Rewterz Threat Alert – Dark Nexus – Emerging IoT Botnet Malware Spotted in the Wild

Severity

High

Analysis Summary

Cybersecurity researchers have discovered a new emerging IoT botnet threat that leverages compromised smart devices to launch ‘distributed denial-of-service’ attacks, potentially triggered on-demand through platforms offering DDoS-for-hire services. The botnet works by employing credential stuffing attacks against a variety of devices, such as routers (from Dasan Zhone, Dlink, and ASUS), video recorders, and thermal cameras, to co-opt them into the botnet. Researchers named the botnet “dark_nexus” based on a string it prints in its banner. In one of its earliest versions, it used this name in its user agent string when carrying out exploits over HTTP: “dark_NeXus_Qbot/4.0”, citing Qbot as its influence. Dark Nexus comes with some robust features like payloads are compiled for 12 different CPU architectures and dynamically delivered based on the victim’s configuration. It also uses a technique meant to ensure “supremacy” on the compromised device. Uniquely, dark_nexus uses a scoring system based on weights and thresholds to assess which processes might pose a risk. This involves maintaining a list of whitelisted process and their PIDs, and killing every other process that crosses a threshold of suspicion.

Features of the new botnet used for DDoS services: 
• Uses a DDoS tactic that disguises traffic as 
innocuous browser-generated traffic 
• Synchronous and asynchronous Telnet scanners 
used for infection and victim reporting 
• Uses socks5 proxies, potentially for renting access 
to the botnet 
• Uses Telnet credential stuffing and exploits to 
compromise a long list of router models 
• Most compromised IoTs are based in Korea 
• Uses debugging module to maintain proper 
functionality and reliability of the device 
• Code compiled for 12 different CPU architectures 
and has dynamic downloader injection 
• Distributed binary hosting using each victim as a 
reverse proxy 
• New persistence tactic by removing device restart 
permissions 
• Frequently updated components, with over 30 
versions in 3 months 
• Possibly created by greek.Helios, known botnet 
author who sells DDoS services and botnet code 

So far, dark_nexus comprises at least 1,372 bots, acting as a reverse proxy, spanning across various locations in China, South Korea, Thailand, Brazil, and Russia.

Impact

• Process Termination
• DDoS

Indicators of Compromise

SHA1

• 0028b4f8c11608fef555672e1a61cb9bdad1389d
• 022a65716f7e84a4cf036f943fa95ce15763a155
• 02d787f9a49648bc7a499815992672a195c7bc94
• 03c2ce10e35b0ae95c80a2e462be1fe31b2ea9c5
• 03dc6a47ecbeea3027eb4278b26af8825bef2d6b
• 03e780f9316c9cc853189df83c30650f32d0e476
• 058fe58e3dc6c77c19258e3a11bcd786d849363d
• 0671f6152569a646d820073b73cb1aef642a5f6c
• 069df92b74c9db557d42430d77fa0dd557a91f81
• 07d0dc0eccb7f77cccd9209c6240821d81ca386a
• 0a1817c7606d7eea7971266c4ed111036c855c4e
• 0a28e032e2626f9f730662a677033020b3de664d
• 0a88bf52a7ae160a46d6b6ded745737f3b703f6f
• 0a8bc057d9ed8c79eb9ae5fd8ca63fc1f75b2765
• 0ae6aba288ec79baafdb69ad08c19367a62100c5
• 0af068739a456de81b4fe4610c43c99dec220e45
• 0e686f05804d2d6d95c2cd9052d0789b602a0c46
• 0fa5bdea8b859cb685dffe35be1994c690dea3ba
• 0fb2775fd7eb74a82eca8d73dbdc57f7bc2fbf87
• 12efc8b92a99a3c7332226ef56b303f11680b0ce
• 133ed889e86b3b1b1589cc52f62f54e8b9399730
• 1480105172855e399a359d4a1eda5cc6cdc579bf
• 15c61aa0a32ffd80ff5da6606c947cec27c48e75
• 160f8c82426476dfa37cdfa9fcb703fa5d631d9d
• 1610bb2b66027ee4c3987886fa64e0bdb752499b
• 199f6e548ad366db2c92deb6f927be544e171aa3
• 1b7357b02198d12300182d6a1737af3637066ce6
• 1d2bf6f1f4a20f67cf9e6b316adbdbab16327f21
• 1e7a0a9b0bba806ac52a820aa7db451660bd8142
• 1ee5d79830e48bbd4ef96b3735f7dacd9b3d8100
• 1f20645abb7d943e8e32f8ffcaf944038ca90f77
• 20067b27808b2f2188f138cd02ee6c22071e334a
• 200c6be564bba578c72ff288449ddd9f4a21e2e5

SHA-256

• 342a361691a7cb68529330b4d66f44e78cab3adfd0774df1a46b6db6671e2c2d
• bc0457d7935e29aecb338756bde213cd18aa1b617b00d30c4deedd5eef9ba877
• 0c69b8d4b4fb85a6ac56a240424670016257bed3e4791185b21cd6abeda8c986
• 23cde5604f86d86239c571c104f2c3773526d9a6983baecf96f2fcd8b7941e5a
• de760e297b11773bb85deff4330a445a2ab9fe6538543e3d41a936707a4e9af4
• 2114560a1f3528c556a19f616b9c34b1fc8e07f5436c14433415f17f7b158755
• 565182c9ae294382287aecf71e394bce0d7291d62f15e0b648723879c98a7a59
• baa26609da4987c104c35d7536b05c70fda3028575014427014aed638d4c2e40
• 13750d86aebfa4df8176fb56b68ad515db024842ab2dd9a2cfa7f540f0849cc1
• c851fd9b9b5b1d70c3758bef59d6528f5230fedc0b972f20cd5bf72a129e5745
• 4bb51123933daf3e66537d74c88515952727a85f2da40b5a387dedc29afd1e11
• 9c13dea8cd761326a5c33a522e4cd03d86e63410b3dc0f6a64e76ff3d1ae097c
• a18014b4abe251051f44a224c58dc3550a6dc13c39e2bfe74cf303d838c4dbcf
• 36e7873870bcb5211f651b7f43c5f610d2fe4a884b743962f7e5e1a3a7b8772e
• 3fb6b9e1fdcaa8a3b9abb9660bbbf8bdb16661b013c898d868d1cbeb2aecca63
• c11c4f21123e3419108a04b25a1455e81af543de71fe627d98ea72581c6fdd35
• 1c081f5f726f2694e7ef4da0591cda8cbf314b7a21c2e5e67b616ff9449728e8
• 13079382ff84ee8a46c1e6d5c2e0f53b57635dbcffc69d4fa790f83991fef574
• f0595aaee8c7f8562bcfecfb6a1d7fc972e0e9802c40bc7c0375e567751dd4df
• 672716cb3b858e69e1fd403ce1d17f8934388d29d721d92ab111567518429c77
• 661ca273e17479dbfbb75c44eb211cda9c4d2ebe91cd42a3d9496b9f966baf1e
• 464e3c77eb95ee8f59a2d165c0081572d8f04a64bb4db9b195bbe0864fdc912f
• 36bb895a4fe512828cfbe3b63006d4392e48265e1c7b1b811cb55af6308f378c
• 4660c261e8f68dbd574c910df1e48941252176c434b8714375eb6201548ecb3e
• 6baaebc351f7d1104afb2f168d14896c1a377c89bf1ea650f46325e6dc6df575
• 2413caa2520cd85ce1055c37dab6cd87257618744127a67b57134b2e846e915c
• 692b8fc8657a009e523214c7dcc566168b6fd057d0c0f9e040623261a77e8dc2
• 68cf5d8641218d1042e2bdc28fbf3f7a525b1bd790db9f30f16b61c6fd879030
• 69faa19b3378946b827f3ed7cb85347b6be9ef2ba0103b4c156ed9977ed6d9cb
• ac3bd662791cfb3e3450c79a967f9988701b0e39e90021fdd4c160cf20f1971d
• 97c0d804532763b957ba0b126f1479e48feb4c915701a693025137aa2e610103
• b8911afb77d67b6b07eaedd087383e64a75c212bc7828fed73cded1027e6c0cb
• e3f015f701b4a95d7e121b8e809ee77638d469d759b49d963edc6f53170f03d3

Remediation

• Block the threat indicators at their respective controls. 
• Keep all software updated to latest versions.