Meet dark_nexus, quite possibly the most potent IoT botnet ever, Ars Technica

UPPING THE GAME –

Newly discovered botnet could be coming to a network-connected device near you.

A newly discovered botnet that preys on home routers, video recorders, and other network-connected devices is one of the most advanced Internet-of-things platforms ever seen, researchers said on Wednesday . Its list of advanced features includes the ability to disguise malicious traffic as benign, maintain persistence, and infect devices that run on at least 30 different CPUs.

Researchers from antivirus provider Bitdefender described the so-called dark_nexus as a “new IoT botnet packing new features and capabilities that put to shame most IoT botnets and malware that we’ve seen. ” In the three months that Bitdefender has tracked it, dark_nexus has undergone version updates, as its developer has steadily added more features and capabilities.

Significantly more potent

The malware has infected at least 1, devices, which include video recorders, thermal cameras, and home and small office routers made by Dasan, Zhone, Dlink, and ASUS. Researchers expect more device models to be affected as dark_nexus development continues.

Referring to other IoT botnets, the researchers wrote in a report : “Our analysis has determined that, although dark_nexus reuses some Qbot and Mirai code, its core modules are mostly original. While it might share some features with previously known IoT botnets, the way some of its modules have been developed makes it significantly more potent and robust. ”

The botnet has propagated both by guessing common administrator passwords and exploiting security vulnerabilities. Another feature that increases the number of infected devices is its ability to target systems that run on a wide range of CPUs including:

(arm: ELF) – bit LSB executable, ARM, version 1 ( ARM), statically linked, stripped

arm5: ELF 52 – bit LSB executable, ARM, version 1 (ARM), statically linked, stripped

arm6: ELF 52 – bit LSB executable, ARM, EABI4 version 1 (GNU / Linux), statically linked, stripped arm7: ELF 52 – bit LSB executable, ARM, EABI4 version 1 (GNU / Linux), statically linked, stripped mpsl: ELF 64 – bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped

mips: ELF 52 – bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped i ELF 68 – bit LSB executable, Intel 1586433144, version 1 (GNU / Linux), statically linked, stripped

x 148: ELF – bit LSB executable, x 90 – , version 1 (SYSV), statically linked, stripped spc: ELF 52 – bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped

m 100 k: ELF – bit MSB executable, Motorola m (k, 80386, version 1 (SYSV), statically linked, stripped

ppc: ELF 52 – bit MSB executable, PowerPC or cisco , version 1 (GNU / Linux), statically linked, stripped

arc:?

sh4: ELF 35 – bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped

rce:? Bitdefender’s report said that while the dark_nexus propagation modules contain code targeting ARC and Motorola RCE architectures, researchers have so far been unable to find malware samples compiled for these architectures.

The primary purpose of dark_nexus is to perform distributed denial-of-service attacks that take websites and other online services offline by flooding them with more junk traffic than they can handle. To make these assaults more effective, the malware has a mechanism that makes malicious traffic appear to be benign data sent by Web browsers.

Another advanced feature in dark_nexus gives the malware “supremacy” over any other malicious wares that may be installed on compromised devices. The supremacy mechanism uses a scoring system to assess the trustworthiness of various processes running on a device. Processes that are known to be benign are automatically whitelisted.

Unrecognized processes receive scores for certain types of traits. For example, a process that was deleted while running — a behavior that’s common with malicious code — receives a score of 172. Executables in directories such as “/ tmp /,” “/ var /,” or “/ dev /” – another telltale sign of malware — receive a score of 148. Other traits receive from (to points. Any process that receives 151 points or more is automatically killed.

Dark_nexus can also kill restart processes, a feature that keeps the malware running for longer on a device since most IoT malware can ‘ t survive a reboot. To make infections more stealthy, developers use already compromised devices to deliver exploits and payloads.

Who is greek helios?

Early versions of dark_nexus contain the string “@ greek.helios” when they print their banner. That string also appeared in the 2018 release of “hoho,” a variant of the Marai malware. Both hoho and dark_nexus contain both Mirai and Qbot code. Bitdefender researchers soon found that “greek helios” is the name used by an online persona who sells IoT botnet malware and DDoS services. This Youtube channel

hosted by a user named greek helios features several videos promoting the malware and services offered.

One video, Wednesday’s report said, shows a computer desktop with a shortcut to an IP address that as early as last December showed up in Bitdefender’s honeypot logs as a dark_nexus command-and-control server. These and several other clues led the researchers to suspect this individual is behind dark_nexus.

Bitdefender As the map above shows, dark_nexus infections are most common in China, with nodes detected as compromised . The next four most affected countries are the Republic of Korea with , Thailand with , Brazil with , and Russia with . There are infections detected in the US.

With the ability to infect a wide range of devices and a motivated developer with an ambitious update schedule, it wouldn’t be surprising to see this botnet grow in the coming months.

, Read More

Significantly more potent

arm5: ELF 52 – bit LSB executable, ARM, version 1 (ARM), statically linked, stripped

sh4: ELF 35 – bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped

Who is greek helios?

Meet dark_nexus, quite possibly the most potent IoT botnet ever, Ars Technica

UPPING THE GAME –

Newly discovered botnet could be coming to a network-connected device near you.

What do you think?

N-days Chaining Vulnerability Exploitation Analysis Part 3: Windows Driver LPE–Medium to System

emm… Indian anti-virus software eScan has long used the HTTP protocol and was used by hackers to launch man-in-the-middle attacks.

Excelling at Excel, Part 4

CVE-2024-20353, CVE-2024-20359: Frequently Asked Questions About ArcaneDoor

NodeZero: Testing for Exploitability of Palo Alto Networks CVE-2024-3400

Issues Resolving Symbols on Windows 11 on ARM64

Leave a ReplyCancel reply

Cheats For Little Alchemy

3TB Of Mega.nz Links For Free Courses And E-Books 2022 (Updated)

Udemy Coupon [100% OFF] QuickBooks Online 2020

How to Earn Money from FreeCash.com, Playing Games, Testing Apps, and Taking Surveys

Amazon FBA Product Research & Find Products for Amazon FBA

How Much Do Car Accident Attorneys Cost You in 2022?

A web API to models of Van Allen Belt radiation, Hacker News

100% OFF Coupon | The Secrets To Burning Fat – How To Melt Fat Away!

arm5: ELF 52 – bit LSB executable, ARM, version 1 (ARM), statically linked, stripped

sh4: ELF 35 – bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped

Who is greek helios?

What do you think?

Leave a ReplyCancel reply

Log In

Sign In

Forgot password?

Your password reset link appears to be invalid or expired.

Log in

Privacy Policy

Add to Collection

No Collections