New discovered Dark Nexus, Botnet that’s unlike others, says Bitdefender Research
With the industries and nations moving towards the digital age, IoT is going mainstream. IoT devices and sensors are proliferating due to their multi-purpose application and lower prices. However, like every disruptive technology, danger and threats from cybercriminals have attempted to attack the IoT system. Their primary malicious weapon is a botnet. From Mirai to Kaiji to Gafgyt, each of these botnets has a wrecked target system. Further, once again posed a question on how safe is our gadgets and devices. One of the most recent, dark_nexus, has the tag of potent and robust than other IoT botnets, according to Bitdefender’s security researchers.
An IoT botnet is a group of hacked computers, smart appliances, and Internet-connected devices that have been exploited for illicit purposes. Typically botnet uses a host of remotely accessible computers without the owners’ knowledge and set up to forward transmissions to other computers on the Internet.
This botnet (dark_nexus) has features and capabilities that can potentially be used for DDoS attacks by recruiting IoT devices and striking various infrastructure networks. “It was caught in a honeypot operated by Bitdefender,” says the company’s threat research and reporting director BogdanBotezatu. It uses a DDoS tactic that disguises traffic as innocuous browser-generated traffic. Bitdefender gave dark_nexus its name after featuring in its user agent string when carrying out exploits over HTTP: “dark_NeXus_Qbot/4.0”.
Researchers believe that the dark_nexusbotnet appears to have been developed by a known botnet author named greek.Heliossuspected of selling distributed denial of service (DDoS) in the past. The botnet’s payloads are compiled for 12 different CPU architectures and are dynamically delivered based on the victim’s configuration. The malware employed a scoring system to analyzes the system it is executing intheir perimeter intrusion detection systems (PIDs) and kills the processes that might hinder its’ progress. It uses Telnet scanners for infection and victim reporting, targeting a broad range of router models with Telnet credential stuffing and exploits. The Dark Nexus bot leaves a hefty network trail that is broadly divided into three categories: C&C (command and control) communication, Self-propagation, DDoS attacks.
“New dark_nexus IoT Botnet Puts Others to Shame,” said Bitdefender in a 22-page white paper released April 8 about the attacks. “For example, payloads are compiled for 12 different CPU architectures and dynamically delivered based on the victim’s configuration,” while also using a technique meant to ensure “supremacy” on the compromised device, according to the report. It has infected at least 1,372 devices, which include video recorders, thermal cameras, and home and small office routers made by Dasan, Zhone, Dlink, and ASUS. Bitdefender’s report said that while the dark_nexus propagation modules contain code targeting ARC and Motorola RCE architectures, researchers have so far been unable to find malware samples compiled for these architectures. Although dubbed as an original creation, dark_nexus borrows ideas and features from previously successful IoT threats like Qbot and Mirai. It was first spotted in December 2019 when it was in version 4. Since then, the botnet has had frequent updates, with 30 versions recorded in its three months of existence.
The botnet is supposedly composed of 1,372 bots, located in China (653), Korea (261), Thailand (172), Brazil (151), Russia (148), Taiwan (110), Ukraine (77), United States (68), India (46), and Vietnam (24). Recent versions also deploy a SOCKSv5 proxy on the compromised systems, allowing hackers to tunnel malicious traffic through them in addition to abusing them in DDoS attacks. “Dark Nexus is not the first botnet to have such a feature. TheMoon, Gwmndy, Omg botnets, and a certain Mirai variant have featured socks5 proxies before,” the Bitdefender researchers said in their report. The newer version copy commands to the /etc/init.d/rcS file, which is used during initialization, or to the /home/start.sh file, if this file exists. It also clears the IPtables rules to ensure that its communication with the command-and-control server. It also makes sure that any attacks, it launches are not blocked by the internal firewall.
The dark_nexusbotnet is being promoted for sale on YouTube, with advertised prices as low as about US$18.50 per month for 2,500 seconds of boot time. For about US$99 a month, attackers can buy unlimited access, making the botnet accessible to anyone with $20 and relatively basic computer skills to launch their own disruptions.
According to Botezatu, “To fight attacks from the dark_nexus botnet, consumers and companies must constantly audit their internal networks to identify connected IoT devices and run vulnerability assessments to discover unpatched or misconfigured devices before attackers do.” Another mitigation option is changing the default administrative credentials supplied with the devices and making sure their firmware is always up to date. Plus, one can restrict the admin interface to LAN.