Dark_nexus Botnet

Posted: April 8, 2020

Dark_nexus Botnet Description

The Dark_nexus Botnet is a decentralized network of Trojans that compromise Linux IoT devices. Its payload can conduct typical botnet attacks, such as DDoSing servers, but also has some sophisticated and aggressive features, such as auto-terminating other programs' processes. Users should check devices for vulnerable passwords that might lead to an attack, and reset their devices or remove Dark_nexus Botnet's Trojans through anti-malware utilities as necessary.

Another Nexus of Trojan Problems, Old and New Alike

The DDoS-hawking threat actors going by the alias greek.Helios are stepping up their game in the always-evolving threat landscape. The criminals' latest creation is a thousand-victim-strong botnet, the Dark_nexus Botnet, which builds itself from infected Linux devices. While the Internet-of-Things-hijacking Trojan carries mostly standard attacks, it also makes threatening and surprisingly invasive additions to relatively ancient code.

The Dark_nexus Botnet includes elements of both the Mirai Botnet (such as in its choices of ports for network communications) and Qbot (AKA Bashlite and Gafgyt), and uses some of the latter's startup routine. The Trojan conceals itself as a component of the BusyBox software suite while it loads attacks like Distributed-Denial-of-Service floods or cryptocurrency mining. Although these aspects of the Dark_nexus Botnet aren't unusual, malware researchers also see other settings that suggest the Trojan is tailored to particular operating environments.

The Dark_nexus Botnet uses a whitelist of processes it considers 'safe' to keep running and auto-terminates all others. Besides blocking numerous programs in this fashion, the Dark_nexus Botnet also has a highly configurable feature that mimics browser traffic, modifies executables to strip their permissions, and forcibly blocks any attempted reboots. These features are high-visibility issues that would make the infection noticeable immediately under many circumstances, but, on an IoT device without active monitoring, they provide the perfect 'zombie host' for the Trojan.

Keeping Your Devices in the Light

The Dark_nexus Botnet is a threat to most Linux devices, with an active developmental update schedule and architectural forks for a dozen CPU types. It uses two separate modules for spreading itself onto vulnerable IoT systems via Telnet, brute-forcing passwords with a pre-generated credentials list. Passwords that are defaults for a particular brand, or well-known 'standards' like 'admin123,' are in substantial danger of unintentionally facilitating the Dark_nexus Botnet's recruitment strategy. Malware experts also confirm a distinct geographical emphasis in the Dark_nexus Botnet's spread, including Asian countries like Thailand, South Korea and China. Brazil is a significant outlier in this pattern.
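The Telnet brute-forcing described above leaves a recognisable trace on the target: a burst of failed logins from one source, often followed by a success once a default or weak password matches. The following detector is an added example written for this page, not code from the write-up or from the botnet; it runs over constructed log lines whose format is modelled on the `FAILED LOGIN ... from '<ip>' FOR '<user>'` and `LOGIN ON ... BY <user> FROM <ip>` messages the Linux `login` program emits via syslog (an assumption; real devices and firmware vary, so the two regexes are the part to adapt). It flags a source that exceeds a failure threshold inside a sliding window, and separately flags any successful login that follows recent failures from the same source, which is the signal that a credential in the botnet's list worked.

```python
"""Detect Telnet brute-force bursts and guessed-password logins in auth logs.

Added illustration; not the page's or the botnet's code. Log format is an
assumption modelled on Linux `login` syslog messages.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (hostnames, IPs and timestamps invented for this example).
SAMPLE_LOG = """\
Apr  8 10:00:01 iotcam login[812]: FAILED LOGIN (1) on '/dev/pts/0' from '203.0.113.9' FOR 'root', Authentication failure
Apr  8 10:00:02 iotcam login[812]: FAILED LOGIN (2) on '/dev/pts/0' from '203.0.113.9' FOR 'admin', Authentication failure
Apr  8 10:00:03 iotcam login[815]: FAILED LOGIN (1) on '/dev/pts/1' from '203.0.113.9' FOR 'admin', Authentication failure
Apr  8 10:00:04 iotcam login[815]: FAILED LOGIN (2) on '/dev/pts/1' from '203.0.113.9' FOR 'support', Authentication failure
Apr  8 10:00:05 iotcam login[819]: FAILED LOGIN (1) on '/dev/pts/2' from '203.0.113.9' FOR 'root', Authentication failure
Apr  8 10:00:06 iotcam login[819]: LOGIN ON /dev/pts/2 BY root FROM 203.0.113.9
Apr  8 10:09:30 iotcam login[901]: FAILED LOGIN (1) on '/dev/pts/0' from '198.51.100.7' FOR 'admin', Authentication failure
Apr  8 10:40:00 iotcam login[950]: LOGIN ON /dev/pts/0 BY admin FROM 198.51.100.7
"""

TS = r"(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})"
# Assumed message shapes; adjust to the device's actual telnetd/login logging.
FAIL_RE = re.compile(
    TS + r" \S+ login\[\d+\]: FAILED LOGIN \(\d+\) on '[^']*' from '(?P<ip>[^']+)' FOR '(?P<user>[^']*)'"
)
OK_RE = re.compile(TS + r" \S+ login\[\d+\]: LOGIN ON \S+ BY (?P<user>\S+) FROM (?P<ip>\S+)$")


def parse_ts(text):
    """Syslog timestamps carry no year; a fixed year is fine for ordering within one log."""
    return datetime.strptime(text, "%b %d %H:%M:%S")


def analyze(log_text, threshold=5, window_s=60):
    """Return findings: one 'brute_force' per source that reaches `threshold`
    failures within `window_s` seconds, and one 'success_after_failures' for each
    successful login preceded by failures from the same source inside the window."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    flagged = set()
    findings = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts, ip = parse_ts(m["ts"]), m["ip"]
            q = failures[ip]
            q.append(ts)
            # Drop failures that have aged out of the sliding window.
            while q and (ts - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                findings.append({"type": "brute_force", "ip": ip, "failures": len(q), "at": ts})
            continue
        m = OK_RE.match(line)
        if m:
            ts, ip = parse_ts(m["ts"]), m["ip"]
            recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_s]
            if recent:
                findings.append({"type": "success_after_failures", "ip": ip,
                                 "user": m["user"], "failures": len(recent), "at": ts})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['at']:%b %d %H:%M:%S} {f['type']:24} {f['ip']:15} failures={f['failures']}")
```

On the sample, the first source trips the threshold on its fifth failure and then logs in as `root` one second later, which produces both findings; the second source's single failure is half an hour before its success and falls outside the window, so it is left alone. The window and threshold are deliberately small to match how quickly a credential list is replayed over Telnet; raise them for devices with noisy legitimate logins.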

Disabling network connectivity as soon as possible is a worthwhile pursuit when dealing with possible botnet infections, and is also helpful against backdoor Trojans and RATs. Owners and admins of Linux devices should remember the adaptability of some aspects of the Dark_nexus Botnet's feature set and stay open-minded about security risks not explicitly described here. The botnet's authors are well-known sellers of DDoSing services and related software and may hire the Dark_nexus Botnet out to a third-party threat actor.

Anti-malware and anti-adware support for Linux is not as in-depth as for other OSes like Windows. However, Linux does have vendors providing cyber-security suites as necessary for removing the Dark_nexus Botnet's Trojans or monitoring threatening network traffic.

The Dark_nexus Botnet is a highly-competent retooling of two Trojans into an even worse one that has original features worth concern. Whether it makes money for its author or someone else who's hiring it, this network is already a thousand strong and growing stronger daily.
