Dark_nexus Botnet Description
Malware researchers have spotted a new botnet operation dubbed the Dark_nexus Botnet. The operators of the Dark_nexus Botnet target IoT (Internet-of-Things) devices and regular computers, which means that they have a rather vast reach. It would appear that the individuals behind the Dark_nexus Botnet have used components from two other botnets – Qbot and Mirai. However, most of the features of the Dark_nexus Botnet seem to have been built from the ground up. For now, the Dark_nexus Botnet appears to be rather small. Despite its small size, the Dark_nexus Botnet seems to be more advanced and complex than most botnets that are based on the Mirai model.
Dark_Nexus is one of the most complex botnets ever seen. The botnet, discovered by researchers at Bitdefender, is said to have more capabilities and features than the average botnet.
What is a Botnet?
A botnet is a network of machines, mobile devices, and Internet of Things (IoT) devices that have been taken over by some form of primary controller. The devices can be used as part of distributed denial-of-service attacks (DDoS attacks), spam campaigns, and much more.
The Dark_Nexus botnet, named for the strings on its banner, shares some code with Qbot and Mirai but is said to be completely original in terms of features and functions. Bitdefender says that, while the botnet resembles other botnets, the robust nature of its modules sets it apart from the crowd.
Researchers say the new botnet has been around for about three months. Three versions of Dark_Nexus have been released and uncovered during this time. Honeypots say that some 1,372 devices are connected to Dark_Nexus, with most of the bots coming from China, Brazil, Thailand, and The Republic of Korea.
Dark_nexus Botnet Performs Many Malicious Actions
The botnet employs credential stuffing and other exploits to add machines to the network. Dark_Nexus uses a synchronous module and an asynchronous module together. These modules use the Telnet protocol and a pre-made list of credentials to gain access to devices and include them in the botnet.
Bitdefender explained that the botnet uses a scanner that models the Telnet protocol to perform the infection. Attackers issue commands to affected devices, adapting each command based on the outcome of previous ones.
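The Telnet credential-list activity described above is what a defender sees on the wire or in a device's login log: a rapid burst of failed logins from one source, often followed by a success. The following script is an added example, not code from the original article or from Bitdefender; it parses constructed syslog-style telnetd lines (the line format, the source addresses and the usernames are all assumptions) and flags sources whose failure rate inside a short window looks like credential stuffing, noting whether a successful login followed the burst.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed telnetd syslog-style format; not taken from any real device.
SAMPLE_LOG = """\
2020-04-08T10:00:01Z telnetd: login failed from 198.51.100.7 user=admin
2020-04-08T10:00:02Z telnetd: login failed from 198.51.100.7 user=root
2020-04-08T10:00:03Z telnetd: login failed from 198.51.100.7 user=support
2020-04-08T10:00:04Z telnetd: login failed from 198.51.100.7 user=user
2020-04-08T10:00:05Z telnetd: login failed from 198.51.100.7 user=guest
2020-04-08T10:00:06Z telnetd: login ok from 198.51.100.7 user=root
2020-04-08T10:05:00Z telnetd: login failed from 203.0.113.9 user=admin
2020-04-08T10:30:00Z telnetd: login ok from 203.0.113.9 user=admin
"""

# One regex for the assumed line shape: timestamp, result, source address, username.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd: login (?P<result>ok|failed) from (?P<src>\S+) user=(?P<user>\S+)$"
)


def parse(log_text):
    """Turn log text into (timestamp, source, username, result) tuples, skipping unknown lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def detect_credential_stuffing(events, max_failures=4, window=timedelta(minutes=1)):
    """Return {source: finding} for every source that produced at least max_failures
    failed logins inside one sliding window. A single source cycling through many
    usernames this fast is the signature of a credential-list scanner rather than a
    user mistyping a password; success_after_burst marks a likely compromise."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        failures = [e for e in evs if e[3] == "failed"]
        for i in range(len(failures)):
            # Extend the window from failure i as far as it reaches.
            j = i
            while j < len(failures) and failures[j][0] - failures[i][0] <= window:
                j += 1
            count = j - i
            if count >= max_failures:
                burst_end = failures[j - 1][0]
                usernames = sorted({e[2] for e in failures[i:j]})
                success_after = any(e[3] == "ok" and e[0] >= burst_end for e in evs)
                findings[src] = {
                    "failures": count,
                    "usernames": usernames,
                    "success_after_burst": success_after,
                }
                break  # one finding per source is enough
    return findings


if __name__ == "__main__":
    for src, f in detect_credential_stuffing(parse(SAMPLE_LOG)).items():
        print(src, f)
```

The second source, 203.0.113.9, fails once and succeeds half an hour later, which is ordinary user behaviour and is not reported; only the five-failures-in-five-seconds burst followed by a successful root login is flagged. Tune `max_failures` and `window` to the device population: consumer routers rarely see more than a couple of interactive Telnet logins a day, so a low threshold is appropriate.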
Dark_Nexus has a startup process similar to Qbot's: it forks several times, blocks some signals, and then disconnects from the terminal. Like Mirai, the botnet binds itself to port 7630. It also renames itself to /bin/busybox in an attempt to avoid discovery.
The botnet is capable of infecting many different types of devices. The payload is customized for 12 different CPU architectures, and which payload a victim receives depends on its current setup.
How Dark_nexus Botnet is Different From Other Botnets
One thing that sets Dark_Nexus apart from the crowd is how it approaches persistence. The botnet uses what is best described as a "risk assessment" process for the processes already running on the device. The code includes a whitelist and process identifiers used to find processes considered to be okay. The botnet will kill any process that crosses the "threshold of suspicion."
Dark_Nexus connects to two different command-and-control servers, along with a report server, to obtain the latest reports on vulnerable services. The addresses for these servers are hardcoded, and the malware also carries a download or reverse proxy feature. The reverse proxy feature turns machines in the botnet into proxies for the hosting server, which serves samples to the malware on a random port.
The way the botnet launches an attack is similar to other botnets, with one exception: the "browser_http_req" command. Bitdefender describes the command as complex and configurable. They say the command lets the botnet disguise the traffic it generates as the innocuous traffic a browser would create, which makes attacks more effective.
Another standout feature of the botnet is that it can prevent devices from rebooting. The botnet compromises the cron service and removes permissions from executable files that could cause a device to restart.
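The host-side indicators named in this article (a process that calls itself busybox but runs from elsewhere, the single-instance bind on TCP port 7630, and reboot-related binaries stripped of their execute bits) can be checked on a device snapshot. The script below is an added example written for this page, not code from the article or from Bitdefender. The record shapes are assumptions: on a Linux device `Proc` maps onto `/proc/<pid>/comm` and `readlink /proc/<pid>/exe`, `Listener` onto the output of `ss -ltnp`, and `FileInfo` onto `os.stat(path).st_mode`. The reboot-binary paths and the snapshot contents are constructed for illustration.

```python
from dataclasses import dataclass
import stat


# Assumed record shapes for a host snapshot (see the lead-in for how to fill them).
@dataclass
class Proc:
    pid: int
    comm: str   # process name as shown in the process list
    exe: str    # resolved path of the binary actually executing


@dataclass
class Listener:
    pid: int
    proto: str
    port: int


@dataclass
class FileInfo:
    path: str
    mode: int   # permission bits, e.g. 0o755


# Port and name come from the article; the reboot-binary paths are assumed common locations.
BIND_PORT = 7630
SPOOFED_NAME = "busybox"
GENUINE_BUSYBOX = "/bin/busybox"
REBOOT_BINARIES = ("/sbin/reboot", "/sbin/shutdown", "/sbin/halt", "/sbin/poweroff")


def find_name_spoofing(procs):
    """Processes that present themselves as busybox but run from some other path."""
    return [p for p in procs if p.comm == SPOOFED_NAME and p.exe != GENUINE_BUSYBOX]


def find_bind_port(listeners, port=BIND_PORT):
    """TCP listeners on the bot's single-instance port."""
    return [l for l in listeners if l.proto == "tcp" and l.port == port]


def find_stripped_exec_bits(files, watch=REBOOT_BINARIES):
    """Reboot-related binaries that have lost every execute bit."""
    exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    return [f.path for f in files if f.path in watch and not (f.mode & exec_bits)]


def triage(procs, listeners, files):
    """Combine the checks into (severity, rule, detail) findings. A process that both
    spoofs the busybox name and holds the bind port is rated high, because the two
    indicators corroborate each other; each indicator alone is rated medium."""
    findings = []
    spoofers = {p.pid: p for p in find_name_spoofing(procs)}
    binders = {l.pid: l for l in find_bind_port(listeners)}
    for pid, p in spoofers.items():
        sev = "high" if pid in binders else "medium"
        findings.append((sev, "busybox-name-spoof", f"pid {pid} runs {p.exe}"))
    for pid in binders:
        if pid not in spoofers:
            findings.append(("medium", "bind-port-7630", f"pid {pid} listens on tcp/{BIND_PORT}"))
    for path in find_stripped_exec_bits(files):
        findings.append(("medium", "reboot-binary-not-executable", path))
    return findings


# Constructed snapshot showing all three indicators next to benign entries.
SNAPSHOT_PROCS = [
    Proc(1, "init", "/sbin/init"),
    Proc(812, "busybox", "/bin/busybox"),        # genuine busybox applet
    Proc(4201, "busybox", "/tmp/.cache/arm7"),   # spoofed name; constructed path
]
SNAPSHOT_LISTENERS = [
    Listener(612, "tcp", 23),
    Listener(4201, "tcp", 7630),
]
SNAPSHOT_FILES = [
    FileInfo("/sbin/reboot", 0o644),    # execute bits stripped
    FileInfo("/sbin/shutdown", 0o755),
    FileInfo("/bin/busybox", 0o755),
]

if __name__ == "__main__":
    for sev, rule, detail in triage(SNAPSHOT_PROCS, SNAPSHOT_LISTENERS, SNAPSHOT_FILES):
        print(f"[{sev}] {rule}: {detail}")
```

Comparing `comm` against the resolved `exe` path is the key check: a renamed process changes what `ps` prints but not where the kernel loaded the binary from. The permission check is deliberately narrow (only the listed reboot binaries) so that a routine package update does not trip it; widen the list to match the device's actual init system.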
Researchers believe the botnet was created by Greek.Helios, a botnet author seen selling DDoS services on the black market for several years.
Some versions of Dark_Nexus contained SOCKS5 proxies, which have also been seen in botnets such as TheMoon and Mirai. Bitdefender says that they will continue to watch the botnet's development but, so far, have yet to see it offered for sale on the black market.