A new botnet has compromised hundreds of ASUS, D-Link and Dasan Zhone routers over the past three months, as well as Internet of Things (IoT) devices like video recorders and thermal cameras.
The botnet, called dark_nexus (based on a string it prints in its banner), uses processes similar to previous dangerous IoT threats like the Qbot banking malware and Mirai botnet. However, dark_nexus also comes armed with an innovative module for enabling persistence and detection evasion, which researchers say “puts other [botnets] to shame.”
“While [dark_nexus] might share some features with previously known IoT botnets, the way some of its modules have been developed makes it significantly more potent and robust,” researchers with Bitdefender said in a Wednesday analysis. “For example, payloads are compiled for 12 different CPU architectures and dynamically delivered based on the victim’s configuration.”
The discovery of dark_nexus comes as botnets continue to pose a formidable threat, compromising vulnerable internet-connected devices in order to peddle spam, distribute malware or flood systems with distributed denial of service (DDoS) attacks.
The Botnet
Dark_nexus uses Telnet credential stuffing (using a predefined credential list) and exploits to compromise devices, via two modules. Earlier versions of the botnet used exploits targeting flaws like the critical CVE-2019-7256, a command-injection vulnerability in Linear eMerge E3-Series, and an unauthenticated remote code-execution flaw in Netgear DGN1000 routers.
Dark_nexus also borrows code and processes previously used by Qbot and the infamous Mirai botnet that launched the 2016 Dyn DDos attack. Its startup code for instance acts similarly to Qbot, blocking several signals and detaching itself from the terminal. And, similar to Mirai, dark_nexus binds to a fixed port (7630), ensuring that a single instance of the bot can run on the device.
In another similarity to other botnets (TheMoon, Gwmndy and Omg botnet) researchers found socks5 proxies in some versions of dark_nexus, potentially used for renting access to the footprint.
Since it was first spotted in December, researchers estimate (based on honeypot evidence) that the botnet has compromised at least 1,372 devices worldwide. These are mainly based in South Korea but also are hosted in China, Thailand and Brazil. In comparison, Mirai had infected more than 600,000 IoT devices during its peak in November 2016.
New Features
Beyond these similarities, however, researchers point to the dark_nexus component lineup as a sign that the botnet it paving its own way. These modules are frequently updated, with 30 new versions found in three months.
Dark_nexus comes with tactics enabling detection evasion and persistence. The botnet uses a technique for launching DDoS attacks that cloaks traffic as innocuous, browser-generated traffic, helping it bypass detection, for instance. Once it infects a device, the bot also attempts to disguise itself by pretending to be a BusyBox (under the name /bin/busybox), a popular software suite that provides several Unix utilities in a single executable file.
Dark_nexus also comes with commands for removing restart permissions on compromised devices, thus enabling persistence. The commands try to prevent the device from rebooting by stopping the cron service (which is used to schedule tasks) and removing permissions for executables that could be used to reboot the device.
The botnet also uses a unique technique meant to ensure “supremacy” on the compromised device, researchers said: “Uniquely, dark_nexus uses a scoring system based on weights and thresholds to assess which processes might pose a risk,” they said. “This involves maintaining a list of whitelisted process…and killing every other process that that crosses a threshold of suspicion.”
Other features used by the botnet include a debugging module to maintain proper functionality and reliability of the device. And, the botnet’s payload is customized for targeting 12 different CPU architectures – giving it more breadth in terms of the types and number of devices it can target.
In terms of attribution, researchers point to greek.Helios, a known botnet author who sells DDoS services and botnet code, as a possible creator of dark_nexus. Early dark_nexus binaries contains a string “@greek.helios” in their banner that was present in other botnets (such as in a 2018 Mirai variant called “hoho”).
“Using YouTube videos demoing some of his past work and posting offerings on various cybercriminal forums, greek.Helios seems to have experience with IoT malware skills, honing them to the point of developing the new dark_nexus botnet,” said researchers.