April 29, 2020
The "dark_nexus" bot was named by Bitdefender researchers. This time the malware is not for Windows: it targets IoT devices running embedded Linux, and the bot itself ships as Linux ELF executables. The possible victims are therefore routers (from Dasan Zhone, Dlink, and ASUS), video recorders and similar devices. Embedded Linux systems on 12 different CPU architectures can be infected. The bots inside the victims together form the dark_nexus botnet.
A statement from the researchers:
While it might share some features with previously known IoT botnets, the way some of its modules have been developed makes it significantly more potent and robust. For example, payloads are compiled for 12 different CPU architectures and dynamically delivered based on the victim’s configuration.
"dark_nexus" is inspired by the notorious Qbot and Mirai bots. It uses credential stuffing attacks to break into IoT devices. A credential stuffing attack means trying stolen usernames and passwords against the login of an IoT device. As many people know, large amounts of stolen login usernames and passwords are already circulating from phishing attacks and data breaches. This kind of attack is very efficient because of the bad habit of users reusing the same password across multiple services.
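One way a defender can spot the login behaviour described above on a gateway or router is to look for a burst of failed logins from one source that cycles through several usernames and is then followed by a success. The following script is an added example, not code from Lionic or from the Bitdefender report. The log lines it parses are constructed for the example in a made-up syslog-like format (the "login failed from ... user=..." wording is an assumption, not a real daemon's output), and the addresses come from documentation ranges (203.0.113.0/24, 198.51.100.0/24).

```python
"""Flag credential-stuffing style login bursts in constructed IoT device auth logs."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real captures). The source 203.0.113.5 runs
# through several usernames within seconds and then logs in; 198.51.100.9 fails
# twice, far apart, which looks like an ordinary typo rather than stuffing.
SAMPLE_LOG = """\
Apr 29 10:00:01 gw telnetd[311]: login failed from 203.0.113.5 user=admin
Apr 29 10:00:02 gw telnetd[311]: login failed from 203.0.113.5 user=root
Apr 29 10:00:02 gw telnetd[311]: login failed from 203.0.113.5 user=support
Apr 29 10:00:03 gw telnetd[311]: login failed from 203.0.113.5 user=user
Apr 29 10:00:04 gw telnetd[311]: login failed from 203.0.113.5 user=guest
Apr 29 10:00:05 gw telnetd[311]: login failed from 203.0.113.5 user=admin
Apr 29 10:00:06 gw telnetd[311]: login ok from 203.0.113.5 user=admin
Apr 29 10:05:00 gw telnetd[311]: login failed from 198.51.100.9 user=admin
Apr 29 10:20:00 gw telnetd[311]: login failed from 198.51.100.9 user=admin
Apr 29 10:35:00 gw telnetd[311]: login ok from 198.51.100.9 user=admin
"""

# Hypothetical log format assumed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+: "
    r"login (?P<result>failed|ok) from (?P<src>[\d.]+) user=(?P<user>\S+)$"
)


def parse_log(text, year=2020):
    """Parse the constructed lines into (timestamp, src, user, success) tuples.

    Syslog timestamps carry no year, so the caller supplies one.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a login event; ignore
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["user"], m["result"] == "ok"))
    return events


def detect_stuffing(events, window_s=60, min_failures=5, min_users=3):
    """Return {src: finding} for sources showing a credential-stuffing pattern.

    A finding requires at least `min_failures` failed logins within `window_s`
    seconds that span at least `min_users` distinct usernames. The finding also
    records whether a successful login followed the burst, which is the case
    that needs an immediate credential reset on the device.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        fails = [e for e in evs if not e[3]]
        # Slide a time window over the failures for this source.
        for i in range(len(fails)):
            j = i
            while j < len(fails) and (fails[j][0] - fails[i][0]).total_seconds() <= window_s:
                j += 1
            burst = fails[i:j]
            users = {e[2] for e in burst}
            if len(burst) >= min_failures and len(users) >= min_users:
                success_after = any(e[3] and e[0] >= burst[-1][0] for e in evs)
                findings[src] = {
                    "failures": len(burst),
                    "distinct_users": len(users),
                    "success_after_burst": success_after,
                }
                break  # one finding per source is enough
    return findings


if __name__ == "__main__":
    for src, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

The thresholds are deliberately conservative: a single user mistyping a password a few times never spans several usernames, while a dictionary of default IoT credentials does. A `success_after_burst` of True is the signal to treat the device as compromised, rotate its credentials, and check whether remote telnet/SSH management needed to be exposed at all.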
According to Bitdefender, cybercriminals can rent access to dark_nexus and use it to launch DDoS attacks against victims. DDoS attacks have become popular recently. For example, suppose two online games are in competition. The owner of online game A may secretly rent a DDoS attack against online game B. Since users cannot play online game B while the DDoS attack is under way, they may switch to online game A. Currently most VPS (Virtual Private Server) providers will raise a warning if one of their virtual servers emits a large volume of network traffic, so renting several VPS instances to launch a DDoS attack is not practical for the attacker. The dark_nexus botnet would therefore be a convenient anonymous weapon for cybercriminals. Fortunately, this botnet has collapsed.
Lionic noticed this botnet immediately and checked its own malware collection. So far there are 328 dark_nexus samples, and the count is still growing. Since Lionic provides Cloud-based Query for Anti-Virus, all customers who subscribe to Lionic's cloud anti-virus service were protected from this dark_nexus malware immediately. Within one day, IPS rules to protect against dark_nexus infections were developed and verified, and since then all customers who subscribe to Lionic's Intrusion Prevention signatures have been able to block dark_nexus infections. Customers thus obtain full protection from both the anti-virus and the anti-intrusion features of Lionic.
As your strong network security partner, we keep watching security activity around the world. All customers who use Lionic/AegisLab products or signature services will be safe from this Dark Nexus threat.
About Lionic Corporation
Lionic Corporation is a worldwide provider of innovative Deep Packet Inspection solutions. Lionic's technologies include a complete DPI-based software engine and related management software, which offer Security Solutions that address anti-virus, anti-intrusion and anti-webthreat, and Content Management Solutions that address application identification, device identification, application-based QoS, web content filtering and parental control.
Lionic's security and content management solutions, cloud-based scan services and signature subscription service are already widely deployed around the world. They help service providers, network appliance manufacturers, semiconductor companies and others to enable the next generation of business routers, residential gateways, SD-WAN edges and cloud gateways, advanced firewalls, UTMs, Smart NICs and mobile devices. Products powered by Lionic provide better network management and protect the world's networks from an ever increasing level of security threats.