Dark_nexus botnet outstrips other malware with new, potent features

Researchers have found a botnet that borrows from Qbot and Mirai but goes much further in terms of power.
Written by Charlie Osborne, Contributing Writer

A new botnet has entered the threat landscape that researchers say "puts to shame" others on the scene, such as Mirai and Qbot.

On Wednesday, researchers from cybersecurity firm Bitdefender said the new botnet, dubbed "dark_nexus," packs a range of features and capabilities that go beyond those typically found in today's botnets. 

Botnets are networks of machines, Internet of Things (IoT) products, and mobile devices that have been compromised and enslaved to a main controller. Together, these devices can be used to perform distributed denial-of-service (DDoS) attacks, launch spam campaigns en masse, and more. 

Dark_nexus, named so due to strings printed on its banner, has code links to both Mirai and Qbot, but the team says the majority of the botnet's functions are original. 

"While it might share some features with previously known IoT botnets, the way some of its modules have been developed makes it significantly more potent and robust," Bitdefender says. 

Dark_nexus has existed for three months and during this time, three different versions have been released. Honeypots have revealed that there are at least 1,372 bots connected to the botnet, with the majority being hosted in China, the Republic of Korea, Thailand, and Brazil. 

In order to compromise a machine after discovery, the botnet will use credential-stuffing and exploits. Two modules, one synchronous and one asynchronous, are in use, both of which attempt to use the Telnet protocol and predefined credential lists to obtain access. 

"Much like the scanners employed by other widespread botnets [...] the scanner is implemented as a finite state machine modeling the Telnet protocol and the subsequent infection steps, in which the attacker issues commands adaptively based on the output of previous commands," Bitdefender explained. 

During startup, the botnet uses the same processes as Qbot; several forks are implemented, some signals are blocked, and then the botnet detaches itself from the terminal. In the same way as Mirai, the botnet will then bind itself to port 7630. In addition, the malware attempts to conceal its activities by renaming itself to /bin/busybox. 
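The host-side traits described above (a listener on port 7630 and a process presenting itself as /bin/busybox) can be checked during triage of a Linux device. The following is an added example, not code from Bitdefender or the article. It assumes the rename is visible as the process's argv[0]; the function names are hypothetical and the sample /proc/net/tcp text is constructed.

```python
import os

PORT = 7630        # port the article says the bot binds to
TCP_LISTEN = "0A"  # LISTEN state code in /proc/net/tcp

# Constructed sample (not from a real host): sshd on 22, a listener on 7630,
# and an ESTABLISHED connection from local port 7630 that must be ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 00000000:1DCE 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1 0000000000000000 100 0 0 10 0
   2: 0100007F:1DCE 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 33333 1 0000000000000000 20 4 30 10 -1
"""

def listeners_on(proc_net_tcp_text, port=PORT):
    """Return socket inodes in LISTEN state on `port` (IPv4 table only)."""
    inodes = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip header row
        f = line.split()
        if len(f) >= 10 and f[3] == TCP_LISTEN and int(f[1].rsplit(":", 1)[1], 16) == port:
            inodes.append(f[9])
    return inodes

def owners_of(inodes, proc="/proc"):
    """Map socket inodes to (pid, argv0, exe) via /proc/<pid>/fd; needs root."""
    want = {f"socket:[{i}]" for i in inodes}
    hits = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            fds = os.listdir(f"{proc}/{pid}/fd")
            if any(os.readlink(f"{proc}/{pid}/fd/{fd}") in want for fd in fds):
                with open(f"{proc}/{pid}/cmdline", "rb") as fh:
                    argv0 = fh.read().split(b"\0")[0].decode(errors="replace")
                hits.append((pid, argv0, os.readlink(f"{proc}/{pid}/exe")))
        except OSError:
            continue  # process exited or access denied
    return hits

def name_mismatch(argv0, exe_target, real_busybox="/bin/busybox"):
    """True when a process claims to be /bin/busybox but runs another file."""
    return argv0 == "/bin/busybox" and exe_target != real_busybox

if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:
        inodes = listeners_on(fh.read())
    real = os.path.realpath("/bin/busybox")
    for pid, argv0, exe in owners_of(inodes):
        flag = "SUSPICIOUS" if name_mismatch(argv0, exe, real) else "review"
        print(pid, argv0, exe, flag)
```

A listener on 7630 alone is only a lead; the name mismatch on the owning process is what makes it worth isolating the device.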

The botnet has a payload customized for a total of 12 different CPU architectures and is delivered depending on a victim's configuration and setup. 

Dark_nexus uses a rather unique approach to maintain a foothold on a machine -- a form of 'risk assessment' conducted on existing processes. A list of whitelisted processes is included in the malware's code, together with their process identifiers, which dictates the processes that are considered okay. Everything that crosses a "threshold of suspicion" is killed. 

The botnet connects to two command-and-control (C2) servers alongside a report server that receives reports of vulnerable services -- containing both IP and port numbers -- at the time of discovery.

Server addresses are either hardcoded into lightweight downloaders or, in some cases, a reverse proxy feature is used to turn each victim into a proxy for the hosting server, which then serves the samples found on a random port. 

Attacks launched by the botnet are rather typical, with one exception -- the browser_http_req command. Bitdefender says this element is "highly complex and configurable," and "it attempts to disguise the traffic as innocuous traffic that could have been generated by a browser."

Another feature of interest is an attempt to prevent a device from rebooting. The cron service is compromised and stopped, while permissions are also removed from executables that could restart a machine. 

The developer of the botnet is believed to be greek.Helios, a known botnet author that has been flogging DDoS services in underground forums for a number of years. 

The researchers also found socks5 proxies in some versions of the malware, a feature also seen in botnets such as Mirai variants, TheMoon, and Gwmndy. They continue to watch the botnet's development with interest.

"A possible motivation would be selling access to these proxies on underground forums. However, we have not found evidence of this yet," Bitdefender says. 
