Experts warn: new Dark_nexus IoT botnet in the wild


Fresh IoT botnet called Dark_nexus spotted on the landscape

Dark_nexus IoT malware

Actively tracked by cybersecurity experts for quite a while, a rapidly growing botnet called Dark_nexus has been brought to light, counting 1,372 bots under its control. Discovered and investigated by the security vendor Bitdefender, the new threat is expected to surpass the infamous Mirai and Qbot.[1] Featuring exceptional traits, Dark_nexus appears to be an extremely powerful IoT botnet[2] that gains access to connected devices such as webcams, workout trackers, digital video recorders and routers using credential stuffing attacks. As Bitdefender explains:

The scanner is implemented as a finite state machine modeling the Telnet protocol and the subsequent infection steps, in which the attacker issues commands adaptively based on the output of the previous command.
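As an added defender-side example (not from the article or from Bitdefender's report), the following Python flags sources whose Telnet login failures fit the credential-stuffing pattern described above: many distinct default username/password pairs from one source in a short window, as opposed to one pair retried repeatedly. The log format, IP addresses and credentials are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed syslog-like format (not from the Bitdefender
# report). Source .7 cycles vendor-default pairs, .9 retries one pair, .44 is a typo.
SAMPLE_LOG = """\
2020-04-08T10:00:01 telnetd: login failed src=203.0.113.7 user=root pass=vizxv
2020-04-08T10:00:02 telnetd: login failed src=203.0.113.7 user=admin pass=admin
2020-04-08T10:00:02 telnetd: login failed src=203.0.113.7 user=root pass=xc3511
2020-04-08T10:00:03 telnetd: login failed src=203.0.113.7 user=support pass=support
2020-04-08T10:03:10 telnetd: login failed src=198.51.100.9 user=admin pass=Summer20
2020-04-08T10:03:20 telnetd: login failed src=198.51.100.9 user=admin pass=Summer20
2020-04-08T10:03:30 telnetd: login failed src=198.51.100.9 user=admin pass=Summer20
2020-04-08T10:03:40 telnetd: login failed src=198.51.100.9 user=admin pass=Summer20
2020-04-08T10:09:00 telnetd: login failed src=192.0.2.44 user=admin pass=wrongpw
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) telnetd: login failed src=(?P<src>\S+) "
                     r"user=(?P<user>\S*) pass=(?P<pw>\S*)$")

def parse_events(text):
    """Parse matching lines into (timestamp, source, (user, pass)); others are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], (m["user"], m["pw"])))
    return events

def find_credential_stuffing(events, window=timedelta(minutes=5),
                             min_failures=4, min_distinct_pairs=3):
    """Map each suspicious source to the most distinct credential pairs it tried in one
    sliding window. Stuffing walks a dictionary of default user/password pairs, so both
    thresholds must hold; one pair retried many times is deliberately not flagged."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide window past old events
                start += 1
            span = evs[start:end + 1]
            pairs = {e[2] for e in span}
            if len(span) >= min_failures and len(pairs) >= min_distinct_pairs:
                flagged[src] = max(flagged.get(src, 0), len(pairs))
    return flagged
```

Tune the window and thresholds to the device's normal failure rate; the distinct-pair requirement is what keeps a forgotten password from being reported as a scanner.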

Copies ideas and features from Qbot and Mirai? Not at all

While the new IoT botnet may raise discussions among experts about its similarity to Mirai[3] and Qbot, its analysis reveals that, despite some general botnet features, the newcomer has been built on an original code base.

According to experts, the newly revealed threat expands the range of potential bots by compiling payloads for 12 different architectures. Moreover, the dark_nexus malware developers have put effort into ensuring full control over the compromised device. It runs a comprehensive analysis of the system's processes and uses a scoring system to blacklist or whitelist them. Any process that could terminate Dark Nexus or prevent the device from being enlisted as a bot is killed immediately.

Cybersecurity experts note that Dark Nexus stands out from the others due to how frequently it is updated. It was updated 30 times between December 2019 and March 2020. At the moment, Dark Nexus versions range from 4.0 to 8.6, it has incorporated 1,372 infected devices into its botnet, and it has “successfully” spread in China, South Korea, Russia, Brazil, and Thailand.

At the moment, Dark Nexus is small compared to Mirai, which had infected over 600,000 vulnerable IoT devices at its peak. However, it is considered to have huge “potential” due to its customized DDoS attack techniques, elaborate persistence mechanism, and other traits. Bogdan Botezatu also expresses concern, since billions of poorly protected IoT devices can be easily compromised:

IoT botnets have serious room to grow, and, if our assumptions on the botnet’s ownership are correct, we expect that Dark Nexus will become a significant botnet in the DDoS-for-hire space in the near future.

Smaller botnets are typically used for spam and phishing email campaigns, while botnets like Mirai and Dark Nexus, built from thousands of devices, are used to launch DDoS attacks against websites and servers.

Although no DDoS attacks launched by dark_nexus have been recorded so far, it is only a matter of time before websites such as Twitter, Facebook or Amazon, or government institutions, come under attack.

Experienced crooks behind the curtain

The Bitdefender research team found a direct connection between the Dark Nexus IoT botnet and greek.Helios, who is already infamous for developing various botnets[4] and other malware and appears to be the author of the new threat. He has been actively selling other DDoS services through various underground channels. Although IT experts have not yet found offers to purchase dark_nexus proxies, that is very likely to happen.

Even though IoT malware is resourceful enough to find ways onto devices, experts strongly recommend changing default administrative credentials and ensuring regular firmware updates. Moreover, users should think carefully before exposing devices that do not require a direct Internet connection, such as cameras or DVRs, to the Internet.