
Dark Nexus: A New Emerging IoT Botnet Malware Spotted in the Wild!!


Cybersecurity researchers have discovered a new emerging IoT botnet threat that leverages compromised smart devices to stage 'distributed denial-of-service' attacks, potentially triggered on-demand through platforms offering DDoS-for-hire services.

The botnet, named "dark_nexus" by Bitdefender researchers, works by employing credential stuffing attacks against a variety of devices, such as routers (from Dasan Zhone, Dlink, and ASUS), video recorders, and thermal cameras, to co-opt them into the botnet.

So far, dark_nexus comprises at least 1,372 bots, which also act as a reverse proxy, spread across locations in China, South Korea, Thailand, Brazil, and Russia.

"While it might share some features with previously known IoT botnets, the way some of its modules have been developed makes it significantly more potent and robust," the researchers said. "For example, payloads are compiled for 12 different CPU architectures and dynamically delivered based on the victim's configuration."

Evidence gathered by Bitdefender points to greek.Helios as the individual behind the development of dark_nexus, who is a known botnet author infamous for selling DDoS services on social media platforms and using a YouTube channel to advertise its capabilities.


Inspired by known botnets Qbot and Mirai

Noting dark_nexus' similarities to Qbot banking malware and Mirai, Bitdefender researchers said its core modules are "mostly original" and that it's frequently updated, with over 30 versions released during the period from December 2019 to March 2020 (versions 4.0 through 8.6).


"The startup code of the bot resembles that of Qbot: it forks several times, blocks several signals, and detaches itself from the terminal," the researchers said.

"Then, in the vein of Mirai, it binds to a fixed port (7630), ensuring that a single instance of this bot can run on the device. The bot attempts to disguise itself by changing its name to '/bin/busybox.' Another feature borrowed from Mirai is the disabling of the watchdog by periodic ioctl calls on the virtual device."
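The two host-side indicators in the passage above (a fixed listener on TCP 7630 and a process calling itself busybox) can be checked from /proc. The following is an added triage example, not Bitdefender's or The Hacker News' code; the /proc/net/tcp lines and the process table are constructed samples, and the "comm says busybox but exe is elsewhere" rule is an assumed heuristic, not something the article states.

```python
"""Triage heuristics for the dark_nexus startup behaviour described above.

Added example; the sample data below is constructed, not captured.
"""

PORT_DARK_NEXUS = 7630  # fixed port from the Bitdefender writeup (0x1DCE in /proc)

# Constructed /proc/net/tcp excerpt in the real kernel layout:
# local_address is hexIP:hexPort, st 0A means LISTEN, column 10 is the inode.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1DCE 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 67890 1 0000000000000000 100 0 0 10 0
"""

# Constructed process table, as built from /proc/<pid>/comm,
# readlink(/proc/<pid>/exe) and the socket inodes under /proc/<pid>/fd.
SAMPLE_PROCS = [
    {"pid": 1, "comm": "init", "exe": "/sbin/init", "inodes": set()},
    {"pid": 812, "comm": "busybox", "exe": "/bin/busybox", "inodes": set()},
    {"pid": 4021, "comm": "busybox", "exe": "/tmp/.sample (deleted)", "inodes": {67890}},
]


def listening_ports(proc_net_tcp):
    """Return {local_port: socket_inode} for every socket in LISTEN state."""
    ports = {}
    for line in proc_net_tcp.splitlines()[1:]:  # skip header row
        cols = line.split()
        if len(cols) < 10 or cols[3] != "0A":
            continue
        port = int(cols[1].split(":")[1], 16)
        ports[port] = int(cols[9])
    return ports


def triage(procs, proc_net_tcp):
    """Return [(pid, [reasons])] for processes matching the indicators."""
    bot_inode = listening_ports(proc_net_tcp).get(PORT_DARK_NEXUS)
    findings = []
    for p in procs:
        reasons = []
        if bot_inode is not None and bot_inode in p["inodes"]:
            reasons.append("holds listener on tcp/%d" % PORT_DARK_NEXUS)
        # Assumed heuristic: the bot renames itself, but /proc/<pid>/exe
        # still resolves to the real (often deleted) binary.
        if p["comm"] == "busybox" and not p["exe"].startswith("/bin/busybox"):
            reasons.append("claims to be busybox but exe is " + p["exe"])
        if reasons:
            findings.append((p["pid"], reasons))
    return findings


if __name__ == "__main__":
    for pid, why in triage(SAMPLE_PROCS, SAMPLE_PROC_NET_TCP):
        print(pid, "; ".join(why))
```

On a live device the same functions can be fed the real /proc/net/tcp contents and a process table walked from /proc; a genuine busybox applet invoked via symlink resolves to /bin/busybox and is not flagged.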

The infrastructure consists of several command-and-control (C2) servers (switchnets[.]net:30047 and thiccnigga[.]me:30047), which issue remote commands to the infected bots, and reporting servers to which bots share details about vulnerable services (e.g., devices protected by default passwords).

Once the brute-force attack succeeds, the bot registers with the C2 server, identifying the device's CPU architecture so that a custom infection payload can be transmitted via Telnet; it then downloads the bot binaries and other malware components from a hosting server (switchnets[.]net:80) and executes them.

In addition, some versions of the botnet (4.0 to 5.3) come with a reverse proxy feature that lets the victim act as a proxy for the hosting server, thereby directing the infected device to download and store the necessary executables locally instead of having to connect to the central hosting server.

That's not all. dark_nexus comes with persistence commands that prevent the device from being rebooted: it stops the cron service and removes privileges from services that could be used to reboot the device.


"It also uses a technique meant to ensure 'supremacy' on the compromised device," Bitdefender observed.

"Uniquely, dark_nexus uses a scoring system based on weights and thresholds to assess which processes might pose a risk. This involves maintaining a list of whitelisted processes and their PIDs, and killing every other process that crosses a threshold (greater than or equal to 100) of suspicion."

Your IoT Devices Are Up for Hire

The Mirai botnet, since its discovery in 2016, has been linked to a number of large-scale DDoS attacks. Since then, numerous variants of Mirai have sprung up, in part due to the availability of its source code on the Internet.

Botnet authors, likewise, have staged brute-force attacks on WordPress sites to insert Qbot banking trojan and download additional malware.

The fact that dark_nexus is built on the foundations of Mirai and Qbot is proof of the evolving tactics of botnet operators and inexperienced hackers alike, allowing them to add new functionality by exploiting a variety of vulnerabilities in poorly secured IoT devices and amass modern botnet armies.

"Using YouTube videos demoing some of his past work and posting offerings on various cybercriminal forums, greek.Helios seems to have experience with IoT malware skills, honing them to the point of developing the new dark_nexus botnet," Bitdefender researchers concluded.


Source: The Hacker News


A picture is worth a thousand words, but a GIF is worth a thousand pictures. Today, the short looping clips, GIFs are everywhere—on your social media, on your message boards, on your chats, helping users perfectly express their emotions, making people laugh, and reliving a highlight. But what if an innocent-looking GIF greeting with Good morning, Happy Birthday, or Merry Christmas message hacks your smartphone? Well, not a theoretical idea anymore. WhatsApp has recently patched a critical security vulnerability in its app for Android, which remained unpatched for at least 3 months after being discovered, and if exploited, could have allowed remote hackers to compromise Android devices and potentially steal files and chat messages. WhatsApp Remote Code Execution Vulnerability The vulnerability, tracked as  CVE-2019-11932 , is a double-free memory corruption bug that doesn't actually reside in the WhatsApp code itself, but in an open-source GIF image parsing library that What...