Bitdefender researchers have spotted a new IoT botnet that is used to launch distributed denial-of-service (DDoS) attacks. Dubbed Dark_Nexus (after a string it prints in its banner), the botnet propagates by using exploits and credential stuffing attacks against a wide range of devices, including routers (from Dasan Zhone, Dlink, and ASUS), video recorders, and thermal cameras.
While some of the botnet’s code has similarities with the Mirai and Qbot malware, its core modules are mostly original and are frequently updated. Bitdefender observed over 30 versions released between December 2019 and March 2020 (versions 4.0 through 8.6).
“The startup code of the bot resembles that of Qbot: it forks several times, blocks several signals and detaches itself from the terminal. Then, in the vein of Mirai, it binds to a fixed port (7630), ensuring that a single instance of this bot can run on the device. The bot attempts to disguise itself by changing its name to “/bin/busybox”. Another feature borrowed from Mirai is the disabling of the watchdog by periodic ioctl calls on the virtual device”, the researchers say.
“While it might share some features with previously known IoT botnets, the way some of its modules have been developed makes it significantly more potent and robust. For example, payloads are compiled for 12 different CPU architectures and dynamically delivered based on the victim’s configuration.”
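The quoted description gives defenders a concrete host-side indicator: the bot binds a fixed TCP port (7630) as a single-instance lock, so a listener on that port on a device that has no business exposing it is worth investigating. The check below is an added example, not Bitdefender's code; it parses text in the `/proc/net/tcp` format (the sample rows are constructed) and reports LISTEN sockets on 7630, optionally resolving the socket inode to a process on a live Linux host. The helper names are this example's own.

```python
"""Hunt for the Dark_Nexus single-instance port (7630) in /proc/net/tcp data.

Added example (not from the Bitdefender report). The sample table below is
constructed; on a real device read open('/proc/net/tcp').read() instead.
"""
import os

DARK_NEXUS_PORT = 7630   # fixed port named in the report
TCP_LISTEN = 0x0A        # Linux kernel socket state code for LISTEN

# Constructed /proc/net/tcp excerpt: sshd on 22, an unknown LISTEN on 7630
# (0x1DCE), and an established local connection to that same port.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 00000000:1DCE 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20042 1 0000000000000000 100 0 0 10 0
   2: 0100007F:1DCE 0100007F:9C40 01 00000000:00000000 00:00000000 00000000     0        0 20043 1 0000000000000000 100 0 0 10 0
"""


def _hex_ipv4(h):
    # /proc/net/tcp stores the IPv4 address as little-endian hex
    return ".".join(str(int(h[i:i + 2], 16)) for i in (6, 4, 2, 0))


def parse_proc_net_tcp(text):
    """Return (local_ip, local_port, state, inode) for each socket row."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) < 10:
            continue
        ip_hex, port_hex = fields[1].split(":")
        rows.append((_hex_ipv4(ip_hex), int(port_hex, 16),
                     int(fields[3], 16), int(fields[9])))
    return rows


def find_listeners(text, port=DARK_NEXUS_PORT):
    """Sockets in LISTEN state bound to the given port."""
    return [r for r in parse_proc_net_tcp(text)
            if r[1] == port and r[2] == TCP_LISTEN]


def pid_for_inode(inode, proc_root="/proc"):
    """Map a socket inode to the PID holding it (live Linux only)."""
    target = "socket:[%d]" % inode
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(pid)
        except OSError:            # process exited or permission denied
            continue
    return None


if __name__ == "__main__":
    for ip, port, _, inode in find_listeners(SAMPLE_PROC_NET_TCP):
        print("suspicious listener %s:%d (inode %d)" % (ip, port, inode))
```

A hit on port 7630 is a lead, not a verdict: legitimate software may use the port, so confirm by resolving the inode to a PID and comparing the process name (the report notes the bot renames itself to `/bin/busybox`) against `/proc/<pid>/exe`.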
The Dark_Nexus botnet appeared on the threat landscape three months ago; it currently comprises at least 1,372 bots, which also act as reverse proxies, spread across China, South Korea, Thailand, Brazil, and Russia.
“The attacks are pretty standard DDoS attacks common to many other botnets. The more interesting one is browser_http_req, which is highly complex and configurable. It attempts to disguise the traffic as innocuous traffic that could have been generated by a browser,” according to the report.
The botnet infrastructure includes several command and control servers (switchnets[.]net:30047 and thiccnigga[.]me:30047) that send remote commands to the infected bots, reporting servers to which bots share details about vulnerable services, and hosting servers where samples of the malware are hosted.
The domain switchnets[.]net, the researchers say, has previously been associated with other botnets, namely a couple of Mirai variants, the Mirai/Satori branches “Okosu” and “hoho”, and a Gafgyt-based botnet.
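The C2 hostnames and port above are the network-side indicators a defender can act on. The script below is an added example, not part of the article or Bitdefender's report: it re-fangs the defanged domains, scans a constructed key=value flow log, and grades each match, treating a hit on a known C2 host as high confidence and a bare match on port 30047 as a weaker signal, since the port alone is shared by unrelated services. The log format and field names are this example's assumptions.

```python
"""Match flow records against the Dark_Nexus C2 indicators from the article.

Added example; the indicators come from the article, the log lines and the
key=value format are constructed for illustration.
"""
import re

C2_DOMAINS_DEFANGED = {"switchnets[.]net", "thiccnigga[.]me"}
C2_PORT = 30047


def refang(indicator):
    """Turn a defanged domain ('a[.]b') back into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()


C2_HOSTS = {refang(d) for d in C2_DOMAINS_DEFANGED}

# Constructed flow log: one true C2 contact, two benign flows, and one
# connection to an unknown IP on the C2 port.
SAMPLE_FLOWS = """\
2020-03-10T12:00:01Z src=192.0.2.10 dst_host=switchnets.net dst_port=30047 proto=tcp
2020-03-10T12:00:05Z src=192.0.2.11 dst_host=example.org dst_port=443 proto=tcp
2020-03-10T12:00:09Z src=192.0.2.12 dst_host=198.51.100.7 dst_port=30047 proto=tcp
2020-03-10T12:00:13Z src=192.0.2.13 dst_host=cdn.example.net dst_port=80 proto=tcp
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_flow(line):
    """Split 'timestamp key=value ...' into a dict (timestamp under 'ts')."""
    ts, _, rest = line.partition(" ")
    record = dict(FIELD_RE.findall(rest))
    record["ts"] = ts
    return record


def classify(record):
    """Return 'high', 'medium' or None for one parsed flow record."""
    host = record.get("dst_host", "").lower()
    port = int(record.get("dst_port", 0))
    if host in C2_HOSTS:
        return "high"          # known C2 domain, regardless of port
    if port == C2_PORT:
        return "medium"        # C2 port only; needs corroboration
    return None


def scan_flows(text):
    """Return (timestamp, src, dst_host, severity) for every flagged flow."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        record = parse_flow(line)
        severity = classify(record)
        if severity:
            alerts.append((record["ts"], record["src"],
                           record["dst_host"], severity))
    return alerts


if __name__ == "__main__":
    for alert in scan_flows(SAMPLE_FLOWS):
        print("%s %s -> %s [%s]" % alert)
```

Because the report says switchnets[.]net has hosted several earlier botnets, a DNS-level block on the domain pays off beyond this one family; the port-only rule should be kept as a triage hint rather than an automatic block.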
Once a brute-force attack succeeds, the bot registers with the C2 server, providing details about the device; in turn, it receives a custom payload from a hosting server via Telnet and executes it.
Based on the found evidence, Bitdefender believes that the Dark_Nexus botnet may have been developed by a botnet author known as “greek.Helios” who has been selling DDoS services and botnet code for years.