Bitdefender researchers have found a new IoT botnet, named "dark_nexus" after a string it prints in its banner.
DDoS disguises traffic as browser-generated traffic
According to the whitepaper released by Bitdefender, Dark Nexus uses a DDoS tactic that disguises its attack traffic as innocuous browser-generated traffic. Dark Nexus also uses Telnet credential stuffing and exploits to compromise a long list of router models, and most of the compromised IoT devices are based in Korea. The code is compiled for 12 different CPU architectures and has dynamic downloader injection. Bitdefender also noted:
“Interestingly, dark_nexus seems to have been developed by a known botnet author who has been selling DDoS services and botnet code for years. Using YouTube videos demoing some of his past work and posting offerings on various cybercriminal forums, greek.Helios seems to have experience with IoT malware skills, honing them to the point of developing the new dark_nexus botnet.”