10.04.2020

New IoT Botnet Dark Nexus puts other botnets to shame

Bitdefender researchers have found a new IoT botnet with new features and capabilities that put to shame most IoT botnets and malware seen before. They named the botnet “dark_nexus” based on a string it prints in its banner.

Bitdefender’s analysis has determined that, although dark_nexus reuses some Qbot and Mirai code, its core modules are mostly original. While it might share some features with previously known IoT botnets, the way some of its modules have been developed makes it significantly more potent and robust. For example, payloads are compiled for 12 different CPU architectures and dynamically delivered based on the victim’s configuration.

The attack types it supports are mostly standard DDoS attacks common to many other botnets. The more interesting one is browser_http_req, which is highly complex and configurable: it attempts to disguise the attack traffic as innocuous traffic that could have been generated by a browser.

Based on the IPs that attacked its honeypots in the past week, Bitdefender analysts have determined that the botnet is comprised of at least 1,372 bots. Known victims are headed by China, followed by Korea, Thailand, Brazil, Russia, Taiwan and Ukraine. In terms of devices that appear to be compromised by dark_nexus, the list is pretty extensive, ranging from various router models, such as Dasan Zhone, Dlink, and ASUS, to video recorders and thermal cameras. It’s likely more device models will be added as dark_nexus development continues.

Bitdefender believes that the dark_nexus botnet was likely developed by a botnet author known as “greek.Helios”, who has been selling DDoS services and botnet code for years.