Cybersecurity researchers have discovered a new IoT botnet, tracked as Dark Nexus, that can be used to launch distributed denial-of-service (DDoS) attacks. Dark Nexus has compromised more than a thousand IoT devices, including routers from Dasan Zhone, D-Link, and ASUS, video recorders, and thermal cameras.
Researchers from cybersecurity firm Bitdefender said in a post that the new botnet packs a range of features and capabilities that go beyond those typically found in today’s botnets. The name Dark Nexus comes from the strings printed on the botnet banner.
Dark Nexus borrows ideas and features from previously successful IoT threats like Qbot and Mirai; however, the threat is largely an original creation by an established malware developer who advertises distributed denial-of-service (DDoS) services on YouTube and other social media websites.
“While it might share some features with previously known IoT botnets, the way some of its modules have been developed makes it significantly more potent and robust,” Bitdefender says. “For example, payloads are compiled for 12 different CPU architectures and dynamically delivered based on the victim’s configuration.”
Dark Nexus also comes armed with a module for persistence and detection evasion that, researchers say, “puts to shame” other botnets.
What are botnets?
Botnets are networks of Internet-connected devices, each running one or more bots. Botnets can be used to launch distributed denial-of-service attacks, steal data, send spam en masse, and give the attacker access to each device and its network connection.
“Much like the scanners employed by other widespread botnets […] the scanner is implemented as a finite state machine modeling the Telnet protocol and the subsequent infection steps, in which the attacker issues commands adaptively based on the output of previous commands,” Bitdefender explained.
“The startup code of the bot resembles that of Qbot: it forks several times, blocks several signals, and detaches itself from the terminal,” continues Bitdefender.
“Then, in the vein of Mirai, it binds to a fixed port (7630), ensuring that a single instance of this bot can run on the device. The bot attempts to disguise itself by changing its name to ‘/bin/busybox.’ Another feature borrowed from Mirai is the disabling of the watchdog by periodic ioctl calls on the virtual device.”
The infrastructure consists of several command-and-control (C2) servers (switchnets[.]net:30047 and thiccnigga[.]me:30047), which issue remote commands to the infected bots, and reporting servers to which bots submit details about vulnerable services they find. The malware downloads the bot binaries and other components from a hosting server (switchnets[.]net:80) and then executes them.
Another notable feature is an attempt to prevent the device from rebooting: the bot stops the cron service and removes permissions from the executables that could be used to reboot the device.
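The two host-side traces described above (the single-instance lock on TCP port 7630 from the quoted startup description, and the stripped reboot binaries) are cheap to check for on a Linux device. The script below is an added example written for this article; it is not Bitdefender's tooling or anything from the botnet itself. It parses `/proc/net/tcp` for a listener on the lock port, maps the socket inode back to a process, and flags reboot executables that have lost every execute bit. The port and the `/bin/busybox` name come from the report; the list of reboot executables to check is an assumption, and the `/proc/net/tcp` lines and file modes embedded at the bottom are constructed sample data.

```python
import os
import stat

# Behaviour described in the Bitdefender report quoted above: the bot binds
# TCP port 7630 as its single-instance lock, renames itself "/bin/busybox",
# stops cron and strips permissions from the reboot binaries.
DARK_NEXUS_LOCK_PORT = 7630
# Which reboot-capable executables to check is an assumption for this
# example; the report does not list them.
REBOOT_EXECUTABLES = ("/sbin/reboot", "/sbin/shutdown", "/sbin/poweroff", "/sbin/halt")

TCP_LISTEN = "0A"  # value of the "st" column for a listening socket


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp (or tcp6) text into dicts of port, state and inode.

    Local address is "HEXIP:HEXPORT"; the port is big-endian hex, so
    int(..., 16) gives the real port number regardless of host byte order.
    """
    sockets = []
    for line in text.splitlines()[1:]:  # first line is the column header
        parts = line.split()
        if len(parts) < 10:
            continue
        _ip, port_hex = parts[1].rsplit(":", 1)
        sockets.append({"port": int(port_hex, 16), "state": parts[3], "inode": parts[9]})
    return sockets


def lock_port_listeners(text, port=DARK_NEXUS_LOCK_PORT):
    """Return socket inodes listening on the single-instance lock port."""
    return [s["inode"] for s in parse_proc_net_tcp(text)
            if s["state"] == TCP_LISTEN and s["port"] == port]


def pid_for_socket_inode(inode, proc_root="/proc"):
    """Map a socket inode to (pid, comm) by walking /proc/<pid>/fd symlinks.

    Only meaningful on a live Linux host; returns None if no owner is found.
    A hit whose comm is "busybox" but whose exe is not the real busybox is
    exactly the disguise the report describes.
    """
    target = f"socket:[{inode}]"
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    with open(os.path.join(proc_root, pid, "comm")) as f:
                        return int(pid), f.read().strip()
            except OSError:
                continue
    return None


def executables_missing_exec_bit(modes):
    """Given {path: st_mode}, return the paths that have no execute bit at all."""
    x_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    return sorted(p for p, m in modes.items() if not m & x_bits)


def current_modes(paths=REBOOT_EXECUTABLES):
    """Collect st_mode for the reboot executables that exist on this host."""
    modes = {}
    for p in paths:
        try:
            modes[p] = os.stat(p).st_mode
        except OSError:
            pass
    return modes


def assess(proc_net_tcp_text, modes):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for inode in lock_port_listeners(proc_net_tcp_text):
        findings.append(f"listener on tcp/{DARK_NEXUS_LOCK_PORT} (socket inode {inode})")
    for path in executables_missing_exec_bit(modes):
        findings.append(f"{path} has no execute bit")
    return findings


# Constructed sample /proc/net/tcp content (not captured from a real device):
# a listener on 22 (0x0016) and one on 7630 (0x1DCE).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:1DCE 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 23456 1 0000000000000000 100 0 0 10 0
"""

# Constructed modes: /sbin/reboot has had its execute bits stripped.
SAMPLE_MODES = {"/sbin/reboot": 0o100644, "/sbin/shutdown": 0o100755}

if __name__ == "__main__":
    for finding in assess(SAMPLE_PROC_NET_TCP, SAMPLE_MODES):
        print(finding)
    # On a live host: assess(open("/proc/net/tcp").read(), current_modes())
```

A listener on 7630 is only a hint, not proof: any service may legitimately use that port, so follow the inode to the owning process with `pid_for_socket_inode` and compare its `/proc/<pid>/exe` against the real busybox before acting on it.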
Dark Nexus consists of at least 1,372 infected devices, which can act as reverse proxies. Experts observed infections in China, South Korea, Thailand, Brazil, and Russia.
Dark Nexus developer
Researchers attribute the botnet to greek.Helios, a known botnet author who has been selling DDoS services in underground forums for many years.
“Using YouTube videos demoing some of his past work and posting offerings on various cybercriminal forums, greek.Helios seems to have experience with IoT malware skills, honing them to the point of developing the new dark_nexus botnet,” said researchers.
DDoS botnets have targeted multiple organizations before; it was reported back in March that attackers used botnets to exploit multiple zero-day vulnerabilities in DVRs made by IP video manufacturer LILIN.