A new botnet has emerged which, according to researchers, puts other botnets such as Mirai and Qbot to shame.
Researchers from the cybersecurity firm Bitdefender stated that the new botnet, dubbed dark_nexus, has a range of features and capabilities far beyond those normally found in today's botnets.
Botnets are networks of machines, Internet of Things (IoT) products, and mobile devices that have been compromised and enslaved to a main controller. These devices can be used to perform distributed denial-of-service (DDoS) attacks, launch spam campaigns and much more.
The botnet has been named dark_nexus after strings printed in its banner, and its code shares links with both Mirai and Qbot. According to the team, however, most of the botnet's functions are original.
Bitdefender stated that even though it shares some features with previously known IoT botnets, some of its modules make it significantly more potent and robust.
dark_nexus has been active for three months, and during this time three different versions have been released. At least 1,372 bots are known to have connected to the botnet, with the majority hosted in China, the Republic of Korea, Thailand, and Brazil.
To compromise a machine, the botnet makes use of credential stuffing and exploits. Two modules, one synchronous and one asynchronous, are in use; both rely on the Telnet protocol and predefined credential lists to gain access.
During startup, the botnet follows the same routine as Qbot: several forks are performed, some signals are blocked, and the botnet then detaches itself from the terminal. In the same way as Mirai, the botnet then binds itself to port 7630. In addition, the malware attempts to conceal its activity by renaming itself to /bin/busybox.
The botnet has a payload customized for a total of 12 different CPU architectures and is delivered depending on a victim’s configuration and setup.
The method dark_nexus uses to maintain a foothold on a machine is unique: a form of "risk assessment" conducted on existing processes. The malware's code includes a list of whitelisted processes, together with their process identifiers, which dictates which processes are considered benign. Everything that crosses a "threshold of suspicion" is killed.
The botnet connects to two command-and-control (C2) servers alongside a report server that receives reports of vulnerable services — containing both IP and port numbers.
Server addresses are either hardcoded into lightweight downloaders or supplied through a reverse proxy feature; in some cases the latter turns each victim into a proxy for the hosting server, which then serves the samples on a random port.
Attacks launched by the botnet are typical, with one exception: the browser_http_req command. This element is "highly complex and configurable," and "it tries to disguise the traffic as innocuous traffic that could have been generated by a browser."
It also includes a feature to prevent a device from rebooting: the cron service is compromised and stopped, and permissions are removed from executables that could restart the machine.
The botnet is believed to have been developed by greek.Helios, a known botnet author.
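The host-level traits described above (the port 7630 listener, the process renamed to /bin/busybox, the stopped cron service and the reboot binaries with their execute permissions removed) are the kind of thing a defender can triage for. The following is an added example, not code from the Bitdefender report: a small Python checker that scores a host snapshot against those four traits. The reboot-helper paths, the "comm says busybox but the executable is elsewhere" heuristic, and the sample snapshot are assumptions constructed for this illustration.

```python
import os, stat
from collections import namedtuple

# Traits taken from the write-up: listener on TCP 7630, process renamed to
# /bin/busybox, cron stopped, execute bits stripped from reboot helpers.
DARK_NEXUS_PORT = 7630
REBOOT_HELPERS = ("/sbin/reboot", "/sbin/shutdown", "/sbin/poweroff")  # assumed paths
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
# listening: set of TCP ports; procs: [(pid, comm, exe)]; cron_running: bool; modes: {path: st_mode}
Snapshot = namedtuple("Snapshot", "listening procs cron_running modes")

def triage(snap):
    findings = []
    if DARK_NEXUS_PORT in snap.listening:
        findings.append(f"listener on tcp/{DARK_NEXUS_PORT}")
    for pid, comm, exe in snap.procs:
        # heuristic: process calls itself busybox, but the executable behind it is something else
        if comm == "busybox" and "busybox" not in os.path.basename(exe):
            findings.append(f"pid {pid} named busybox but runs {exe}")
    if not snap.cron_running:
        findings.append("cron daemon not running")
    for path in REBOOT_HELPERS:
        mode = snap.modes.get(path)
        if mode is not None and not mode & EXEC_BITS:
            findings.append(f"{path} has lost its execute permission")
    return findings

def snapshot_from_proc():  # live collection on Linux; assumes /proc is mounted
    listening = set()
    with open("/proc/net/tcp") as f:
        next(f)  # header line
        for line in f:
            cols = line.split()
            if cols[3] == "0A":  # socket state LISTEN; local port is hex after the colon
                listening.add(int(cols[1].rsplit(":", 1)[1], 16))
    procs = []
    for entry in filter(str.isdigit, os.listdir("/proc")):
        try:
            comm = open(f"/proc/{entry}/comm").read().strip()
            exe = os.readlink(f"/proc/{entry}/exe")
        except OSError:  # process exited, or not readable without privilege
            continue
        procs.append((int(entry), comm, exe))
    cron_running = any(c in ("cron", "crond") for _, c, _ in procs)
    modes = {p: os.stat(p).st_mode for p in REBOOT_HELPERS if os.path.exists(p)}
    return Snapshot(listening, procs, cron_running, modes)

# Constructed sample (not real telemetry): a host showing all four traits.
SAMPLE = Snapshot({22, 7630}, [(1, "init", "/sbin/init"), (412, "busybox", "/tmp/.x/arm7")],
                  False, {"/sbin/reboot": 0o100644, "/sbin/shutdown": 0o100755})
```

Run `triage(snapshot_from_proc())` as root on a Linux host to apply the same checks live; `triage(SAMPLE)` shows the four findings the constructed snapshot produces.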
The researchers also found socks5 proxies in some versions of the malware, a feature also found in botnets such as Mirai variants, TheMoon, and Gwmndy.