A new IoT botnet, discovered by Bitdefender researchers, is named Dark Nexus. In one of its earliest versions, it used this name in its user agent string when carrying out exploits over HTTP: “dark_NeXus_Qbot/4.0”, citing Qbot as its influence. Although dark_nexus reuses some Qbot and Mirai code, its core modules are mostly original. The way some of its modules have been developed makes it significantly more potent and robust.
DDoS disguises traffic as browser-generated traffic
According to the whitepaper released by Bitdefender, Dark Nexus uses a DDoS tactic that disguises traffic as innocuous browser-generated traffic. Dark Nexus also uses Telnet credential stuffing and exploits to compromise a long list of router models, and most compromised IoT devices are based in Korea. The code is compiled for 12 different CPU architectures and has a dynamic downloader injection. Bitdefender also noted,
“Interestingly, dark_nexus seems to have been developed by a known botnet author who has been selling DDoS services and botnet code for years. Using YouTube videos demoing some of his past work and posting offerings on various cybercriminal forums, greek.Helios seems to have experience with IoT malware skills, honing them to the point of developing the new dark_nexus botnet.”