botnet threat that leverages compromised smart devices to stage
‘distributed denial-of-service’ attacks, potentially triggered
on-demand through platforms offering DDoS-for-hire services.
The botnet, named “dark_nexus” by Bitdefender researchers, works
by employing credential stuffing attacks against a variety of
devices, such as routers (from Dasan Zhone, Dlink, and ASUS), video
recorders, and thermal cameras, to co-opt them into the botnet.
So far, dark_nexus comprises at least 1,372 bots acting as reverse
proxies, spread across various locations in China, South Korea,
Thailand, Brazil, and Russia.
“While it might share some features with previously known IoT
botnets, the way some of its modules have been developed makes it
significantly more potent and robust,” the researchers said. “For
example, payloads are compiled for 12 different CPU architectures
and dynamically delivered based on the victim’s configuration.”
Evidence gathered by Bitdefender points to greek.Helios, a known
botnet author infamous for selling DDoS services on social media
platforms and advertising them through a YouTube channel, as the
individual behind the development of dark_nexus.
Inspired by known botnets Qbot and Mirai
Noting dark_nexus’ similarities to Qbot banking malware and Mirai,
Bitdefender researchers said its core modules are “mostly original”
and that it’s frequently updated, with over 30 versions released
during the period from December 2019 to March 2020 (versions 4.0
through 8.6).
several times, blocks several signals, and detaches itself from the
terminal,” the researchers said.
“Then, in the vein of Mirai, it binds to a fixed port (7630),
ensuring that a single instance of this bot can run on the device.
The bot attempts to disguise itself by changing its name to
‘/bin/busybox.’ Another feature borrowed from Mirai is the
disabling of the watchdog by periodic ioctl calls on the virtual
device.”
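As an added defender-side example (not code from Bitdefender or the article), the following Python triage heuristic flags, on a constructed process and socket snapshot, the two traits quoted above: a listener bound to TCP port 7630 and a process that presents itself as /bin/busybox while its executable resolves elsewhere. The /proc/net/tcp text and the process table are constructed sample data, and the Proc fields are assumptions about what a host collector would gather.

```python
from dataclasses import dataclass

DARK_NEXUS_PORT = 7630  # fixed single-instance port named in the article
TCP_LISTEN = "0A"       # socket state code for LISTEN in /proc/net/tcp

def listening_ports(proc_net_tcp: str) -> dict:
    """Parse /proc/net/tcp text into {socket inode: local port} for LISTEN sockets."""
    result = {}
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) < 10 or cols[3] != TCP_LISTEN:
            continue
        port = int(cols[1].split(":")[1], 16)  # local_address is hex ip:port
        result[int(cols[9])] = port
    return result

@dataclass
class Proc:
    pid: int
    comm: str             # name the process presents (argv[0] / comm)
    exe: str              # resolved target of /proc/<pid>/exe
    socket_inodes: tuple  # inodes of sockets open in /proc/<pid>/fd

def triage(procs, inode_ports):
    """Return (pid, reason) findings for the two traits quoted above."""
    findings = []
    for p in procs:
        ports = {inode_ports[i] for i in p.socket_inodes if i in inode_ports}
        if DARK_NEXUS_PORT in ports:
            findings.append((p.pid, f"listener on tcp/{DARK_NEXUS_PORT}"))
        if p.comm == "/bin/busybox" and not p.exe.endswith("/busybox"):
            findings.append((p.pid, f"busybox name but exe is {p.exe}"))
    return findings

# Constructed sample snapshot (hypothetical; not captured from any device).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 3001 1 0 10 0 0 10 0
   1: 00000000:1DCE 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 3002 1 0 10 0 0 10 0
"""
SAMPLE_PROCS = [
    Proc(212, "/bin/busybox", "/bin/busybox", (3001,)),      # genuine busybox telnetd
    Proc(987, "/bin/busybox", "/tmp/.sample/bot", (3002,)),  # renamed bot binary
    Proc(1001, "httpd", "/usr/sbin/httpd", ()),
]

def run_sample():
    return triage(SAMPLE_PROCS, listening_ports(SAMPLE_PROC_NET_TCP))
```

On a real device the same logic would read /proc/net/tcp and walk /proc/<pid>/fd to map socket inodes to processes; a genuine busybox applet bound to tcp/23 produces no finding, only the renamed binary on tcp/7630 does.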
The infrastructure consists of several command-and-control (C2)
servers (switchnets[.]net:30047 and thiccnigga[.]me:30047), which
issue remote commands to the infected bots, and reporting servers
to which bots share details about vulnerable services (e.g.,
devices protected by default passwords).
Once the brute-force attack succeeds, the bot registers with the
C2 server and identifies the device's CPU architecture, so that a
custom infection payload matching it can be transmitted via Telnet;
that payload downloads the bot binaries and other malware components
from a hosting server (switchnets[.]net:80) and executes them.
In addition, some versions of the botnet (4.0 to 5.3) come with
a reverse proxy feature that lets the victim act as a proxy for the
hosting server, thereby directing the infected device to download
and store the necessary executables locally instead of having to
connect to the central hosting server.
That's not all. dark_nexus comes with persistence commands that
prevent the device from being rebooted by stopping the cron
service and removing privileges from services that could be used
to reboot the device.
compromised device,” Bitdefender observed.
“Uniquely, dark_nexus uses a scoring system based on weights and
thresholds to assess which processes might pose a risk. This
involves maintaining a list of whitelisted processes and their
PIDs, and killing every other process that crosses a threshold
(greater or equal to 100) of suspicion.”
Your IoT Devices Are Up for Hire
The Mirai botnet, since its discovery in 2016, has been linked to a
number of large-scale DDoS attacks. Since then, numerous variants
of Mirai have sprung up, in part due to the availability of its
source code on the Internet.
Botnet authors, likewise, have staged brute-force attacks on
WordPress sites to inject the Qbot banking trojan and download
additional malware.
The fact that dark_nexus is built on the foundations of Mirai
and Qbot is proof of the evolving tactics of botnet operators and
inexperienced hackers alike, allowing them to add new functionality
by exploiting a variety of vulnerabilities in poorly secured IoT
devices and amass modern botnet armies.
“Using YouTube videos demoing some of his past work and posting
offerings on various cybercriminal forums, greek.Helios seems to
have experience with IoT malware skills, honing them to the point
of developing the new dark_nexus botnet,” Bitdefender researchers
concluded.
Read more http://feedproxy.google.com/~r/TheHackersNews/~3/e_M3-xGQYxo/darknexus-iot-ddos-botnet.html