A new IoT botnet discovered by Bitdefender researchers has the features and capacity to mount DDoS attacks by recruiting IoT devices and turning them against infrastructure networks. With more and more home IoT devices being connected to organisational networks as people across the globe work from home, the botnet's potential reach is growing.
The botnet was caught in a honeypot operated by Bitdefender, said the company’s threat research and reporting director, Bogdan Botezatu. It uses a DDoS technique that disguises attack traffic as innocuous browser-generated traffic.
Spotted in December 2019, the botnet has been updated frequently, with 30 versions recorded in its three months of existence. Each binary carries a version string, and the ‘dark_nexus’ string printed in its banner gave the botnet its name.
“We tend to name malware based on strings that are present inside the binary files we analyse. In this case, the string ‘dark_nexus’ is present in a message that it prints in its banner message, so we thought this string is specific enough and does not infringe on any recommendations in the CARO naming scheme,” Botezatu told SC Media UK.
“The botnet scans the internet for vulnerable devices and attempts to hijack them using specific techniques. This is a botnet that undergoes heavy development - the operators are improving their tactics to hijack vulnerable devices and, if our assumptions about attribution are correct, its developer is a skilled bot-master with quite some experience behind.” Dark_nexus bears the marks of a commercial threat actor with a considerable history of developing IoT malware, which made it easier to deduce who its maker could be, said Botezatu.
“Using YouTube videos demoing some of his past work and posting offerings on various cyber-criminal forums, greek.Helios seems to have experience with IoT malware skills, honing them to the point of developing the new dark_nexus botnet.”
The damage this IoT botnet has done to date is hard to assess, as DDoS attacks can only be traced back to fixed IP addresses, said Botezatu.
“However, most ISPs across the world allocate dynamic IPs so victims' visibility into DDoS attacks is really low. We presume that this botnet is in the growth phase and most likely, the attacker saves big DDoS attempts for a later time.”
The bot client is cross-compiled for 12 CPU architectures, giving it the capacity to infect a wide variety of devices, including routers, digital video recorders (DVRs) and surveillance cameras. The most recent versions also start a SOCKSv5 proxy on compromised devices, allowing attackers to route malicious traffic through them in addition to using them in DDoS attacks.
Although the botnet is small, with barely 1,200 devices, these features give it considerable damaging potential. Another prominent feature is its striking similarity to the well-known Mirai botnet, which helped Bitdefender deduce who its possible creator is.
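As an added illustration of the SOCKSv5 proxy feature described above (example code written for this page, not Bitdefender's analysis code or the botnet's own), the following Python script implements the SOCKS5 client greeting from RFC 1928 and classifies the listener's reply, so a defender can check whether a camera, DVR or router on their network has started answering as an unauthenticated proxy. The loopback listeners and port choices it uses for the demonstration are constructed for this example; the page does not say which port dark_nexus listens on.

```python
"""Probe a host for a SOCKS5 listener using the RFC 1928 client greeting.

Added example, not Bitdefender's or the botnet's code. The client sends
VER=0x05, NMETHODS=1, METHODS=[0x00] (no authentication); a SOCKS5 server
answers with two bytes, VER and the selected METHOD. 0x00 means anyone can
relay traffic through the device; 0xFF means no offered method is acceptable.
Ports and the throwaway loopback servers below are assumptions for the demo.
"""
import socket
import threading

SOCKS_VERSION = 0x05
NO_AUTH = 0x00
NO_ACCEPTABLE = 0xFF


def classify_reply(reply: bytes) -> str:
    """Map the server's method-selection reply to a finding label."""
    if len(reply) < 2 or reply[0] != SOCKS_VERSION:
        return "not-socks5"  # closed early, HTTP banner, telnet prompt, etc.
    if reply[1] == NO_AUTH:
        return "open-socks5"  # unauthenticated relay: investigate this device
    if reply[1] == NO_ACCEPTABLE:
        return "socks5-auth-required"
    return "socks5-other-method"


def probe_socks5(host: str, port: int, timeout: float = 2.0) -> str:
    """Connect, send the greeting, and classify the first two reply bytes."""
    greeting = bytes([SOCKS_VERSION, 1, NO_AUTH])
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(greeting)
            reply = s.recv(2)
    except OSError:  # refused, timed out, unreachable
        return "closed-or-unreachable"
    return classify_reply(reply)


def _fake_listener(reply: bytes):
    """Constructed stand-in for a device: answers one greeting with `reply`."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # port chosen by the OS, an assumption for the demo
    srv.listen(1)
    addr = srv.getsockname()

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(3)  # consume the 3-byte greeting
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return addr


def _free_port() -> int:
    """Find a loopback port with nothing listening, to show the closed case."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo() -> dict:
    """Probe four constructed targets and return their classifications."""
    results = {}
    cases = [
        ("open-proxy", b"\x05\x00"),
        ("auth-proxy", b"\x05\xff"),
        ("web-server", b"HTTP/1.1 400 Bad Request\r\n\r\n"),
    ]
    for label, reply in cases:
        host, port = _fake_listener(reply)
        results[label] = probe_socks5(host, port)
    results["closed-port"] = probe_socks5("127.0.0.1", _free_port(), timeout=1.0)
    return results


if __name__ == "__main__":
    for target, finding in demo().items():
        print(f"{target}: {finding}")
```

Run it against devices on a network you are authorised to test, substituting the device address and candidate ports for the loopback listeners; an "open-socks5" result from a camera, DVR or router is not expected behaviour and warrants pulling the device for inspection.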
In 2016 Mirai made major websites in the US inaccessible after a company that managed crucial parts of the internet's infrastructure came under attack. Users reported problems reaching several websites.
Masahiro Yamada, associate vice-president, threat research at CYFIRMA, previously told SC Media UK that several campaigns recently targeted internet-facing systems using customised Mirai bots.
“In their recent campaigns, we identified evidence suggesting (Chinese threat group) MISSION2025 using customised Mirai bot to target Linux systems including network devices and IoT devices. The attack included bruteforce against telnet and SSH and also vulnerabilities exploits against DSL modems and GPON routers, D-Link and Netgear, Huawei routers, and Realtek SDK,” he said.