Bitdefender reveals new botnet which 'puts others to shame'

09 Apr 2020

Bitdefender has today announced its recent discovery of a new IoT botnet used for distributed denial-of-service (DDoS) attacks.

The botnet, which Bitdefender has dubbed ‘dark_nexus’ based on a string it puts in its banner, boasts new features and capabilities that ‘put to shame’ most other IoT botnets and malware that the cybersecurity industry has seen.

Analysis from Bitdefender has determined that, although dark_nexus reuses some Qbot and Mirai code, its core modules are mostly original.

While it might share some features with previously known IoT botnets, the way some of its modules have been developed makes it significantly more potent and robust. 

For example, payloads are compiled for 12 different CPU architectures and dynamically delivered based on the victim’s configuration.

The botnet uses common DDoS tactics seen in many other botnets. But Bitdefender has identified one highly complex and configurable DDoS tactic in dark_nexus’s architecture which disguises traffic as innocuous browser-generated traffic, adding a layer of stealth.

Although it has existed for only three months, dark_nexus has seen several updates, and each binary contains a versioning string which has helped Bitdefender decipher its origin and aim – recent binaries include the versioning string in the message used for registering with the CnC.

It also uses a technique meant to ensure “supremacy” on the compromised device. 

Uniquely, dark_nexus uses a scoring system based on weights and thresholds to assess which processes might pose a risk, according to Bitdefender.

This involves maintaining a list of whitelisted processes and their PIDs, and killing every other process that crosses a threshold of suspicion.

The report says dark_nexus used the Qbot malware as a starting point in its development, but also showed signs of links to Mirai, as both dark_nexus and Mirai contain a similar string that they print as part of their banner. 

Bitdefender reports that dark_nexus seems to have been developed by a known botnet author, who calls themselves greek.Helios and who has been selling DDoS services and botnet code for years.

This author provides hosting services for botnets and sells DDoS services and botnet code on social media.

They advertise their botnet on a YouTube channel, displaying the DDoS capabilities. 

Bitdefender used these videos to link dark_nexus’s authorship to greek.Helios: in one video the viewer can see a shortcut for connecting to an IP address that Bitdefender’s honeypot data had recorded as a CnC and hosting server for a Mirai-based botnet.

Through YouTube videos demoing some of his past work and offerings posted on various cybercriminal forums, greek.Helios appears to have built up IoT malware skills, honing them to the point of developing the new dark_nexus botnet, according to the Bitdefender Investigations and Forensics Unit.
