dark_nexus IOT Malware

Just what we need malware that out competes other malware installed on IOT devices by analysing, ranking and killing other malicious services.

This Arstechnica gives a heads up on this new and potent malware describing it as “one of the most advanced Internet-of-things platforms ever seen”. The current detection rate globally is not huge but it sounds like this has the potential to spread rapidly.

The full report is provided by Bitdefender and shows the evolution of dark_nexus going back to December 2019. Its a pity they have hidden the IOC’s behind the paywall of their Threat Management service. But I guess they have to make money from the reports somehow.

Bitdefender report the key findings as:

  • Botnet used for DDoS services
  • Uses a DDoS tactic that disguises traffic as innocuous browser-generated traffic
  • Synchronous and asynchronous Telnet scanners used for infection and victim reporting
  • Uses socks5 proxies, potentially for renting access to the botnet
  • Uses Telnet credential stuffing and exploits to compromise a long list of router models
  • Most compromised IoTs are based in Korea
  • Uses debugging module to maintain proper functionality and reliability of the device
  • Code compiled for 12 different CPU architectures and has dynamic downloader injection
  • Distributed binary hosting using each victim as a reverse proxy
  • New persistence tactic by removing device restart permissions
  • Frequently updated components, with over 30 versions in 3 months
  • Possibly created by greek.Helios, known botnet author who sells DDoS services and botnet code

Sources:

https://arstechnica.com/information-technology/2020/04/meet-dark_nexus-quite-possibly-the-most-potent-iot-botnet-ever/

https://www.bitdefender.com/files/News/CaseStudies/study/319/Bitdefender-PR-Whitepaper-DarkNexus-creat4349-en-EN-interactive.pdf