Dark Nexus: Newly Discovered IoT Botnet Malware Identified in the Wild

Emergence of the Dark_Nexus IoT Botnet: A New Threat to Cybersecurity

Cybersecurity experts have unveiled a sophisticated new IoT botnet known as “dark_nexus,” which is leveraging compromised smart devices to launch distributed denial-of-service (DDoS) attacks. This emerging threat can be triggered on demand through platforms offering DDoS-for-hire services, placing numerous organizations at risk.

The dark_nexus botnet has come to the forefront following extensive research by Bitdefender, which indicates that it employs credential stuffing attacks to hijack a wide range of devices, including routers from manufacturers such as Dasan Zhone, D-Link, and ASUS, along with video recorders and thermal cameras. At the time of the research, the botnet comprised approximately 1,372 active bots spanning multiple countries, including China, South Korea, Thailand, Brazil, and Russia.

What sets dark_nexus apart from other notable IoT botnets like Mirai is its advanced module development that enhances its potency and resilience. The researchers underscore that dark_nexus modules are compiled for twelve different CPU architectures, allowing for dynamic payload delivery tailored to the victim’s configurations. The likely architect behind this botnet is an individual known as greek.Helios, a notorious figure in the cybercriminal landscape, who has gained attention for marketing DDoS services through social media and a YouTube channel.

Similarities between dark_nexus, Qbot, and Mirai are evident; however, the Bitdefender analysis emphasizes the originality of its core modules. The botnet has undergone rapid development, with over thirty versions released between December 2019 and March 2020. This agility underscores organized cyber adversaries’ ability to adapt to evolving security measures.

Researchers have observed that the dark_nexus startup code bears resemblance to Qbot, executing multiple forks while detaching from the terminal. It binds to a fixed port (7630) to ensure a single instance operates on the device, and disguises itself by altering its filename to ‘/bin/busybox.’ The botnet further employs a methodology borrowed from Mirai that disables watchdog processes using periodic ioctl calls, hindering reboots and system recoveries.

The operational framework of dark_nexus includes several command-and-control (C2) servers that issue remote commands to the infected devices and track details about vulnerable services. Upon successful brute-force entry, the bot connects to the C2 server, identifies the architecture of the device, and retrieves specific payloads via Telnet. Additionally, certain versions incorporate a reverse proxy feature to facilitate local downloading of essential executables instead of relying on a centralized hosting server.

Persistence mechanisms are integral to the dark_nexus functionality, which includes halting the cron service and removing reboot privileges to maintain control over the infected devices. Moreover, it employs a scoring system to assess which processes may pose a threat, allowing it to target and terminate potentially risky applications.
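The host-level behaviours described above (the fixed single-instance bind on port 7630, the rename to busybox, and the halted cron service) can be turned into a simple triage check. The following is an added example written for this article, not code from Bitdefender or from the malware itself; it assumes a hypothetical `ProcessInfo` record that a responder would fill from `/proc/<pid>/comm` and `/proc/<pid>/exe`, and parses `/proc/net/tcp` text directly.

```python
from dataclasses import dataclass

DARK_NEXUS_PORT = 7630   # fixed single-instance bind port named in the report
TCP_LISTEN = "0A"        # socket-state code for LISTEN in /proc/net/tcp

@dataclass
class ProcessInfo:
    """Hypothetical process record; on a live host fill it from /proc/<pid>/."""
    pid: int
    comm: str   # /proc/<pid>/comm
    exe: str    # readlink of /proc/<pid>/exe ("" if unreadable)

def listening_ports(proc_net_tcp: str) -> set[int]:
    """Return local ports in LISTEN state from /proc/net/tcp text."""
    ports = set()
    for line in proc_net_tcp.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].endswith(":"):
            continue  # header row or malformed line
        if fields[3] == TCP_LISTEN:
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

def dark_nexus_indicators(proc_net_tcp: str, procs: list[ProcessInfo]) -> list[str]:
    """Host-level findings matching the behaviours described in the report."""
    findings = []
    if DARK_NEXUS_PORT in listening_ports(proc_net_tcp):
        findings.append(f"tcp/{DARK_NEXUS_PORT} listening (dark_nexus single-instance port)")
    for p in procs:
        # The bot renames itself to busybox; a genuine busybox process resolves
        # its exe link to the on-disk binary, a dropped payload does not.
        if p.comm == "busybox" and p.exe != "/bin/busybox":
            findings.append(f"pid {p.pid} named busybox but exe is {p.exe or 'unreadable'!r}")
    # Weak indicator on its own (many devices never ship cron), but the bot stops it.
    if not any(p.comm in ("cron", "crond") for p in procs):
        findings.append("no cron daemon running (dark_nexus halts cron)")
    return findings

# Constructed sample input (not captured from a real device).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 00000000:1DCE 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:1DCE 0A00000A:D431 01 00000000:00000000 00:00000000 00000000     0        0 1003 1 0000000000000000 100 0 0 10 0
"""
SAMPLE_PROCS = [
    ProcessInfo(1, "init", "/sbin/init"),
    ProcessInfo(200, "busybox", "/bin/busybox"),        # legitimate
    ProcessInfo(913, "busybox", "/tmp/.x (deleted)"),   # renamed payload
]

if __name__ == "__main__":
    for finding in dark_nexus_indicators(SAMPLE_PROC_NET_TCP, SAMPLE_PROCS):
        print(finding)
```

Treat the port and busybox checks as the strong signals; the cron check only adds confidence on devices known to ship a cron daemon.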

The dark_nexus botnet exemplifies the evolving landscape of cyber threats, expertly blending techniques from established botnets like Mirai and Qbot. By leveraging social engineering tactics, such as promoting capabilities on platforms frequented by potential malefactors, greek.Helios showcases a sophisticated understanding of IoT malware.

The emergence of dark_nexus serves as a reminder of the vulnerabilities inherent in IoT devices and underscores the importance of robust security measures. Business owners must remain vigilant, as the ongoing evolution of tactics used by cyber adversaries presents an increasing challenge in the realm of cybersecurity. Tools such as the MITRE ATT&CK framework can aid organizations in identifying potential adversarial tactics, techniques, and procedures, enabling them to better defend against such emerging threats.