A new botnet has emerged that appears to be even more threatening than Mirai and Qbot. Security researchers at Bitdefender revealed that the new botnet, called Dark_nexus, has features and properties that set it apart from other modern malware botnets.
But what are botnets?
The term "botnet" comes from the words robot and network. A botnet is a network of computers, Internet of Things (IoT) devices and mobile devices that have been infected by malware and are controlled by hackers. Botnets can be used for DDoS attacks, spam email distribution, spreading viruses, data theft and other malicious activities.
Dark_nexus, so named because of the strings in its banner, has some things in common with Mirai and Qbot, but most of its features are original. For example, according to Bitdefender, the way some of its modules were developed makes it far more powerful. Dark_nexus has been active for three months, and three versions have been released so far. Honeypots have also revealed at least 1,372 bots connected to the botnet, most of them located in China, the Republic of Korea, Thailand and Brazil. To compromise a device, the botnet uses credential stuffing and exploits. Two scanning modules are used, one synchronous and one asynchronous, which rely on the Telnet protocol and predefined credential lists to gain access to the targeted device. In addition, the malware attempts to hide its process by renaming itself to /bin/busybox. The botnet has payloads for 12 different CPU architectures, and the one delivered depends on the configuration of the victim's device. It also connects to two command and control (C2) servers and to a report server, which receives reports on vulnerable services, including both IP addresses and port numbers.
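The /bin/busybox renaming described above is a process-name masquerade: the process claims a trusted name while its executable lives somewhere else. The following Python script is an added example of how a defender can check for that on a Linux host; it is not Bitdefender's tooling and not part of the original article. It reads comm, cmdline and the exe link from /proc and flags processes that call themselves busybox but do not run from an allowed busybox path (or whose binary was deleted after launch, a common dropper habit). The ProcInfo records and the sample process list at the bottom are constructed for offline demonstration.

```python
"""Detect processes masquerading as busybox (added example, constructed sample data)."""
import os
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Paths where a genuine busybox binary may live on an embedded system.
# Assumption: adjust for the distro; applet symlinks resolve to one of these.
ALLOWED_BUSYBOX_PATHS = ("/bin/busybox", "/usr/bin/busybox")


@dataclass
class ProcInfo:
    pid: int
    comm: str      # contents of /proc/<pid>/comm (kernel-visible name)
    cmdline: str   # raw /proc/<pid>/cmdline, NUL-separated argv
    exe: str       # target of /proc/<pid>/exe; kernel appends " (deleted)" if unlinked


def claims_busybox(p: ProcInfo) -> bool:
    """True if the process presents itself as busybox via comm or argv[0]."""
    argv0 = p.cmdline.split("\0")[0] if p.cmdline else ""
    return p.comm == "busybox" or os.path.basename(argv0) == "busybox"


def masquerade_reason(p: ProcInfo) -> Optional[str]:
    """Explain why a busybox-looking process is suspicious, or None if it checks out."""
    if not claims_busybox(p):
        return None
    if p.exe.endswith(" (deleted)"):
        return "claims busybox but its binary was deleted after exec"
    if p.exe not in ALLOWED_BUSYBOX_PATHS:
        return f"claims busybox but exe resolves to {p.exe}"
    return None


def find_masquerades(procs: Iterable[ProcInfo]) -> List[Tuple[int, str]]:
    """Return (pid, reason) for every process that fails the masquerade check."""
    hits = []
    for p in procs:
        reason = masquerade_reason(p)
        if reason:
            hits.append((p.pid, reason))
    return hits


def read_proc(pid: int) -> ProcInfo:
    """Build a ProcInfo from a live /proc entry (needs root to readlink foreign exe links)."""
    base = f"/proc/{pid}"
    with open(f"{base}/comm") as f:
        comm = f.read().strip()
    with open(f"{base}/cmdline", "rb") as f:
        cmdline = f.read().decode(errors="replace")
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:
        exe = "?"
    return ProcInfo(pid, comm, cmdline, exe)


def scan_live() -> List[Tuple[int, str]]:
    """Scan every numeric /proc entry on the running host."""
    procs = []
    for name in os.listdir("/proc"):
        if name.isdigit():
            try:
                procs.append(read_proc(int(name)))
            except OSError:
                continue  # process exited or permission denied
    return find_masquerades(procs)


# Constructed sample records standing in for /proc on an IoT device.
SAMPLE_PROCS = [
    ProcInfo(101, "busybox", "/bin/busybox\0sh\0", "/bin/busybox"),          # legitimate
    ProcInfo(202, "busybox", "/bin/busybox\0", "/tmp/.x/payload.arm7"),     # renamed bot
    ProcInfo(303, "busybox", "/bin/busybox\0", "/tmp/dn (deleted)"),        # self-deleted bot
    ProcInfo(404, "sshd", "/usr/sbin/sshd\0-D\0", "/usr/sbin/sshd"),        # unrelated
]

if __name__ == "__main__":
    for pid, reason in find_masquerades(SAMPLE_PROCS):
        print(f"pid {pid}: {reason}")
```

The exe link is the authoritative signal because the kernel resolves it to the mapped binary regardless of what argv[0] or comm say; a bot can rename itself, but it cannot change where its image was loaded from without re-executing.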
The attacks carried out by this botnet are generally commonplace, with one exception: the browser_http_req command. Bitdefender points out that this element is "extremely complex and configurable" and "tries to disguise the traffic, presenting it as harmless traffic that could have been generated by a browser". Another interesting feature is the attempt to prevent a device from restarting: the cron service is tampered with and stopped, and the functions normally used to restart the device can no longer be executed. It is worth noting that the botnet's developer is presumed to be Greek. Finally, the researchers found SOCKS5 proxies in some variants of the malware, a feature also seen in botnets such as Mirai, TheMoon and Gwmndy. The researchers are still tracking the botnet's evolution.
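Because browser_http_req shapes each request to look like a browser's, filtering on User-Agent strings will not separate the flood from real visitors; what remains distinctive is the request rate per source. The Python below is an added example (not from the article or from Bitdefender) of a sliding-window rate check over web-server access logs in combined log format. The log lines, IP addresses and User-Agent string are constructed for the demonstration; the window size and threshold are assumptions to tune per site.

```python
"""Sliding-window request-rate detector for browser-looking HTTP floods (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, Optional, Tuple

# Apache/nginx "combined" log format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> Optional[Tuple[str, datetime, str, str]]:
    """Return (ip, timestamp, request, user_agent) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["req"], m["ua"]


def find_floods(lines: Iterable[str], window_s: int = 10, threshold: int = 30) -> Dict[str, int]:
    """Map each source IP that exceeds `threshold` requests within any `window_s`
    seconds to the peak number of requests seen in such a window.
    Lines must be in chronological order, as a live log is."""
    windows: Dict[str, deque] = defaultdict(deque)
    peaks: Dict[str, int] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, _, _ = rec
        dq = windows[ip]
        dq.append(ts)
        # Drop timestamps that have fallen out of the window.
        while (ts - dq[0]).total_seconds() > window_s:
            dq.popleft()
        if len(dq) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(dq))
    return peaks


# ---- constructed sample log ----------------------------------------------------
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/80.0 Safari/537.36")  # constructed UA string
BASE = datetime(2020, 4, 9, 12, 0, 0, tzinfo=timezone.utc)


def make_line(ip: str, offset_s: float, path: str = "/") -> str:
    """Build one combined-format log line `offset_s` seconds after BASE."""
    ts = (BASE + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "{BROWSER_UA}"'


SAMPLE_LOG = (
    [make_line("203.0.113.7", i * 0.2) for i in range(60)]   # 60 requests in 12 s: flood
    + [make_line("198.51.100.4", i * 4) for i in range(5)]  # 5 requests in 20 s: normal
)

if __name__ == "__main__":
    for ip, peak in find_floods(SAMPLE_LOG).items():
        print(f"{ip}: peak {peak} requests in a 10 s window")
```

Every line in the sample carries the same plausible browser User-Agent, so the two sources are indistinguishable by header; only the per-source rate separates them. In production the same logic would run over a tailed log and feed a blocklist or rate limiter rather than print.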