a VPS server owned by novinvps.com, which is operated out of Iran," Cashdollar said when we inquired about the source of these attacks.

At the time of writing, the IP address has already been added on the URLhaus blacklist, after being reported by IoT malware researcher Rohit Bansal.

Who's behind the Silex malware?

With the help of NewSky Security researcher Ankit Anubhav, ZDNet reached out to the Silex malware author with a series of questions about his motives and grand master plan.

According to Anubhav, responsible for this destructive malware is a 14-year-old teenager going online by the pseudonym of Light Leafon.

Anubhav confirmed the hacker's identity by having him put a custom message on the Silex command and control (C&C) server, verifying that we were indeed talking to the actual Silex operator.

Prior to today, Light had created the HITO IoT botnet, and had been interviewed a month ago on an episode of Anubhav's podcast on IoT botnets and security.

Light said the project started as a joke but has now developed into a full-time project, and has abandoned the old HITO botnet for Silex.

The teenager said he plans to develop the malware further and add even more destructive functions.

"It will be reworked to have the original BrickerBot functionality," Light told Anubhav and ZDNet.

Plans include adding the ability to log into devices via SSH, besides the current Telnet hijacking capability. Further, Light also plans to incorporate exploits into Silex, giving the malware the ability to use vulnerabilities to break into devices, similar to how most IoT botnets operate today.

"My friend Skiddy and I are going to rework the whole bot," Light told us. "It is going to target every single publicly known exploit that Mirai or Qbot load."

BrickerBot's legacy

The Silex malware is obviously inspired by the old BrickerBot strain, which was active between April and December 2017.

The BrickerBot author, known under the pseudonym of the Janit0r, claimed he permanently or temporarily destroyed over ten million IoT devices.

The Janit0r motivated the attacks as a form of protest against owners of smart devices that, at the time, were constantly getting infected with the Mirai DDoS malware.

The BrickerBot author argued that it would be better if the devices were destroyed, rather than sit around as cannon fodder for DDoS botnets, and haunting the internet for years.

The Janit0r's year-long bricking got some internet service providers to secure their networks against some attack vectors, albeit BrickerBot's impact could never be fully quantified.

But unlike the Janit0r, Light did not offer any motive for his actions, as of now. He didn't put out a manifesto like the Janit0r did after BrickerBot attacks began, to justify any of his actions.

As of now, all of the Silex attacks appear to have been carried out as a joke, or out of malice.

But while Light's actions seem malicious and petty, Anubhav described the teenager as "one of the most prominent and talented IoT threat actors at the moment"

"Its impressive and at the same time sad that Light, being a minor, is utilizing his talent in an illegal way," the researcher told ZDNet earlier today.

The bad news for Light is that unlike the BrickerBot author, who left a minimal trail of footprints that authorities could follow, Light might have made several OpSec mistakes along the way that may end up costing him in the long run.

When IoT/home automation devices explode

Related malware and cybercrime coverage:

Editorial standards