Rewterz Threat Alert – Dark Nexus – Emerging IoT Botnet Malware Spotted in the Wild
Severity
High
Analysis Summary
Cybersecurity researchers have discovered a new emerging IoT botnet that leverages compromised smart devices to launch distributed denial-of-service (DDoS) attacks, potentially triggered on demand through DDoS-for-hire platforms. The botnet grows by running credential stuffing attacks against a variety of devices, such as routers (from Dasan Zhone, D-Link, and ASUS), video recorders, and thermal cameras, and co-opting any device it logs into. Researchers named the botnet “dark_nexus” after a string it prints in its banner. One of its earliest versions also used this name in the user agent string of the HTTP requests it sent when carrying out exploits, “dark_NeXus_Qbot/4.0”, citing Qbot as its influence. dark_nexus comes with some robust features: its payloads are compiled for 12 different CPU architectures and are delivered dynamically based on the victim’s configuration, and it uses a technique meant to ensure “supremacy” on the compromised device. Uniquely, dark_nexus uses a scoring system based on weights and thresholds to assess which running processes might pose a risk to it. It maintains a list of whitelisted processes and their PIDs, and kills every other process whose score crosses a threshold of suspicion.
Features of the new botnet used for DDoS services:
• Uses a DDoS tactic that disguises attack traffic as innocuous browser-generated traffic
• Synchronous and asynchronous Telnet scanners used for infection and victim reporting
• Uses SOCKS5 proxies, potentially for renting access to the botnet
• Uses Telnet credential stuffing and exploits to compromise a long list of router models
• Most compromised IoT devices are based in Korea
• Uses a debugging module to maintain proper functionality and reliability on the infected device
• Code compiled for 12 different CPU architectures, with dynamic downloader injection
• Distributed binary hosting, using each victim as a reverse proxy
• New persistence tactic: removing device restart permissions
• Frequently updated components, with over 30 versions in 3 months
• Possibly created by greek.Helios, a known botnet author who sells DDoS services and botnet code
So far, dark_nexus comprises at least 1,372 bots, each of which acts as a reverse proxy, spread across various locations in China, South Korea, Thailand, Brazil, and Russia.
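The two network-visible signals the alert describes are the early user-agent string (“dark_NeXus_Qbot/4.0”) and Telnet credential stuffing. The following is an added detection example written for this page; it is not code from the Rewterz alert or from the researchers who analysed dark_nexus. It runs over constructed sample log lines: the HTTP lines use the standard Apache/nginx combined log format, while the Telnet-failure syslog format, the IP addresses, the timestamps, and the five-failures-per-minute threshold are all assumptions chosen for illustration.

```python
"""Added example: flag two dark_nexus-related signals in log lines.

Everything below (log formats, IPs, timestamps, thresholds) is constructed for
illustration; only the user-agent string comes from the alert.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Case-insensitive: the alert gives "dark_nexus" (banner) and
# "dark_NeXus_Qbot/4.0" (user agent of an early version).
DARK_NEXUS_UA = re.compile(r"dark_?nexus", re.IGNORECASE)

# Apache/nginx combined log format; the user agent is the last quoted field.
COMBINED_LOG = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed syslog-style telnetd failure line (constructed format, not from the alert).
TELNET_FAIL = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ telnetd\[\d+\]: "
    r"login failed user=(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)$"
)

# Constructed sample data (documentation IP ranges, invented timestamps).
HTTP_LOG = """\
203.0.113.5 - - [18/Apr/2020:10:12:01 +0000] "GET /cgi-bin/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
198.51.100.23 - - [18/Apr/2020:10:12:07 +0000] "GET / HTTP/1.1" 404 0 "-" "dark_NeXus_Qbot/4.0"
192.0.2.77 - - [18/Apr/2020:10:12:09 +0000] "GET / HTTP/1.1" 200 1024 "-" "curl/7.68.0"
"""

TELNET_LOG = """\
Apr 18 10:13:01 gw telnetd[410]: login failed user=root from 198.51.100.23
Apr 18 10:13:04 gw telnetd[410]: login failed user=admin from 198.51.100.23
Apr 18 10:13:09 gw telnetd[410]: login failed user=root from 198.51.100.23
Apr 18 10:13:15 gw telnetd[410]: login failed user=support from 198.51.100.23
Apr 18 10:13:22 gw telnetd[410]: login failed user=user from 198.51.100.23
Apr 18 10:13:30 gw telnetd[410]: login failed user=root from 198.51.100.23
Apr 18 10:14:00 gw telnetd[410]: login failed user=root from 203.0.113.9
Apr 18 10:14:30 gw telnetd[410]: login failed user=admin from 203.0.113.9
"""


def find_dark_nexus_user_agents(lines):
    """Return (source_ip, request, user_agent) for requests whose UA matches."""
    hits = []
    for line in lines:
        m = COMBINED_LOG.match(line.strip())
        if m and DARK_NEXUS_UA.search(m.group("ua")):
            hits.append((m.group("src"), m.group("req"), m.group("ua")))
    return hits


def find_telnet_credential_stuffing(lines, threshold=5,
                                    window=timedelta(seconds=60), year=2020):
    """Return {source_ip: total_failures} for sources with at least `threshold`
    failed Telnet logins inside any `window`-long period.

    Syslog timestamps carry no year, so `year` is assumed to build comparable
    datetimes; `threshold` and `window` are tuning assumptions.
    """
    attempts = defaultdict(list)
    for line in lines:
        m = TELNET_FAIL.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        attempts[m.group("src")].append(ts)

    flagged = {}
    for src, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until times[start..end] fits in `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = len(times)
                break
    return flagged


if __name__ == "__main__":
    for src, req, ua in find_dark_nexus_user_agents(HTTP_LOG.splitlines()):
        print(f"dark_nexus user agent from {src}: {req!r} UA={ua!r}")
    for src, n in find_telnet_credential_stuffing(TELNET_LOG.splitlines()).items():
        print(f"possible Telnet credential stuffing from {src}: {n} failed logins")
```

The user-agent match is a weak indicator on its own: the alert notes that only one of the earliest versions used that string, and with over 30 versions released in three months it should not be relied on for current samples. The Telnet failure burst is the more durable signal, since credential stuffing is how the botnet spreads; tune the threshold and window to the normal login noise on the device or network being monitored.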