The IoT botnet, named "dark_nexus" after a string it prints in its banner, can launch a range of DDoS attacks, disguise malicious web browser traffic as benign, maintain persistence, and infect devices running on at least 12 different CPU architectures. The botnet, say the researchers, has already infected over 1,300 devices - including video recorders, thermal cameras, and various home and small office routers - by guessing common administrator passwords and exploiting security vulnerabilities.
"While it might share some features with previously known IoT botnets, the way some of its modules have been developed makes it significantly more potent and robust," says Liviu Arsene, a senior cybersecurity analyst for Bitdefender. "For example, payloads are compiled for 12 different CPU architectures and dynamically delivered based on the victim's configuration."
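Payloads compiled for many CPU architectures are a triage problem for responders: a captured payload directory has to be sorted by target before any sample goes near an emulator. The following is an added example, not Bitdefender's tooling or anything from the dark_nexus samples: it reads only the ELF identification bytes plus e_type and e_machine from a file and labels it by architecture, so multi-architecture payload sets can be bucketed without executing anything. The sample headers are constructed inline, and the e_machine table is a subset of the ELF specification's codes chosen here for illustration.

```python
import struct

# ELF e_machine codes from the ELF specification for architectures that
# IoT malware commonly ships payloads for. This subset is an illustration
# added here, not a list taken from the Bitdefender report.
E_MACHINE = {
    2: "SPARC",
    3: "x86",
    4: "m68k",
    8: "MIPS",
    20: "PowerPC",
    40: "ARM",
    42: "SuperH",
    62: "x86-64",
    183: "AArch64",
}


def identify_elf(data: bytes) -> dict:
    """Return class, endianness, type and target machine from an ELF header.

    Only the first 20 bytes are inspected (e_ident, e_type, e_machine), which
    is enough to bucket a captured payload without running it.
    """
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("malformed ELF identification")
    # e_type and e_machine are stored in the file's own byte order.
    fmt = ("<" if ei_data == 1 else ">") + "HH"
    e_type, e_machine = struct.unpack_from(fmt, data, 16)
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "type": {2: "EXEC", 3: "DYN"}.get(e_type, f"type {e_type}"),
        "machine": E_MACHINE.get(e_machine, f"unknown ({e_machine:#x})"),
    }


def make_header(ei_class: int, ei_data: int, e_machine: int, e_type: int = 2) -> bytes:
    """Build a minimal 20-byte ELF header for the constructed samples below."""
    endian = "<" if ei_data == 1 else ">"
    e_ident = b"\x7fELF" + bytes([ei_class, ei_data, 1, 0]) + b"\x00" * 8
    return e_ident + struct.pack(endian + "HH", e_type, e_machine)


# Constructed samples standing in for files pulled from a payload server;
# no real dark_nexus binaries are used here.
SAMPLES = {
    "payload.mips": make_header(1, 2, 8),
    "payload.arm7": make_header(1, 1, 40),
    "payload.x86_64": make_header(2, 1, 62),
    "payload.ppc": make_header(1, 2, 20),
    "README": b"not an executable",
}


def triage(samples: dict) -> dict:
    """Map each sample name to a one-line architecture label."""
    result = {}
    for name, data in samples.items():
        try:
            info = identify_elf(data)
            result[name] = f"{info['machine']} {info['bits']}-bit {info['endian']}-endian"
        except ValueError as exc:
            result[name] = f"skipped: {exc}"
    return result


if __name__ == "__main__":
    for name, label in triage(SAMPLES).items():
        print(f"{name:16} {label}")
```

Reading e_machine is deliberately done after the endianness byte is known: a MIPS payload built big-endian and an ARM payload built little-endian store the same field in opposite byte orders, and a parser that assumes one order will mislabel half of a multi-architecture drop.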
The botnet features a technique meant to ensure "supremacy" on the compromised device. Uniquely, say the researchers, dark_nexus uses a scoring system based on weights and thresholds to assess which processes might pose a risk: it maintains a list of whitelisted processes and their PIDs, and kills every other process whose score crosses a threshold of suspicion.
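The same weighted whitelist-and-threshold idea is exactly what a host monitor on an embedded device uses in the other direction: score each running process against a baseline of expected (name, PID) pairs and a few weighted indicators, and alert on anything over the threshold rather than kill it. The following is an added example written from that defender's side; it is not Bitdefender's analysis code and not dark_nexus code. The whitelist, the process snapshot, the indicators, their weights and the threshold are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    name: str
    exe: str       # resolved executable path, as /proc/<pid>/exe would give it
    cmdline: str


# Expected (name, PID) pairs on this device. Binding a name to its PID means
# a look-alike process with the right name but the wrong PID still scores.
# Constructed for the example.
WHITELIST = {("init", 1), ("watchdog", 42), ("httpd", 120)}

# Weighted indicators; each test returns True when it applies to a process.
# Weights and threshold are assumed values chosen for illustration.
INDICATORS = [
    ("not in whitelist", 3,
     lambda p: (p.name, p.pid) not in WHITELIST),
    ("runs from volatile dir", 2,
     lambda p: p.exe.startswith(("/tmp/", "/dev/shm/", "/var/run/"))),
    ("binary deleted on disk", 3,
     lambda p: p.exe.endswith("(deleted)")),
    ("fetches and drops files", 2,
     lambda p: any(t in p.cmdline for t in ("wget ", "tftp ", "chmod +x"))),
]
THRESHOLD = 5


def score_process(p: Proc) -> tuple:
    """Return (total score, names of the indicators that fired)."""
    total, hits = 0, []
    for name, weight, test in INDICATORS:
        if test(p):
            total += weight
            hits.append(name)
    return total, hits


def review(procs: list) -> list:
    """Return (proc, score, hits) for processes at or above THRESHOLD, highest first."""
    flagged = []
    for p in procs:
        total, hits = score_process(p)
        if total >= THRESHOLD:
            flagged.append((p, total, hits))
    flagged.sort(key=lambda t: (-t[1], t[0].pid))
    return flagged


# Constructed process snapshot: three expected daemons, a benign shell that
# is merely unlisted, a hidden binary already unlinked from disk, and a
# second "httpd" that borrows the whitelisted name but not its PID.
SNAPSHOT = [
    Proc(1, "init", "/sbin/init", "init"),
    Proc(42, "watchdog", "/sbin/watchdog", "watchdog -t 5"),
    Proc(120, "httpd", "/usr/sbin/httpd", "httpd -p 80"),
    Proc(200, "sh", "/bin/sh", "sh"),
    Proc(3131, ".x", "/tmp/.x (deleted)", "/tmp/.x"),
    Proc(4000, "httpd", "/var/run/httpd", "/var/run/httpd"),
]


if __name__ == "__main__":
    for p, total, hits in review(SNAPSHOT):
        print(f"pid {p.pid:<6} {p.name:<8} score={total} ({', '.join(hits)})")
```

With these weights the unlisted but ordinary shell scores 3 and stays below the threshold, while the name-spoofing second httpd reaches exactly 5 because the whitelist is keyed on PID as well as name. The threshold is what separates "unexpected" from "act on it", and on a device where a monitor can only alert, a false positive costs far less than it does for a bot that kills whatever it scores.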