Meet dark_nexus, quite possibly the most potent IoT botnet ever
A newly discovered botnet that preys on home routers, video recorders, and other network-connected devices is one of the most advanced Internet-of-things platforms ever seen, researchers said on Wednesday. Its list of advanced features includes the ability to disguise malicious traffic as benign, maintain persistence, and infect devices that run on at least 12 different CPUs.
Researchers from antivirus provider Bitdefender described the so-called dark_nexus as a “new IoT botnet packing new features and capabilities that put to shame most IoT botnets and malware that we’ve seen.” In the three months that Bitdefender has tracked it, dark_nexus has undergone 30 version updates, as its developer has steadily added more features and capabilities.
Significantly more potent
The malware has infected at least 1,372 devices, which include video recorders, thermal cameras, and home and small office routers made by Dasan, Zhone, Dlink, and ASUS. Researchers expect more device models to be affected as dark_nexus development continues.
Referring to other IoT botnets, the researchers wrote in a report: “Our analysis has determined that, although dark_nexus reuses some Qbot and Mirai code, its core modules are mostly original. While it might share some features with previously known IoT botnets, the way some of its modules have been developed makes it significantly more potent and robust.”
The botnet has propagated both by guessing common administrator passwords and exploiting security vulnerabilities. Another feature that increases the number of infected devices is its ability to target systems that run on a wide range of CPUs including:
- arm: ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
- arm5: ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
- arm6: ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, stripped
- arm7: ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, stripped
- mpsl: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
- mips: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
- i586: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
- x86: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
- spc: ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
- m68k: ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped
- ppc: ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (GNU/Linux), statically linked, stripped
- arc: ?
- sh4: ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
- rce: ?
Bitdefender’s report said that while the dark_nexus propagation modules contain code targeting ARC and Motorola RCE architectures, researchers have so far been unable to find malware samples compiled for these architectures.
The primary purpose of dark_nexus is to perform distributed denial-of-service attacks that take websites and other online services offline by flooding them with more junk traffic than they can handle. To make these assaults more effective, the malware has a mechanism that makes malicious traffic appear to be benign data sent by Web browsers.
Another advanced feature in dark_nexus gives the malware “supremacy” over any other malicious wares that may be installed on compromised devices. The supremacy mechanism uses a scoring system to assess the trustworthiness of various processes running on a device. Processes that are known to be benign are automatically whitelisted.
Unrecognized processes receive scores for certain types of traits. For example, a process that was deleted while running—a behavior that’s common with malicious code— receives a score of 90. Executables in directories such as “/tmp/,” “/var/,” or “/dev/”—another telltale sign of malware—receive a score of 90. Other traits receive from 10 to 90 points. Any process that receives 100 points or more is automatically killed.
Dark_nexus can also kill restart processes, a feature that keeps the malware running for longer on a device since most IoT malware can’t survive a reboot. To make infections more stealthy, developers use already compromised devices to deliver exploits and payloads.
Who is greek helios?
Early versions of dark_nexus contain the string “@greek.helios” when they print their banner. That string also appeared in the 2018 release of “hoho,” a variant of the Marai malware. Both hoho and dark_nexus contain both Mirai and Qbot code. Bitdefender researchers soon found that “greek helios” is the name used by an online persona who sells IoT botnet malware and DDoS services. This Youtube channel hosted by a user named greek helios features several videos promoting the malware and services offered.
One video, Wednesday’s report said, shows a computer desktop with a shortcut to an IP address that as early as last December showed up in Bitdefender’s honeypot logs as a dark_nexus command-and-control server. These and several other clues led the researchers to suspect this individual is behind dark_nexus.
As the map above shows, dark_nexus infections are most common in China, with 653 nodes detected as compromised. The next four most affected countries are the Republic of Korea with 261, Thailand with 172, Brazil with 151, and Russia with 148. There are 68 infections detected in the US.
With the ability to infect a wide range of devices and a motivated developer with an ambitious update schedule, it wouldn’t be surprising to see this botnet grow in the coming months.