
Bitdefender reveals new botnet which 'puts others to shame'

09 Apr 2020

Bitdefender has today announced its recent discovery of a new IoT botnet used for distributed denial-of-service (DDoS) attacks.

The botnet, which Bitdefender has dubbed ‘dark_nexus’ based on a string it puts in its banner, boasts new features and capabilities that ‘put to shame’ most other IoT botnets and malware that the cybersecurity community has seen.

Analysis from Bitdefender has determined that, although dark_nexus reuses some Qbot and Mirai code, its core modules are mostly original.

While it might share some features with previously known IoT botnets, the way some of its modules have been developed makes it significantly more potent and robust. 

For example, payloads are compiled for 12 different CPU architectures and dynamically delivered based on the victim’s configuration.

The botnet uses common DDoS tactics seen in many other botnets. But Bitdefender has identified one highly complex and configurable DDoS tactic in dark_nexus’s architecture which disguises traffic as innocuous browser-generated traffic, adding a layer of stealth.
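A flood that imitates browser traffic defeats filters that key only on the User-Agent, but it still shows up as an abnormal per-source request rate. The following is an added illustration of that defensive check, not Bitdefender's code and not derived from the dark_nexus samples: it parses access-log lines in the common "combined" format and flags any source that exceeds a request threshold inside a short sliding window. The log lines, addresses and threshold values are constructed for the example.

```python
"""Rate-based flood detection over web-server access logs (added example).

The sample traffic is constructed: both sources send a plausible browser
User-Agent, so only the per-source request rate separates the flood from
the ordinary visitor.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/Nginx "combined" log format: ip ident user [ts] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if malformed."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def flag_floods(lines, window_s=10, threshold=20):
    """Return {ip: peak request count} for sources that exceed `threshold`
    requests within any `window_s`-second window. Lines must be in time order
    per source (the normal state of an access log)."""
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:           # skip unparsable lines instead of crashing
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()           # drop timestamps that fell out of the window
        if len(q) > threshold:
            peaks[rec["ip"]] = max(peaks.get(rec["ip"], 0), len(q))
    return peaks


# --- constructed sample data (not real traffic) ---------------------------
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/74.0"


def _line(ip, second, path, ua):
    return (f'{ip} - - [09/Apr/2020:10:00:{second:02d} +0000] "GET {path} HTTP/1.1" '
            f'200 512 "-" "{ua}"')


# One ordinary visitor: three requests spread over 40 seconds.
# One flood source: 30 requests packed into 5 seconds, same browser UA.
SAMPLE_LOG = sorted(
    [_line("198.51.100.7", s, "/index.html", BROWSER_UA) for s in (0, 15, 40)]
    + [_line("203.0.113.5", s // 6, "/", BROWSER_UA) for s in range(30)],
    key=lambda l: parse_line(l)["ts"],
)

if __name__ == "__main__":
    for ip, peak in flag_floods(SAMPLE_LOG).items():
        print(f"{ip}: {peak} requests in a 10s window")   # 203.0.113.5: 30 ...
```

The window and threshold are deliberately small so the constructed sample triggers; in production they are tuned per endpoint, and the per-source counter is usually keyed on a /24 or ASN as well, since a botnet spreads its requests across many bots that each stay under a naive per-IP limit.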

While it has existed for only three months, dark_nexus has seen several updates, and each binary contains a versioning string which has helped Bitdefender in deciphering its origin and aim – recent binaries include the versioning string in the message used for registering to the CnC.

It also uses a technique meant to ensure “supremacy” on the compromised device. 

Uniquely, dark_nexus uses a scoring system based on weights and thresholds to assess which processes might pose a risk, according to Bitdefender.

This involves maintaining a list of whitelisted processes and their PIDs, and killing every other process that crosses a threshold of suspicion.
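The same weights-and-thresholds idea works in the other direction: a host audit on an embedded device can score each running process against an allowlist and a few risk indicators and flag, rather than kill, anything that crosses a threshold. The block below is an added example of such a defensive scoring routine; it is not Bitdefender's code, does not reproduce the dark_nexus logic, and the process records, allowlist and weights are constructed for illustration.

```python
"""Weighted process-suspicion scoring for a host audit (added example).

Each indicator contributes a weight; a process whose total reaches the
threshold is reported for review. The records below are constructed, not
taken from a real device.
"""
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    name: str
    exe: str               # resolved path of the executable
    deleted: bool = False  # binary was unlinked after exec (common for droppers)
    listens: bool = False  # process holds a listening socket
    uid: int = 0


# Constructed allowlist for a hypothetical BusyBox-style device.
ALLOWLIST = {"init", "busybox", "dropbear", "httpd", "watchdog"}

# Constructed weights; tune to the device's normal process population.
WEIGHTS = {
    "exe_in_tmp":        40,   # executing from a world-writable scratch dir
    "exe_deleted":       30,   # running binary no longer exists on disk
    "unlisted_listener": 20,   # unknown process accepting connections
    "not_allowlisted":   10,   # name not in the expected set
}
THRESHOLD = 50
TMP_DIRS = ("/tmp/", "/dev/shm/")


def score(proc):
    """Return (total_score, [reasons]) for one process."""
    total, reasons = 0, []
    allowlisted = proc.name in ALLOWLIST
    if proc.exe.startswith(TMP_DIRS):
        total += WEIGHTS["exe_in_tmp"]; reasons.append("exe in tmp dir")
    if proc.deleted:
        total += WEIGHTS["exe_deleted"]; reasons.append("exe deleted")
    if proc.listens and not allowlisted:
        total += WEIGHTS["unlisted_listener"]; reasons.append("unlisted listener")
    if not allowlisted:
        total += WEIGHTS["not_allowlisted"]; reasons.append("not allowlisted")
    return total, reasons


def audit(procs, threshold=THRESHOLD):
    """Return [(pid, score, reasons)] for processes at or above the threshold."""
    flagged = []
    for p in procs:
        s, reasons = score(p)
        if s >= threshold:
            flagged.append((p.pid, s, reasons))
    return flagged


# Constructed sample snapshot of a device's process table.
SAMPLE_PROCS = [
    Proc(1, "init", "/sbin/init"),
    Proc(212, "dropbear", "/usr/sbin/dropbear", listens=True),
    Proc(1337, ".x86", "/tmp/.x86", deleted=True, listens=True),   # classic dropper profile
    Proc(2000, "agent", "/opt/agent/agent", listens=True),         # unknown but on-disk vendor daemon
]

if __name__ == "__main__":
    for pid, s, reasons in audit(SAMPLE_PROCS):
        print(f"pid {pid}: score {s} ({', '.join(reasons)})")
```

Only pid 1337 reaches the threshold; the unlisted vendor daemon scores 30 and is left alone, which is the point of weighting rather than a flat allowlist. A real deployment would also feed the flagged entries to a log or EDR pipeline instead of acting on the device, since the process table is under the attacker's control once a bot has root.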

The report says dark_nexus used the Qbot malware as a starting point in its development, but also showed signs of links to Mirai, as both dark_nexus and Mirai contain a similar string that they print as part of their banner. 

Bitdefender reports that dark_nexus seems to have been developed by a known botnet author who has been selling DDoS services and botnet code for years, who calls themselves greek.Helios.

This author provides hosting services for botnets and sells DDoS services and botnet code on social media.

They advertise their botnet on a YouTube channel, displaying the DDoS capabilities. 

Bitdefender used these videos to link dark_nexus’s authorship to greek.Helios, as in one video the viewer can see a shortcut for connecting to an IP evidenced in Bitdefender’s honeypot as a CnC and hosting server for a Mirai-based botnet.

Using YouTube videos demoing some of his past work and posting offerings on various cybercriminal forums, greek.Helios seems to have experience with IoT malware skills, honing them to the point of developing the new dark_nexus botnet, according to the Bitdefender Investigations and Forensics Unit.
