Category: Cyber Security, Cybercrime, Cybercrime as-a-service, Endpoint Security

Researchers at Bitdefender Describe Capabilities of ‘Dark Nexus’

The operator of a newly discovered botnet dubbed “Dark Nexus” is offering cybercriminals access to an array of capabilities, including the ability to launch distributed denial-of-service attacks on demand, according to the security firm Bitdefender.


The botnet, discovered in December 2019, is built on top of the same malicious code that created the infamous Mirai and Qbot botnets, says Bogdan Botezatu, director of threat research and reporting at Bitdefender.


For as little as $20 per month, cybercriminals – even those with limited computer skills – can rent access to Dark Nexus and use it to launch DDoS attacks or churn out spam campaigns, according to Bitdefender.


“The purpose of Dark Nexus seems to be DDoS attacks on demand,” Botezatu tells Information Security Media Group. “Analyzing the bot’s capabilities, as well as the way the author advertises the malware, we can definitely tell that it is designed for rental to actors in the DDoS market.”


Bitdefender’s honeypots have found over 1,370 infected connected devices, such as internet of things devices and routers, that make up the Dark Nexus botnet, and more are being added each day, Botezatu says. The majority of these devices are located in South Korea, but others have been found in China, Thailand and Brazil, according to the new research report.


“We have witnessed increased activity in Dark Nexus in the past few months, which indicates that the botnet is expanding,” Botezatu says.


Botnet’s Features


Researchers have already discovered 30 variations of the Dark Nexus botnet as its operator adds features and refines its code, he says.


To infect new devices, the botnet uses credential-stuffing techniques to guess combinations of passwords and usernames for connected devices.
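The propagation step described above, guessing username and password pairs against exposed device logins, is the part of the infection chain a defender can most readily spot in device or gateway logs. The following Python script is an added example, not code from the article or from Bitdefender's report: it flags source addresses that produce a burst of failed logins and records whether a later login from the same source succeeded, which is the sign that one of the guessed pairs worked. The dropbear-style log lines, the 60-second window, the threshold of five failures and the assumed year 2020 are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in the style of an embedded dropbear SSH daemon
# (hypothetical data, not taken from the article or Bitdefender's report).
SAMPLE_LOG = """\
Apr  8 10:00:01 router dropbear[801]: Bad password attempt for 'admin' from 198.51.100.7:51220
Apr  8 10:00:02 router dropbear[802]: Bad password attempt for 'root' from 198.51.100.7:51221
Apr  8 10:00:02 router dropbear[803]: Bad password attempt for 'user' from 198.51.100.7:51222
Apr  8 10:00:03 router dropbear[804]: Bad password attempt for 'admin' from 198.51.100.7:51223
Apr  8 10:00:04 router dropbear[805]: Bad password attempt for 'support' from 198.51.100.7:51224
Apr  8 10:00:05 router dropbear[806]: Password auth succeeded for 'admin' from 198.51.100.7:51225
Apr  8 10:00:30 router dropbear[810]: Bad password attempt for 'root' from 203.0.113.9:40001
Apr  8 10:05:30 router dropbear[811]: Bad password attempt for 'root' from 203.0.113.9:40002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ \S+: "
    r"(?P<outcome>Bad password attempt|Password auth succeeded) for '(?P<user>[^']*)' "
    r"from (?P<ip>[\d.]+):\d+$"
)


def parse_line(line, year=2020):
    """Turn one auth log line into a dict, or None if it is not an auth event.
    Syslog timestamps carry no year, so the caller supplies one (assumed 2020)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "ip": m["ip"],
        "user": m["user"],
        "success": m["outcome"] == "Password auth succeeded",
    }


def find_bruteforce(lines, window=timedelta(seconds=60), threshold=5):
    """Return {ip: finding} for sources with at least `threshold` failed logins
    inside any `window`, listing the usernames tried and whether a login from
    that source succeeded after the failures began."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[ev["ip"]].append(ev)

    findings = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if not e["success"]]
        # Sliding window over the sorted failure timestamps: largest number
        # of failures that fit inside one window.
        best, start = 0, 0
        for end in range(len(failures)):
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            first_failure = failures[0]["ts"]
            findings[ip] = {
                "max_failures_in_window": best,
                "usernames": sorted({e["user"] for e in failures}),
                "login_succeeded_after": any(
                    e["success"] for e in evs if e["ts"] >= first_failure
                ),
            }
    return findings


if __name__ == "__main__":
    for ip, finding in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, finding)
```

On the constructed sample only 198.51.100.7 is reported: five failures across four different usernames inside four seconds, followed by a successful login, which is exactly the pattern that warrants isolating the device and rotating its credentials. The second source, with two failures five minutes apart, stays below the threshold. In production the threshold and window should be tuned to the device's normal login rate, and the year should come from the log's actual date rather than the assumed constant.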


Once the Dark Nexus malware has taken over a device, it uses techniques similar to Mirai to maintain its presence. For example, it binds itself to port 7630 to block other botnets and renames itself as “/bin/busybox” to hide from security checks, according to the report.


After it has taken over a device, Dark Nexus then connects to a command-and-control server to receive new code and instructions from its operator.


The botnet also has unique features and modules that are built on top of the older Mirai and Qbot code. These include a payload that is designed for 12 CPU architectures, which means it can spread and infect many more connected devices than older botnets, the report notes.


Another feature enables Dark Nexus to maintain “supremacy” within a compromised device, according to the report. The botnet maintains its own scoring system, which weighs what processes might pose a risk to its presence. It then eliminates those processes that could stop it from working.


“This involves maintaining a list of whitelisted processes and their process identifiers and killing every other process that crosses a threshold of suspicion,” Botezatu says.


Dark Nexus also attempts to prevent an infected device from rebooting by stopping the cron service, which is used to schedule tasks in IoT devices and routers, and removes permissions for executables that could be used to reboot the device, according to the report.
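The persistence behaviours the report attributes to Dark Nexus in the paragraphs above (binding port 7630, running under the name "/bin/busybox", stopping cron and stripping execute permission from reboot binaries) each leave a host-level trace. The Python script below is an added example, not code from the article or from Bitdefender: it checks a snapshot of a Linux host for those four indicators. The snapshot format, the `/proc/net/tcp` excerpt, the process list, the file modes and the list of reboot binary paths are constructed assumptions; `collect_live_snapshot()` shows how the same shape can be filled in from a real `/proc` on a Linux host.

```python
import os
import stat

SUSPECT_PORT = 7630                                   # port the report says the bot binds
REBOOT_BINARIES = ("/sbin/reboot", "/sbin/shutdown", "/sbin/halt")  # assumed paths
CRON_NAMES = {"cron", "crond"}                        # assumed daemon names


def listening_ports(net_tcp_text):
    """Parse /proc/net/tcp text and return the set of locally bound ports in LISTEN state.
    local_address is 'HEXIP:HEXPORT' and the st column is 0A for LISTEN."""
    ports = set()
    for line in net_tcp_text.splitlines()[1:]:        # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        local, state = fields[1], fields[3]
        if state == "0A":
            ports.add(int(local.split(":")[1], 16))
    return ports


def check_snapshot(snapshot):
    """Return a list of human-readable findings for the four persistence indicators."""
    findings = []
    if SUSPECT_PORT in listening_ports(snapshot["net_tcp"]):
        findings.append(f"port {SUSPECT_PORT} is bound in LISTEN state")

    cron_seen = False
    for proc in snapshot["processes"]:
        if proc["comm"] in CRON_NAMES:
            cron_seen = True
        # A process calling itself busybox whose executable is not the busybox
        # binary is masquerading (heuristic: compare comm with the exe link target).
        if proc["comm"] == "busybox" and os.path.basename(proc["exe"]) != "busybox":
            findings.append(f"pid {proc['pid']} reports name 'busybox' but runs {proc['exe']}")
    if not cron_seen:
        findings.append("no cron daemon running")

    for path, mode in snapshot["file_modes"].items():
        if path in REBOOT_BINARIES and not mode & 0o111:
            findings.append(f"{path} has no execute bit (mode {oct(mode)})")
    return findings


def collect_live_snapshot():
    """Build the same snapshot shape from a live Linux host (reading other users'
    /proc/PID/exe links requires root; kernel threads without an exe are skipped)."""
    with open("/proc/net/tcp") as f:
        net_tcp = f.read()
    processes = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue
        processes.append({"pid": int(pid), "comm": comm, "exe": exe})
    file_modes = {}
    for path in REBOOT_BINARIES:
        try:
            file_modes[path] = stat.S_IMODE(os.stat(path).st_mode)
        except OSError:
            pass
    return {"net_tcp": net_tcp, "processes": processes, "file_modes": file_modes}


# Constructed snapshot of a compromised router (hypothetical data). 0x0017 is
# telnet (23), 0x1DCE is 7630; the third socket is an established connection.
SAMPLE_SNAPSHOT = {
    "net_tcp": (
        "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
        "   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0\n"
        "   1: 00000000:1DCE 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0000000000000000 100 0 0 10 0\n"
        "   2: 0A00000A:0017 C0A80101:C350 01 00000000:00000000 00:00000000 00000000     0        0 1003 1 0000000000000000 100 0 0 10 0\n"
    ),
    "processes": [
        {"pid": 1, "comm": "init", "exe": "/sbin/init"},
        {"pid": 420, "comm": "telnetd", "exe": "/bin/busybox"},
        {"pid": 1337, "comm": "busybox", "exe": "/tmp/.oiz (deleted)"},
    ],
    "file_modes": {"/sbin/reboot": 0o644, "/sbin/shutdown": 0o755, "/bin/busybox": 0o755},
}

if __name__ == "__main__":
    for finding in check_snapshot(SAMPLE_SNAPSHOT):
        print("FINDING:", finding)
```

The constructed snapshot produces four findings: the listener on 7630, a process named busybox whose executable was deleted from /tmp, no cron daemon, and /sbin/reboot with its execute bit cleared. The cron check is the noisiest of the four on hosts that never ran cron, so it is best treated as corroborating evidence next to the other three rather than an indicator on its own; the busybox check is a heuristic and will not catch a bot that rewrites both its name and its on-disk path.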


The Bitdefender report finds that Dark Nexus was likely created by an underground developer known as “greek.Helios,” who has been known to offer DDoS attack services for sale and rent on underground dark net forums.


Other Botnets


Dark Nexus is one of several new botnets that researchers have discovered in recent months.


For example, last month, researchers at security firm Guardicore Labs described a botnet called Vollgar, which has targeted more than 3,000 vulnerable devices running Microsoft SQL Server databases. The botnet has the ability to plant cryptominers within these infected databases (see: Botnet Targets Devices Running Microsoft SQL Server: Report).


