A new botnet is actively targeting IoT devices with payloads compiled for a dozen CPU architectures, using the compromised devices to launch several types of DDoS attacks and to spread other malware.
The Dark Nexus botnet, as it was named by the Bitdefender researchers who discovered it, has gone through very fast development since it was first spotted.
Around 40 different versions (from 4.0 to 8.6), each adding new features and improvements, were released between December 2019 and March 2020, according to Bitdefender's report.
Based on strings found in the bot binaries and on the names of those binaries, the malware was probably created by greek.Helios, a known botnet developer who has been advertising and selling DDoS services and botnet code since at least 2017.
A growing threat
While the malware reuses parts of the Qbot and Mirai source code, Dark Nexus' developer wrote their own core modules, including the capability to deliver custom-tailored payloads for 12 different CPU architectures.
“In terms of devices that seem compromised by the dark_nexus, the list is pretty extensive, ranging from various router models, such as Dasan Zhone, Dlink, and ASUS, to video recorders and thermal cameras,” the researchers explain.
To find other IoT devices to infect and to report new additions to the botnet, Dark Nexus now uses both a synchronous Telnet scanner (which sends payloads directly) and an asynchronous one (which reports working credentials to the command-and-control server).
Dark Nexus compromises a long list of router models using Telnet credential stuffing and exploits for various security vulnerabilities.
In the past, the malware was observed using remote code execution (RCE) and command injection exploits against several device models.
Judging by the IP addresses that launched attacks matching Dark Nexus' attack vector against Bitdefender's honeypots, the botnet currently comprises around 1,372 bots.
However, given its rapid update pace and the huge number of IoT devices that could be compromised, the botnet could grow very quickly.
“It’s likely more device models will be added as dark_nexus development continues,” Bitdefender’s researchers said.
Exotic DDoS attacks and SOCKS5 proxies
“The startup code of the bot resembles that of Qbot: it forks several times, blocks several signals and detaches itself from the terminal,” the report says.
“Then, in the vein of Mirai, it binds to a fixed port (7630), ensuring that a single instance of this bot can run on the device. The bot attempts to disguise itself by changing its name to ‘/bin/busybox’. Another feature borrowed from Mirai is the disabling of the watchdog by periodic ioctl calls on the virtual device.”
Bitdefender also found that Dark Nexus uses a scoring system of weights and thresholds to assess the risk posed by other processes running on a compromised device.
A 'killer' module then automatically terminates any process the bot deems dangerous unless it is on a whitelist of processes the bot itself has spawned since infecting the device.
The attacks the botnet can launch are standard DDoS attacks seen in many other botnets. In one of the supported DDoS variants, however, Dark Nexus can be instructed to disguise the malicious traffic it sends at the target as innocuous HTTP traffic that mimics a web browser.
Bitdefender also discovered that Dark Nexus has included a SOCKS5 proxy module since version 5.0, although it is not clear why it was added.
“dark_nexus is not the first botnet to have such a feature: TheMoon, Gwmndy, Omg botnets and a certain Mirai variant have featured socks5 proxies before,” the researchers say. “A possible motivation would be selling access to these proxies on underground forums. However, we have not found evidence of this yet.”
To gain persistence on compromised devices, earlier versions of the malware didn't even attempt the tried-and-tested tactics used by other botnets. Instead, they removed permissions from the executables used to restart the infected devices.
Newer iterations use a persistence script that writes sets of commands for automated initialization to the /etc/init.d/rcS or /home/start.sh files. Dark Nexus also clears all iptables rules to make sure that C&C communications and DDoS payloads are not filtered.
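The indicators the report describes (the fixed bind port from the Qbot/Mirai-style startup, the '/bin/busybox' name disguise, and the rcS/start.sh persistence with cleared iptables rules) can be turned into a host-side check. The following is an added example, not code from the article or from Bitdefender's report: it runs over a snapshot you collect from the device yourself, the sample snapshot and the /tmp path in it are constructed, and the 'iptables -F' pattern is an assumption about how the rules are cleared.

```python
import re

# Indicators from the Bitdefender findings quoted above: fixed bind port,
# '/bin/busybox' name disguise, persistence files, cleared iptables rules.
DARK_NEXUS_PORT = 7630
PERSISTENCE_FILES = ("/etc/init.d/rcS", "/home/start.sh")
# Assumption (the report does not say how rules are cleared): look for
# 'iptables -F' or '--flush' in the persistence scripts.
FLUSH_RE = re.compile(r"\biptables\b.*\s(?:-F|--flush)\b")
LISTEN_RE = re.compile(r":(\d+)\s+\S+\s+LISTEN")

def check_listeners(netstat_lines):
    """Flag TCP sockets (netstat -lnt style lines) bound to the fixed port."""
    return [f"listener on port {DARK_NEXUS_PORT}: {line.strip()}"
            for line in netstat_lines
            if (m := LISTEN_RE.search(line)) and int(m.group(1)) == DARK_NEXUS_PORT]

def check_process_names(processes):
    """Flag processes that call themselves /bin/busybox while the binary
    behind them (what /proc/<pid>/exe resolves to) is something else."""
    return [f"pid {p['pid']} claims /bin/busybox but runs {p['exe']}"
            for p in processes
            if p["cmdline"].split()[:1] == ["/bin/busybox"]
            and p["exe"] != "/bin/busybox"]

def check_persistence(files):
    """Flag lines in the two persistence files that flush iptables."""
    return [f"{path}: {line.strip()}"
            for path, content in files.items() if path in PERSISTENCE_FILES
            for line in content.splitlines() if FLUSH_RE.search(line)]

def scan(snapshot):
    """Run every check over a snapshot dict collected from the device."""
    return (check_listeners(snapshot["netstat"])
            + check_process_names(snapshot["processes"])
            + check_persistence(snapshot["files"]))

# Constructed sample snapshot: a benign telnetd and init, plus one process
# that took the busybox name while running from a made-up /tmp path.
SAMPLE = {
    "netstat": ["tcp  0  0 0.0.0.0:23    0.0.0.0:*  LISTEN  1/telnetd",
                "tcp  0  0 0.0.0.0:7630  0.0.0.0:*  LISTEN  842/busybox"],
    "processes": [{"pid": 1, "cmdline": "/bin/busybox init", "exe": "/bin/busybox"},
                  {"pid": 842, "cmdline": "/bin/busybox", "exe": "/tmp/.x/dn.arm"}],
    "files": {"/etc/init.d/rcS": "#!/bin/sh\niptables -F\n/tmp/.x/dn.arm &\n"},
}

if __name__ == "__main__":
    for hit in scan(SAMPLE): print(hit)
```

On a real device the three inputs would come from `netstat -lntp`, `/proc/<pid>/cmdline` with `readlink /proc/<pid>/exe`, and the two persistence files; a legitimate busybox applet keeps `/bin/busybox` as its exe, so only the mismatch is flagged.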
To defend your IoT devices against the Dark Nexus botnet, immediately change their default admin credentials and disable remote access over the Internet.