A newly discovered botnet that preys on home routers, video recorders, and other network-connected devices is one of the most advanced Internet-of-things platforms ever seen, researchers said on Wednesday. Its list of advanced features includes the ability to disguise malicious traffic as benign, maintain persistence, and infect devices that run on at least 12 different CPUs.
Researchers from antivirus provider Bitdefender described the so-called dark_nexus as a “new IoT botnet packing new features and capabilities that put to shame most IoT botnets and malware that we’ve seen.” In the three months that Bitdefender has tracked it, dark_nexus has undergone 30 version updates, as its developer has steadily added more features and capabilities.
Significantly more potent
The malware has infected at least 1,372 devices, which include video recorders, thermal cameras, and home and small office routers made by Dasan, Zhone, Dlink, and ASUS. Researchers expect more device models to be affected as dark_nexus development continues.
Referring to other IoT botnets, the researchers wrote in a report: “Our analysis has determined that, although dark_nexus reuses some Qbot and Mirai code, its core modules are mostly original. While it might share some features with previously known IoT botnets, the way some of its modules have been developed makes it significantly more potent and robust.”
The botnet has propagated both by guessing common administrator passwords and exploiting security vulnerabilities. Another feature that increases the number of infected devices is its ability to target systems that run on a wide range of CPUs including:
Bitdefender’s report said that while the dark_nexus propagation modules contain code targeting ARC and Motorola RCE architectures, researchers have so far been unable to find malware samples compiled for these architectures.
The primary purpose of dark_nexus is to perform distributed denial-of-service attacks that take websites and other online services offline by flooding them with more junk traffic than they can handle. To make these assaults more effective, the malware has a mechanism that makes malicious traffic appear to be benign data sent by Web browsers.
Another advanced feature in dark_nexus gives the malware “supremacy” over any other malicious wares that may be installed on compromised devices. The supremacy mechanism uses a scoring system to assess the trustworthiness of various processes running on a device. Processes that are known to be benign are automatically whitelisted.
Dark_nexus can also kill restart processes, a feature that keeps the malware running for longer on a device since most IoT malware can’t survive a reboot. To make infections more stealthy, developers use already compromised devices to deliver exploits and payloads.
Who is greek helios?
Early versions of dark_nexus contain the string “@greek.helios” when they print their banner. That string also appeared in the 2018 release of “hoho,” a variant of the Marai malware. Both hoho and dark_nexus contain both Mirai and Qbot code. Bitdefender researchers soon found that “greek helios” is the name used by an online persona who sells IoT botnet malware and DDoS services. This Youtube channel hosted by a user named greek helios features several videos promoting the malware and services offered.
One video, Wednesday’s report said, shows a computer desktop with a shortcut to an IP address that as early as last December showed up in Bitdefender’s honeypot logs as a dark_nexus command-and-control server. These and several other clues led the researchers to suspect this individual is behind dark_nexus.