
Dark_nexus Botnet

Posted: April 8, 2020

The Dark_nexus Botnet is a network of Trojan-infected Linux IoT devices. Its payload can conduct typical botnet attacks, such as DDoS floods against servers, but it also has some sophisticated and aggressive features, such as terminating other programs' processes. Users should check their devices for weak or default passwords that could let the Trojan in, and reset compromised devices or remove the Dark_nexus Botnet's Trojans with anti-malware utilities as necessary.

Another Nexus of Trojan Problems, Old and New Alike

The DDoS-for-hire threat actor going by the alias greek.Helios is stepping up their game in the always-evolving threat landscape. The criminals' latest creation is a botnet over a thousand devices strong, the Dark_nexus Botnet, which builds itself out of infected Linux devices. While the Internet-of-Things-hijacking Trojan mostly uses standard attacks, it also makes threatening and surprisingly invasive additions to relatively old code.

The Dark_nexus Botnet includes elements of both the Mirai Botnet (such as its choice of ports for network communications) and Qbot (AKA Bashlite and Gafgyt), and it reuses part of the latter's startup routine. The Trojan disguises its process as a component of the BusyBox software suite while it carries out attacks such as Distributed-Denial-of-Service floods or cryptocurrency mining. Although these aspects of the Dark_nexus Botnet aren't unusual, malware researchers also see other settings that suggest the authors had specific operating environments in mind.

The Dark_nexus Botnet keeps a whitelist of processes that it considers 'safe' and terminates any running process that is not on that list. Besides killing numerous programs in this fashion, the Dark_nexus Botnet also includes a highly configurable attack that mimics browser-generated traffic, strips execute permissions from other executables, and forcibly blocks any attempted reboot. These are high-visibility behaviors that would make the infection noticeable immediately under many circumstances, but an IoT device without active monitoring provides the perfect 'zombie host' for the Trojan.
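As an added example (not dark_nexus code or any vendor's tool), the following Python audit looks for what the behaviors above would leave behind on a device: a process calling itself busybox that runs from somewhere other than the genuine busybox binary, and reboot-related binaries stripped of their execute bits. The paths in GENUINE_BUSYBOX and REBOOT_BINARIES are assumptions to adjust for the device at hand, and the check runs against a snapshot so it can be exercised on constructed data as well as on a live /proc.

```python
"""Host-side audit for the behaviours described above.

Added example, not dark_nexus code. The detection rules are this example's own
assumptions about what the Trojan leaves behind: a busybox impostor process and
reboot-related binaries with their execute bits removed.
"""
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    comm: str   # process name as shown by ps (from /proc/<pid>/comm)
    exe: str    # resolved /proc/<pid>/exe target, "" when unreadable


# Assumed locations of the genuine busybox binary on the device.
GENUINE_BUSYBOX = frozenset({"/bin/busybox", "/usr/bin/busybox"})
# Assumed set of binaries a reboot depends on; the page says the Trojan blocks
# reboots and strips execute permissions, so these are the files worth checking.
REBOOT_BINARIES = ("/sbin/reboot", "/sbin/shutdown", "/sbin/init", "/usr/sbin/crond")


def busybox_impostors(procs):
    """Processes that call themselves busybox but were not started from it."""
    return [p for p in procs
            if "busybox" in p.comm.lower() and p.exe and p.exe not in GENUINE_BUSYBOX]


def binaries_without_exec(modes):
    """modes maps path -> st_mode. Returns regular files with no execute bit at all."""
    exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    return [path for path, mode in modes.items()
            if stat.S_ISREG(mode) and not (mode & exec_bits)]


def snapshot_procs():
    """Build Proc records from /proc on a live Linux host (root sees every exe link)."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            try:
                exe = os.readlink(f"/proc/{pid}/exe")
            except OSError:
                exe = ""          # kernel thread, or not permitted to read
            procs.append(Proc(int(pid), comm, exe))
        except OSError:
            continue              # process exited while we were reading it
    return procs


def snapshot_modes(paths=REBOOT_BINARIES):
    """st_mode of each path that exists; missing files are simply skipped."""
    modes = {}
    for path in paths:
        try:
            modes[path] = os.stat(path).st_mode
        except FileNotFoundError:
            pass
    return modes


def audit(procs, modes):
    """Return human-readable findings; an empty list means nothing matched."""
    findings = []
    for p in busybox_impostors(procs):
        findings.append(f"pid {p.pid}: '{p.comm}' runs from {p.exe}, not a known busybox path")
    for path in binaries_without_exec(modes):
        findings.append(f"{path}: execute permission removed")
    return findings


if __name__ == "__main__":
    for line in audit(snapshot_procs(), snapshot_modes()):
        print(line)
```

On a device the Trojan is not resident on, audit() should print nothing; a busybox process with an unexpected exe path, or a reboot binary that has lost its execute bit, is worth taking offline and examining. Note that the impostor check depends on readlink of /proc/<pid>/exe, which only root can do for processes owned by other users.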

Keeping Your Devices in the Light

The Dark_nexus Botnet is a threat to most Linux devices, with an active update schedule and builds for a dozen CPU architectures. It uses two separate propagation modules that spread it onto vulnerable IoT systems over Telnet by brute-forcing logins with a pre-generated credentials list. Passwords that are the defaults for a particular brand, or well-known 'standards' like 'admin123,' are in substantial danger of unintentionally aiding the Dark_nexus Botnet's recruitment. Malware experts also confirm a distinct geographical emphasis in the Dark_nexus Botnet's spread, including Asian countries like Thailand, South Korea and China, with Brazil as a significant outlier in this pattern.
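The Telnet exchange such a propagation module drives, turned into the check a device owner wants, as an added example that is not dark_nexus code: try_telnet_login() walks the login and password prompts and reports whether a shell prompt comes back, and audit_default_credentials() runs a credential list against one host. The credential list is a constructed sample of the factory-default pairs such lists contain, and start_fake_telnet() is a constructed in-process stand-in for an IoT telnet daemon so the exchange can be run offline; point the audit at a device you own to see whether any listed pair logs in.

```python
"""Telnet default-credential check. Added example, not dark_nexus code."""
import socket
import threading

# Constructed sample; real lists run to hundreds of brand-specific defaults.
DEFAULT_CREDENTIALS = [
    ("root", "root"), ("admin", "admin"), ("admin", "admin123"),
    ("admin", "password"), ("root", "12345"), ("user", "user"),
]
LOGIN_PROMPTS = (b"login:", b"Login:", b"sername:")
PASSWORD_PROMPTS = (b"assword:",)
SHELL_PROMPTS = (b"# ", b"$ ", b"> ")
FAILURE_WORDS = (b"incorrect", b"failed", b"denied")


def _recv_until(sock, markers, timeout):
    """Read until any marker appears; None on timeout or if the peer closes first.
    Telnet IAC negotiation bytes (0xFF ...) are left in the buffer: substring
    matching tolerates them, though a production scanner should answer them."""
    sock.settimeout(timeout)
    buf = b""
    while not any(m in buf for m in markers):
        try:
            chunk = sock.recv(1024)
        except OSError:
            return None
        if not chunk:
            return None
        buf += chunk
    return buf


def try_telnet_login(host, port, user, password, timeout=3.0):
    """Drive the login/password exchange; True only if a shell prompt comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if _recv_until(s, LOGIN_PROMPTS, timeout) is None:
                return False
            s.sendall(user.encode() + b"\r\n")
            if _recv_until(s, PASSWORD_PROMPTS, timeout) is None:
                return False
            s.sendall(password.encode() + b"\r\n")
            reply = _recv_until(s, SHELL_PROMPTS + FAILURE_WORDS, timeout)
    except OSError:
        return False            # refused, unreachable, or reset mid-exchange
    if reply is None:
        return False
    low = reply.lower()
    return any(p in reply for p in SHELL_PROMPTS) and not any(f in low for f in FAILURE_WORDS)


def audit_default_credentials(host, port, credentials=DEFAULT_CREDENTIALS):
    """Every (user, password) pair from the list that logs in; [] is the good answer."""
    return [(u, p) for u, p in credentials if try_telnet_login(host, port, u, p)]


def _readline(conn):
    buf = b""
    while b"\n" not in buf:
        chunk = conn.recv(256)
        if not chunk:
            break
        buf += chunk
    return buf.split(b"\n", 1)[0].decode(errors="replace").strip()


def start_fake_telnet(valid_user, valid_password):
    """Constructed stand-in for an IoT telnet daemon; returns (port, listening socket)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def handle(conn):
        with conn:
            conn.sendall(b"login: ")
            user = _readline(conn)
            conn.sendall(b"Password: ")
            pw = _readline(conn)
            if (user, pw) == (valid_user, valid_password):
                conn.sendall(b"\r\nBusyBox built-in shell (ash)\r\n# ")
            else:
                conn.sendall(b"\r\nLogin incorrect\r\n")

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return          # listening socket was closed
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


if __name__ == "__main__":
    port, srv = start_fake_telnet("admin", "admin123")   # a device left on its default
    print(audit_default_credentials("127.0.0.1", port))  # [('admin', 'admin123')]
    srv.close()
```

Run the audit only against hosts you are authorized to test, and expect real devices to lock out or delay after a few failures, which is exactly the behavior that slows a brute-forcing bot down. A device that answers with a shell prompt for any entry in the list should have its credentials changed, or Telnet disabled entirely, before it is exposed to the network.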

Disabling network connectivity as soon as possible is a worthwhile step when dealing with a possible botnet infection, and it also helps against backdoor Trojans and RATs. Owners and admins of Linux devices should remember how adaptable parts of the Dark_nexus Botnet's feature set are and stay open-minded about security risks not explicitly described here. The botnet's authors are well-known sellers of DDoS services and related software and may hire the Dark_nexus Botnet out to third-party threat actors.

Anti-malware and anti-adware support for Linux is not as in-depth as for other OSes like Windows. However, Linux does have vendors providing cyber-security suites that can remove the Dark_nexus Botnet's Trojans or monitor for threatening network traffic as necessary.

The Dark_nexus Botnet is a highly competent retooling of two Trojans into an even worse one, with original features worth concern. Whether it makes money for its author or for someone hiring it, this network is already over a thousand devices strong and growing daily.
