Threat Watch

New “Dark_nexus” Botnet Used for DDoS

A new botnet named “Dark_nexus” that compromises Internet-of-Things (IoT) devices appeared about three months ago and has taken control of at least 1,300 bots so far, according to researchers from Bitdefender. The malware code contains some references to other well-known botnet malware, Mirai and Qbot, but most of Dark_nexus is new work and contains features that could position it as a major threat in the future. The botnet can be used to launch Distributed Denial of Service (DDoS) attacks against websites and is capable of disguising the attack traffic so that it resembles ordinary web-browser traffic, which makes the DDoS traffic more difficult to detect and block. Spam or phishing email messages containing malware can be sent from the bots; this is a common technique used by many threat groups to spread malware. The Dark_nexus botnet also contains a SOCKS5 proxy feature, which could allow the threat actors controlling the botnet to lease access to others, who would relay their attacks through the bots and disguise their actual IP addresses. The researchers have suggested that the creator of the Dark_nexus botnet may be a well-known botnet author going by the name “greek.Helios,” who sells DDoS services on criminal forums. The bot uses a variety of techniques to find and infect other devices, including exploits against known vulnerabilities and attempts to log in to devices via Telnet using known default passwords.

ANALYST NOTES

Because so many low-cost IoT devices are deployed with default configurations and receive little to no support from their manufacturers, IoT botnets are likely to continue to thrive and remain a threat long into the future. Organizations and individuals who operate IoT devices, especially devices that can be reached from the Internet, should change the passwords from the default values, update the firmware to patch known vulnerabilities where patches are available, and protect the devices from Telnet login attempts by limiting network access to known and trusted IP address ranges. It is also important to monitor the network traffic from the devices for unusual or suspicious activity, which could indicate that a device has been compromised. Businesses that operate public websites critical to sales or operations should consider DDoS mitigation services that can keep the website available even while a botnet attempts to flood the site with bogus requests.
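One concrete form the "monitor the network traffic from the devices" advice can take follows from how Dark_nexus spreads: a bot that is trying default Telnet passwords against other devices opens TCP/23 connections to many distinct hosts in a short time, which a camera, DVR or router has no legitimate reason to do. The script below is an added illustration written for this note, not code from Bitdefender or from the article; it reads constructed firewall/NetFlow-style records (the field layout and the host addresses are assumptions) and flags any source that reaches at least `min_targets` distinct Telnet destinations within a `window_seconds` span.

```python
"""Flag hosts that behave like a Telnet-spreading IoT bot.

Dark_nexus, like Mirai, propagates by attempting Telnet (TCP/23) logins
with known default passwords against many other devices. "Many distinct
Telnet destinations from one source within a few minutes" is therefore a
cheap, high-signal indicator that a device on the LAN has been compromised.

Added example for this Threat Watch note; not Bitdefender's or the
article's code. The flow records below are constructed, and the
"timestamp src_ip dst_ip dst_port proto" layout is an assumption about
the export format.
"""
from collections import defaultdict
from datetime import datetime

TELNET_PORT = 23

# Constructed sample export. 192.168.10.20 is an IoT camera sweeping a
# /24 over Telnet (one destination is retried, and must count only once);
# 192.168.10.21 is a workstation doing normal SSH/HTTPS; 192.168.10.5 is an
# admin host that legitimately manages one switch over Telnet.
SAMPLE_FLOWS = """\
# timestamp            src_ip        dst_ip         dst_port proto
2020-04-08T10:00:01 192.168.10.20 10.0.0.1 23 tcp
2020-04-08T10:00:04 192.168.10.20 10.0.0.2 23 tcp
2020-04-08T10:00:07 192.168.10.20 10.0.0.3 23 tcp
2020-04-08T10:00:09 192.168.10.20 10.0.0.3 23 tcp
2020-04-08T10:00:12 192.168.10.20 10.0.0.4 23 tcp
2020-04-08T10:00:15 192.168.10.20 10.0.0.5 23 tcp
2020-04-08T10:00:19 192.168.10.20 10.0.0.6 23 tcp
2020-04-08T10:00:23 192.168.10.20 10.0.0.7 23 tcp
2020-04-08T10:00:27 192.168.10.20 10.0.0.8 23 tcp
2020-04-08T10:00:31 192.168.10.20 10.0.0.9 23 tcp
2020-04-08T10:00:35 192.168.10.20 10.0.0.10 23 tcp
2020-04-08T10:00:40 192.168.10.20 10.0.0.11 23 tcp
2020-04-08T10:00:44 192.168.10.20 10.0.0.12 23 tcp
2020-04-08T10:00:50 192.168.10.21 192.168.10.1 22 tcp
2020-04-08T10:00:55 192.168.10.21 203.0.113.10 443 tcp
2020-04-08T10:01:00 192.168.10.5 192.168.10.2 23 tcp
2020-04-08T10:03:00 192.168.10.5 192.168.10.2 23 tcp
"""


def parse_flows(text):
    """Parse whitespace-separated flow records into
    (timestamp, src_ip, dst_ip, dst_port, proto) tuples; '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, proto = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port), proto.lower()))
    return flows


def telnet_scanners(flows, min_targets=10, window_seconds=300):
    """Return {src_ip: distinct_targets} for every source that opened Telnet
    connections to at least `min_targets` distinct hosts inside some
    `window_seconds` span. Retries to the same host count once."""
    by_src = defaultdict(list)
    for ts, src, dst, port, proto in flows:
        if proto == "tcp" and port == TELNET_PORT:
            by_src[src].append((ts, dst))

    hits = {}
    for src, events in by_src.items():
        events.sort()  # chronological, so each window can be scanned forward
        best = 0
        for i, (start, _) in enumerate(events):
            targets = set()
            for ts, dst in events[i:]:
                if (ts - start).total_seconds() > window_seconds:
                    break
                targets.add(dst)
            best = max(best, len(targets))
        if best >= min_targets:
            hits[src] = best
    return hits


if __name__ == "__main__":
    for src, n in telnet_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"ALERT {src}: Telnet connections to {n} distinct hosts within 5 min")
```

Tune `min_targets` to the environment: an admin jump host that manages a handful of switches over Telnet will stay below a threshold of ten, while a Mirai-style sweep of even one /24 blows past it within a minute. The same shape of check, with the port changed, also catches bots probing for the other "known vulnerabilities" the article mentions on whatever service those exploits target.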
For more information, please see: https://www.zdnet.com/article/new-dark-nexus-botnet-outstrips-others-with-original-advanced-capabilities/