The IoT botnet, named “dark_nexus” based on a string it prints in its banner, has the ability to launch a range of DDoS attacks, disguise malicious web browser traffic as benign, maintain persistence, and infect devices that run on at least 12 different CPUs. The botnet, say the researchers, has already infected over 1,300 devices – including video recorders, thermal cameras, and various home and small office routers – by guessing common administrator passwords and exploiting security vulnerabilities.
“While it might share some features with previously known IoT botnets, the way some of its modules have been developed makes it significantly more potent and robust,” says Liviu Arsene, a senior cybersecurity analyst for Bitdefender. “For example, payloads are compiled for 12 different CPU architectures and dynamically delivered based on the victim’s configuration.”
The botnet features a technique meant to ensure “supremacy” on the compromised device. Uniquely, say the researchers, dark_nexus uses a scoring system based on weights and thresholds to assess which processes might pose a risk: it maintains a list of whitelisted processes and their PIDs, and kills every other process that crosses a threshold of suspicion.
The botnet can also kill the restart process, allowing it to run without any interruption while it delivers exploits and payloads using the compromised device. In the three months that Bitdefender has tracked it, dark_nexus has undergone 30 version updates, as its developer – most likely a known botnet author who has been selling DDoS services and botnet code for years – has steadily added more features and capabilities.
Currently, dark_nexus infections are most common in China, with the next four most affected countries being the Republic of Korea, Thailand, Brazil, and Russia. At the time of the report, there were 68 infections detected in the US. It’s likely, say the researchers, that more device models will be added as dark_nexus development continues.
For more, see the company’s white paper “New dark_nexus IoT Botnet Puts Others to Shame.”