Dark-Nexus Botnet

Cybersecurity experts have revealed a new IoT botnet, dubbed Dark Nexus, that is used to launch distributed denial-of-service (DDoS) attacks.

The emerging botnet was disclosed by Bitdefender.

The botnet spreads through exploits and credential stuffing attacks against a wide range of IoT devices, such as routers from ASUS, D-Link, and Dasan Zhone, as well as thermal cameras and video recorders.

Bitdefender revealed that ‘the scanners are used as a finite state machine that models Telnet protocol plus the other infection steps, the attacker provides commands based on the output of previous commands.’

The name “Dark Nexus” comes from strings printed in the botnet's banner. Some experts have noted that, despite the originality of the botnet's code, its features have some similarities with Qbot and Mirai.

Dark Nexus emerged as a threat earlier this year and has infected approximately 1,372 devices, which operate as reverse proxies. Experts observed infections in Russia, Brazil, Thailand, South Korea, and China.

‘Despite it having the same features as other known IoT botnets, some of its modules have been altered, making it more potent and robust,’ a security firm's press release stated.

A deep dive into Dark Nexus revealed some striking similarities to Mirai and the Qbot banking Trojan, but its key modules are original.

As of March 2020, cybersecurity experts had observed over 30 variations, as the botnet is being updated regularly.

Researchers have extensively analyzed its C2 infrastructure, which comprises several servers. Once an attack is successful, the bot registers with the C2 server, supplying all the vital information about the device, and receives a custom payload via Telnet. Experts have found customized payloads for at least 12 different CPU architectures.

The malware, in turn, downloads the bot binaries and other components from the hosting server (switchnets[.]net:80) and finally executes them.

Experts have also detected some versions of the Dark Nexus botnet (4.0 to 5.3) that include a reverse proxy feature, which lets an infected device act as a proxy for the hosting server. This means that infected devices store all the executables locally rather than requiring access to the central C2 server.

One of the standout features implemented in the botnet is a set of persistence commands that prevent the device from being rebooted. These commands halt the cron service and remove privileges from services that could be used to reboot the device.
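A host-side triage check for the two persistence effects described above (cron stopped, reboot-capable services stripped of their privileges), as an added example that is not taken from the article or from Bitdefender's report. The binary names, the search directories, and the reading of "removed privileges" as a missing execute bit are assumptions, since the article does not specify them.

```shell
#!/bin/sh
# Added example (not from the article or Bitdefender): host triage for the
# persistence effects described above. Linux only; reads /proc.

# Assumption: typical reboot-capable utilities; the article names none.
REBOOT_BINS="reboot shutdown halt poweroff"
# Assumption: directories where such utilities usually live.
BIN_DIRS="/sbin /usr/sbin /bin /usr/bin"

# Succeeds if a process named cron or crond exists under the given proc root.
cron_running() {
    proc_root="${1:-/proc}"
    cat "$proc_root"/[0-9]*/comm 2>/dev/null | grep -Eqx 'crond?'
}

# Prints every reboot-capable binary in the given directories that exists
# but has no execute permission (one path per line).
find_locked_reboot_bins() {
    for bin_dir in "$@"; do
        for bin_name in $REBOOT_BINS; do
            bin_path="$bin_dir/$bin_name"
            if [ -e "$bin_path" ] && [ ! -x "$bin_path" ]; then
                echo "$bin_path"
            fi
        done
    done
}

# Reports both indicators; always returns 0 so it is safe to call in scripts.
persistence_triage() {
    if cron_running; then
        echo "ok: cron process found"
    else
        echo "warn: no cron/crond process found"
    fi
    locked=$(find_locked_reboot_bins $BIN_DIRS)
    if [ -n "$locked" ]; then
        echo "warn: reboot-capable binaries without execute permission:"
        echo "$locked"
    else
        echo "ok: reboot-capable binaries are executable"
    fi
    return 0
}

persistence_triage
```

A warning here is a lead for investigation rather than proof of infection, since some firmware images ship without cron at all.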

As reported by Bitdefender, Dark Nexus is operated by an individual who goes online as Greek Helios, an author of IoT botnets employed in DDoS-for-hire services. He also advertises the botnets on YouTube.