April 29, 2020
The “dark_nexus” bot was named by the Bitdefender researchers who analyzed it. This time the malware does not target Windows: its payloads are Linux ELF executables aimed at IoT devices, so the likely victims are routers (from Dasan Zhone, Dlink and ASUS, among others), video recorders and similar embedded systems. Payloads exist for 12 different CPU architectures running embedded Linux. The bots running on compromised devices together form the dark_nexus botnet.
A note from the researchers:
While it might share some features with previously known IoT botnets, the way some of its modules have been developed makes it significantly more potent and robust. For example, payloads are compiled for 12 different CPU architectures and dynamically delivered based on the victim’s configuration.
“dark_nexus” is inspired by the notorious Qbot and Mirai bots. It breaks into IoT devices with credential stuffing attacks, that is, by trying lists of known username and password pairs against each device's login service until one works. As many people know, enormous numbers of login credentials have already been stolen through phishing and data breaches, and the attack is efficient because users habitually reuse the same password across many services; on embedded devices, factory-default logins that owners never changed are the most productive entries in such a list.
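The pattern described above, one source replaying a credential list against a device's login service, is visible in the device's own logs. The following Python snippet is an added illustration, not Lionic's code and not taken from Bitdefender's report: it parses a simple, constructed syslog-like format for failed logins and flags a source that tries many distinct usernames in a short burst, while leaving a single user who mistypes their password a few times alone. The log format, the sample lines and the thresholds are assumptions for the example.

```python
"""Spot credential-stuffing bursts against a device login service.

Added example; the log format below is an assumption, not a real
device's syslog format, and the sample lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format:
# "<ISO timestamp> login failed service=<svc> src=<ip> user=<name>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login failed service=(?P<svc>\S+) src=(?P<src>\S+) user=(?P<user>\S+)$"
)

# Constructed sample: one host cycles through a Mirai-style name list in
# seconds (stuffing); another host fails three times on one account over
# ten minutes (a person mistyping a password).
SAMPLE_LOG = """\
2020-04-29T10:00:01 login failed service=telnet src=198.51.100.7 user=root
2020-04-29T10:00:02 login failed service=telnet src=198.51.100.7 user=admin
2020-04-29T10:00:02 login failed service=telnet src=198.51.100.7 user=support
2020-04-29T10:00:03 login failed service=telnet src=198.51.100.7 user=user
2020-04-29T10:00:03 login failed service=telnet src=198.51.100.7 user=guest
2020-04-29T10:00:04 login failed service=telnet src=198.51.100.7 user=service
2020-04-29T10:00:05 login failed service=telnet src=198.51.100.7 user=tech
2020-04-29T10:00:06 login failed service=telnet src=198.51.100.7 user=ubnt
2020-04-29T10:05:00 login failed service=ssh src=203.0.113.9 user=alice
2020-04-29T10:07:30 login failed service=ssh src=203.0.113.9 user=alice
2020-04-29T10:09:45 login failed service=ssh src=203.0.113.9 user=alice
"""


def parse_log(text):
    """Parse the assumed format into (timestamp, service, src, user) tuples.

    Lines that do not match are skipped rather than raising, so a mixed
    log file can be fed in unchanged.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["svc"], m["src"], m["user"]))
    return events


def detect_stuffing(events, window=timedelta(seconds=60), min_attempts=6, min_users=4):
    """Return {src_ip: details} for sources that look like credential stuffing.

    A source is flagged when, inside a sliding window of `window`, it
    produces at least `min_attempts` failed logins spread over at least
    `min_users` distinct usernames. Many different names in a short burst
    is the signature of a credential list being replayed; repeated failures
    on one account from one host are not flagged.
    """
    by_src = defaultdict(list)
    for ts, _svc, src, user in events:
        by_src[src].append((ts, user))

    alerts = {}
    for src, items in by_src.items():
        items.sort()
        recent = deque()  # attempts from this source inside the window
        for ts, user in items:
            recent.append((ts, user))
            while recent and ts - recent[0][0] > window:
                recent.popleft()
            users = {u for _, u in recent}
            if len(recent) >= min_attempts and len(users) >= min_users:
                alerts[src] = {
                    "first_seen": recent[0][0].isoformat(),
                    "attempts": len(recent),
                    "distinct_users": len(users),
                }
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for src, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"credential stuffing from {src}: {info}")
```

The check keys on the count of distinct usernames rather than on raw failure volume, because a legitimate user locked out of one account produces many failures on one name, whereas a bot working through a default-credential list touches a new name on almost every attempt. A device that still has its factory login falls on the first matching try, so the successful login following such a burst is the line that matters most for incident response.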
According to Bitdefender, cybercriminals can rent access to dark_nexus and use it to launch DDoS attacks against targets of their choice. DDoS-for-hire has become popular. For example, suppose two online games compete for the same players: the operator of game A may secretly rent DDoS capacity to knock game B offline, and players who cannot reach game B may switch to game A. Most VPS (Virtual Private Server) providers now issue a warning when a virtual server suddenly emits large volumes of network traffic, so renting a handful of VPS instances to run a DDoS attack is neither practical nor anonymous. A botnet of compromised consumer devices such as dark_nexus is therefore an attractive, anonymous weapon for such criminals. Fortunately, this botnet has since collapsed.
Lionic noticed this botnet immediately and checked its own malware collection: so far it holds 328 dark_nexus samples, and the number is still growing. Because Lionic provides cloud-based anti-virus query, all customers subscribed to Lionic's cloud anti-virus service were protected against the dark_nexus malware right away. Within a day, IPS rules blocking dark_nexus infection attempts were developed and verified, and all customers subscribed to Lionic's Intrusion Prevention signatures have been able to block dark_nexus infections since then. Together, the anti-virus and intrusion-prevention features give customers protection on both fronts.
As your network security partner, we keep watching security events around the world. All customers who use Lionic/AegisLab products or signature services are protected against this Dark Nexus threat.