A recently identified Internet of Things (IoT) botnet has modules developed in a manner that makes it significantly more “potent and robust” than other IoT botnets, Bitdefender’s security researchers say.
Dubbed dark_nexus and featuring a modular architecture, the threat shares some features with previously observed pieces of malware, and even reuses Qbot and Mirai code, but its core modules appear mostly original.
The botnet’s payloads are compiled for 12 different CPU architectures and are dynamically delivered based on the victim’s configuration. The malware was also observed using a scoring system to determine which processes might pose a threat to it, and killing those processes.
Supposedly the work of a known botnet author named greek.Helios, dark_nexus was designed for distributed denial of service (DDoS) services, and it can hide generated traffic as innocuous browser-generated traffic. The malware uses Telnet scanners for infection and victim reporting, targeting a broad range of router models with Telnet credential stuffing and exploits.
It also employs socks5 proxies — likely for renting access to the botnet — a debugging module to ensure proper functionality and reliability of the device, and it removes device restart permissions to achieve persistence, Bitdefender says in a report (PDF).
dark_nexus is believed to be around three months old, but has received over 30 updates during this period of time.
The botnet appears to be comprised of at least 1,372 bots, located in China (653), Korea (261), Thailand (172), Brazil (151), Russia (148), Taiwan (110), Ukraine (77), United States (68), India (46), and Vietnam (24).
Compromised devices range from routers (including Dasan Zhone, D-Link, and ASUS) to video recorders and thermal cameras. Given the rapid pace at which the botnet’s developer delivers updates, it’s likely that more device models will be targeted.
Bitdefender’s security researchers identified within dark_nexus’ code a series of strings that connect it to greek.Helios, who is believed to be the author of a Mirai variant called “hoho.”
Together with pieces of evidence from the malware author’s YouTube channel, and correlated with the fact that the developer sells DDoS services and botnet code, this led the researchers to the conclusion that greek.Helios built dark_nexus as well.