Dark Nexus IoT Botnet: Analyzing and Detecting its Network Activity

Dark Nexus IoT Botnet: Analyzing and Detecting its Network Activity

The massive presence of unprotected IoT devices is providing many opportunities for malicious threat actors. Most of these devices are plug-and-play and do not require any kind of configuration, making security optional.

In fact, manufacturers ship the devices with default passwords that are publicly known, providing easy access to the configuration panel for new users. If such passwords are not replaced with new, strong ones, they provide the first entry vector used by attackers.

Attackers who compromise a high number of IoT devices usually create botnets to trigger DDoS (distributed denial-of-service) attacks with the goal of disabling systems for hacktivism or financial gain.

Our team of security researchers at Nozomi Networks Labs analyzed several variants of the IoT botnet dubbed Dark Nexus. It is a new IoT botnet that has come to prominence in the last few months and its capabilities have been thoroughly discussed by Bitdefender researchers. [1]

We analyzed its network behavior, which we describe in this post, and provide a detection signature to help protect IoT, OT and IT networks.

IoT Botnet Dark Nexus: Three Categories of Network Activity

The Dark Nexus bot leaves a hefty network trail that can be broadly divided into three categories:

  • C&C (command and control) communication
  • Self-propagation
  • DDoS attacks

Though self-propagation and DDoS attacks could be a single category, their final goals are very different, so we prefer to analyze them separately. To properly commandeer the bot in our lab, we wrote a replacement for the C&C server that allowed us to trigger network activity in a controlled manner.

While the bot carefully analyzes the system it is executing in, and kills suspicious processes that might hinder its activities, the most delicate section remains the network parsing code. This is a critical feature for a botnet, since a bug in this area might lead to catastrophic consequences for the threat actor. The botnet itself could become vulnerable to DDos attacks or be completely taken over by a different hacking group.

We analyzed each of the three categories of Dark Nexus’ activity.

C&C Communication Aims to Download Latest Version

Once a device is infected, it performs a GET request to retrieve its IP:

New vector

In the example shown above, the 6.6 version of the malicious binary was executed with argv[1] set to “new_vector”, running on an ARM7 CPU. A question mark character is sent if no arguments are provided. The binary randomly chose port 52750 to run its reverse proxy and port 50999 to run a SOCKS proxy.

The following Snort rule can be used by everyone in the security community to detect such traffic:

<div style="padding: 40px; background-color: #efefef; width: 100%; overflow-wrap: anywhere; font-family: Courier New;" class="code-snippet”>

Furthermore, the binary tries to download new versions of itself for all available architectures to ensure execution of its latest code.

First phase of Dark Nexus
In the first phase of Dark Nexus, the bot communicates with a C&C server and attempts to download and run its latest version.  Nozomi Networks Labs has released a free Snort Rule to detect this network activity.

Self-propagation Using Telnet, Port 23 and Random IPs

Telnet brute-forcing is a typical method of propagation among IoT botnets. Dark Nexus uses the get_random_ip function to generate random IPs, making sure to avoid certain IP ranges (invalid, localhost, certain companies). The function is very similar to the get_random_ip function found in leaked Mirai source code. [2]

A SYN packet is then sent to the random IP with a destination port of 23. If the telnet service happens to be running and is reachable, a list of stored credentials is used to attempt to login successfully. Most of the stored credentials have been taken from public sources, such as the leaked Mirai source code, but there’s evidence that the author is adding new credentials from one version to another.

From a blue team perspective, the telnet scan capability, as simple as it is, underlines the need to avoid full internet exposure for devices that don’t strictly require it.

Dark Nexus self-propagates
Dark Nexus self-propagates by sending Telnet SYN scan traffic to port 23 of random IP addresses.
gen_random_ip from dark_nexus decompiled
gen_random_ip from dark_nexus decompiled is shown on the left and gen_random_ip from leaked Mirai source code on the right.

DDoS Attacks Use Multiple Functions and Generate Network Traffic

The versions of the malware we examined contained the following attack functions:

  • attack_udp_simple
  • attack_tcp_raw
  • attack_http
  • browser_http_req
  • attack_udpmop
  • attack_udp_plain
  • attack_tcp
  • attack_ovh
Example of decompiled Dark Nexus start_attack code.
Example of decompiled Dark Nexus start_attack code.

Analysis of the parse_packet function, which is responsible for parsing attack commands received from C&C, resulted in the following message sent from our emulated C&C to the infected host to trigger attack_udp_simple.

Example of traffic produced by the attack_udp_simple function.
Example of traffic produced by the attack_udp_simple function.

For the attack_http method, we had to change the attack_id in the C&C message. As shown below, the HTTP headers were randomized for every request.

Example of Dark Nexus attack_http network traffic
Example of Dark Nexus attack_http network traffic.

Securing IoT Devices Requires Safe Visibility

IoT devices have specific peculiarities, such as limited processing power, that make them difficult to monitor. Resource-intensive agents, for example, can cripple their functionality. For this reason, once infected with a bot like Dark Nexus, an IoT device might require a firmware update that restores it to a clean slate in order to function properly.

To secure and properly manage your network, one of the first requirements is to have visibility of all your IoT devices.

There are technologies that automate asset identification in a way that ensures the availability of sensitive IoT assets. Our own product Guardian, for example, uses passive network traffic analysis to identify IoT devices and provide detailed information about each one. It works with our Threat Intelligence service to protect IoT and OT networks from threats such as Dark Nexus.


  1. Bitdefender.com: New dark_nexus IoT Botnet Puts Others to Shame
  2. GitHub.com: jgamblin/Mirai-Source-Code