[FOCUS MALWARE] dark_nexus, a new and growing IoT botnet

Bitdefender’s security researchers have discovered a new botnet targeting IoT devices. Named “dark_nexus”, it relies on credential-stuffing attacks (in practice, Telnet logins tried with lists of factory-default credentials) against devices such as routers, thermal cameras and digital video recorders (DVRs), in order to enrol them in its botnet and launch distributed denial of service (DDoS) attacks. To date, dark_nexus has compromised nearly 1,400 devices, most of them located in China, South Korea, Thailand, Brazil and Russia.

A fearsome successor to the Mirai and Qbot botnets

Drawing inspiration from the Qbot and Mirai botnets, this new malware was allegedly developed by greek.Helios, a botnet developer known for selling DDoS services and botnet source code on various social networks (Instagram, Skype and Discord, among others). However, dark_nexus is mostly built from original modules, which makes it much more dangerous. Its payloads are compiled for 12 different CPU architectures and delivered dynamically according to the victim’s configuration, which lets it infect many different types of device. Another advanced component is its ability to ensure “supremacy” over other malware that may already be running on an infected device: dark_nexus uses a weight-and-threshold scoring system to identify and kill processes it does not recognise. The malware is still under active development: Bitdefender researchers tracking it since December 2019 have identified at least 30 releases (from version 4.0 to version 8.6), the most recent dated March 11, 2020.

Spreading and Modus Operandi

dark_nexus spreads mainly by brute-forcing Telnet services on weakly secured devices with a large list of default credentials. Once it finds a working account on the target, it proceeds with one of two propagation modules, synchronous or asynchronous. The synchronous module delivers the payload to the device itself once authentication succeeds; the asynchronous module instead reports the valid credentials and the victim’s IP address to the command and control (C&C) server and receives its attack commands from there. In some versions, dark_nexus also exploits vulnerabilities in the JAWS web server embedded in some DVRs and routers.

It also relies on several techniques to persist on infected devices. On one hand, it disguises itself by renaming its process to “/bin/busybox”, a trick borrowed from Mirai that makes it hard to spot in a process listing, because on a BusyBox-based device most legitimate processes carry that name anyway. On the other hand, it includes a reboot-prevention command that stops the cron service and strips the permissions from binaries that could be used to reboot the device, since a reboot is often the simplest way to evict IoT malware.
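The persistence tricks described above translate directly into host-side checks. The script below is an added example, written for this article rather than taken from Bitdefender or from the malware: it flags a process that calls itself busybox but whose executable does not resolve to a genuine busybox binary (or has been unlinked from disk), a missing cron daemon, and reboot helpers whose execute bits have been cleared. It assumes a BusyBox-based Linux device; the list of reboot helpers, the directories where a real busybox lives and the sample process/file snapshot are all assumptions constructed for the example, and `--live` reads the same data from `/proc` on a real host.

```python
"""Host-side indicators for the dark_nexus persistence tricks (added example)."""
import os
import stat
import sys
from dataclasses import dataclass

# Names the dropper gives itself (the article: it renames to "/bin/busybox").
BUSYBOX_NAMES = ("/bin/busybox", "busybox")
# Assumption: a genuine busybox binary lives in one of these directories.
SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")
# Assumption: the article names no binaries; these are the usual reboot
# helpers on a BusyBox-based device.
REBOOT_BINS = ("/sbin/reboot", "/sbin/halt", "/sbin/shutdown", "/sbin/poweroff")
CRON_NAMES = ("crond", "cron")


@dataclass(frozen=True)
class Proc:
    pid: int
    argv0: str  # first cmdline entry: the name the process shows in ps
    exe: str    # target of /proc/<pid>/exe, "" when unreadable


def is_masquerade(p: Proc) -> bool:
    """True when a process calls itself busybox but runs from somewhere else."""
    if p.argv0 not in BUSYBOX_NAMES:
        return False
    if not p.exe:
        return False  # inconclusive: exe link unreadable (run as root)
    if p.exe.endswith(" (deleted)"):
        return True   # binary unlinked after launch: typical dropper behaviour
    return not (p.exe.startswith(SYSTEM_DIRS)
                and os.path.basename(p.exe) == "busybox")


def cron_running(procs) -> bool:
    return any(os.path.basename(p.argv0) in CRON_NAMES for p in procs)


def neutered_binaries(modes) -> list:
    """Paths present on disk with every execute bit cleared (chmod 0 style)."""
    x_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    return sorted(path for path, mode in modes.items()
                  if mode is not None and not mode & x_bits)


def assess(procs, modes) -> dict:
    """Combine the three indicators into one report."""
    return {
        "masquerading_pids": sorted(p.pid for p in procs if is_masquerade(p)),
        "cron_stopped": not cron_running(procs),
        "reboot_bins_without_exec": neutered_binaries(modes),
    }


def snapshot_live():
    """Collect the same data from the live host via /proc (Linux only)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                argv0 = f.read().split(b"\0", 1)[0].decode(errors="replace")
        except OSError:
            continue  # process exited between listdir and open
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = ""
        procs.append(Proc(pid, argv0, exe))
    modes = {}
    for path in REBOOT_BINS:
        try:
            modes[path] = os.stat(path).st_mode
        except OSError:
            modes[path] = None
    return procs, modes


# Constructed snapshot: one dropper hiding behind the busybox name, genuine
# busybox applets for comparison, no cron daemon, two reboot helpers chmod 0.
SAMPLE_PROCS = [
    Proc(1, "/sbin/init", "/bin/busybox"),
    Proc(200, "/bin/sh", "/bin/busybox"),
    Proc(311, "/bin/busybox", "/bin/busybox"),
    Proc(1337, "/bin/busybox", "/tmp/.x/arm7 (deleted)"),
]
SAMPLE_MODES = {
    "/sbin/reboot": 0o100000,
    "/sbin/halt": 0o100755,
    "/sbin/shutdown": None,
    "/sbin/poweroff": 0o100000,
}

if __name__ == "__main__":
    live = "--live" in sys.argv
    print(assess(*snapshot_live()) if live else assess(SAMPLE_PROCS, SAMPLE_MODES))
```

Two caveats when running this for real: most IoT devices ship no Python, so the `/proc` logic is more often reproduced as a few lines of busybox shell or run against a forensic image, and a missing cron daemon is only meaningful on devices that normally run one. The exe-link comparison is the strongest of the three signals, because a renamed dropper cannot change what `/proc/<pid>/exe` points to.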

Identifying Dark Nexus and protecting yourself from it

Researchers were able to identify the IP addresses and domain names associated with the malware. The indicators of compromise (IOCs) were also published on GitHub, together with the hashes of the files encountered during the investigation. Using these indicators, you can determine whether your own devices have been infected and put preventive measures in place.
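A hash list is only useful once it is run against real files, so here is an added example of doing that; it is not Bitdefender's tooling, and the page gives no URL for the published list, so the text passed to `parse_ioc_list` is a constructed sample whose only entry is the hash of a constructed stand-in payload, not a real dark_nexus indicator. The functions assume a SHA-256 list with one hash per line (comments and trailing columns tolerated), and are meant to be pointed at a mounted firmware or filesystem image from a workstation, since the device itself rarely has Python.

```python
"""Match files on disk against a published SHA-256 IOC list (added example)."""
import hashlib
import os
import tempfile

HEX = set("0123456789abcdef")


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large firmware images stay out of memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_ioc_list(text):
    """Return the SHA-256 values in a hash list: one per line, '#' comments allowed,
    columns after the hash ignored. Hashes of other lengths are skipped, not guessed."""
    iocs = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        h = fields[0].lower()
        if len(h) == 64 and set(h) <= HEX:
            iocs.add(h)
    return iocs


def scan(roots, iocs):
    """Walk each root and return {path: sha256} for files whose hash is an IOC."""
    hits = {}
    for root in roots:
        for dirpath, _, names in os.walk(root):
            for name in names:
                full = os.path.join(dirpath, name)
                if os.path.islink(full) or not os.path.isfile(full):
                    continue  # skip symlinks, device nodes and sockets
                try:
                    digest = sha256_file(full)
                except OSError:
                    continue  # unreadable file; a real tool would log this
                if digest in iocs:
                    hits[full] = digest
    return hits


# Constructed stand-in payload; its hash is NOT a real dark_nexus indicator.
SAMPLE_PAYLOAD = b"constructed sample standing in for a dark_nexus dropper\n"
SAMPLE_PAYLOAD_SHA256 = hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()
SAMPLE_IOC_TEXT = (
    "# constructed IOC list (sha256)\n"
    + SAMPLE_PAYLOAD_SHA256 + "  arm7\n"
    + "d41d8cd98f00b204e9800998ecf8427e  # md5-length line, skipped\n"
)


def demo():
    """Build a throwaway tree with one matching and one benign file, then scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "tmp", ".x"))
        with open(os.path.join(root, "tmp", ".x", "arm7"), "wb") as f:
            f.write(SAMPLE_PAYLOAD)
        with open(os.path.join(root, "tmp", "notes.txt"), "wb") as f:
            f.write(b"benign\n")
        hits = scan([root], parse_ioc_list(SAMPLE_IOC_TEXT))
        return {os.path.relpath(p, root): h for p, h in hits.items()}


if __name__ == "__main__":
    for path, digest in demo().items():
        print(f"IOC hit: {path} {digest}")
```

To use it on real data, read the published list into a string and call `scan(["/mnt/firmware"], parse_ioc_list(text))`. Hash matching catches only the exact samples Bitdefender saw; with at least 30 releases already observed, a clean scan is no proof of a clean device, which is why the network indicators (C&C IP addresses and domains) deserve equal attention in firewall and DNS logs.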

To protect themselves from this new malware, and from malicious software in general, owners of connected devices should:

  • Change the default administrative credentials on their devices
  • Ensure the firmware of their connected devices is up to date

As for businesses and Internet service providers, they must:

(Source: Bitdefender)