{
	"id": "f8ad95d0-3b4c-4127-9bfa-a927eb144f48",
	"created_at": "2026-04-10T03:21:00.724746Z",
	"updated_at": "2026-04-10T03:22:19.06675Z",
	"deleted_at": null,
	"sha1_hash": "e2add0d2151782d34a3c1c89504739dcfb50a2b1",
	"title": "Dark Nexus: the old, the new and the ugly — Stratosphere Laboratory",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 486513,
	"plain_text": "Dark Nexus: the old, the new and the ugly — Stratosphere Laboratory\r\nPublished: 2020-06-08 · Archived: 2026-04-10 02:25:40 UTC\r\nIn this blog post we focus on an ARM7 Dark Nexus sample [1] of version v5 of this malware, to highlight its functionality, both old and new, and to explore its more invasive (or ugly) and innovative techniques. The sample is statically linked but not stripped, which makes it easy to reverse and analyze.\r\nDark Nexus is an IoT botnet found by Bitdefender at the end of 2019 and beginning of 2020 [2]. According to their findings, the botnet had approximately 1,300 bots and was very prominent in Asia. Along with a white paper the company also released a list of 327 sample hashes related to this bot [3]. Of these, 231 sample files were actually found on VirusTotal; the original post breaks them down by binary architecture.\r\nThe Old\r\nPart of its code is based on Mirai. By comparing this unstripped sample to the Mirai codebase [5] we can see what was reused:\r\nstatic ipv4_t get_random_ip(void)\r\nvoid attack_udp_plain(uint8_t targs_len, struct attack_target *targs, uint8_t opts_len, struct attack_option *opts)\r\nBOOL killer_kill_by_port(port_t port)\r\nuint16_t checksum_generic(uint16_t *addr, uint32_t count)\r\nuint16_t checksum_tcpudp(struct iphdr *iph, void *buff, uint16_t data_len, int len)\r\nvoid resolv_entries_free(struct resolv_entries *entries)\r\nstruct resolv_entries *resolv_lookup(char *domain)\r\nThese functions were copied verbatim from the original Mirai source code; the matches were found by comparing the function symbols in the source code with those in the binary sample. Other functions (e.g. rand_port, retrieve_c2_server or attack_tcp_raw) are based on original Mirai functions but modified to fit the author's needs.\r\nThe downside of reusing Mirai's codebase is that some of the favorable aspects of its code are often ignored. That is the case of the encrypted data table, which is in charge of converting encrypted or obfuscated strings and data back to their normal state, be it integers or strings. Dark Nexus, on the other hand, keeps passwords, usernames, command-and-control endpoints and so on in plain text. For example, the function retrieve_c2_server (Mirai's resolve_cnc_addr) was adapted to resolve more than one C\u0026C address, and these addresses are in plain text in the main function of the bot (Figure 1).\r\nFigure 1. Hardcoded C\u0026C list populated to be used later by the bot.\r\nAnother old method still used by this malware, and by many others, is Telnet brute forcing as a means of growing the botnet. Insecure Telnet services are nothing new among IoT malware, and attacking them remains effective today because devices with weak credentials are still reachable from the Internet. Dark Nexus does this by calling spreader_init to populate its username/password structures and then init_syn_bruter. The latter starts the attack against Telnet services across the Internet and tries to infect as many devices as possible of these CPU architectures:\r\n1. arm\r\n2. rce\r\n3. sh4\r\n4. arc\r\n5. ppc\r\n6. mk68\r\n7. spc\r\n8. x86\r\n9. i586\r\n10. mpsl / mips\r\nFigure 2. Hardcoded domain name and IP address in the init_syn_bruter function.\r\nFigure 3. The malware spreads to multiple architectures to have a wider range of infection.\r\n
The New\r\nDark Nexus presents new techniques as well. Here we mention two that we consider interesting to show and describe: the reverse proxy and the killer functions. Both have been seen in other malware, but here they have a twist that is worth mentioning.\r\nReverse Proxy\r\nOne technique employed by this malware is reverse proxying requests so that it is always able to deliver the malware to new infections. It does this by first identifying who executed the malware, saving the IP address and port passed on the command line at execution time (Figure 4). After this, the function init_reverse_proxy is called. This function is an improvement over common IoT malware, giving autonomy and self-reliance to the bots. It starts by forking and connecting to the C\u0026C servers to download the binaries for each supported architecture. If the malware is not able to connect to any C\u0026C server, it reaches out instead to the IP address and port registered at execution (Figure 4) to fetch them. Once armed with the multiple bot variants, it listens on a random port for GET requests and serves its binaries, acting as a pseudo-HTTP server (Figure 5).\r\nFigure 4. IP address and port reported by the bot that infected and ran the malware sample. This is later used as a replacement for its C\u0026Cs if needed.\r\nFigure 5. The User-Agent used by the malware is hoho_fastflux/v5. The string “hoho” is used throughout this malware.\r\nKiller\r\nThe idea of a killer comes straight from its Mirai codebase. The purpose of the killer is to block ports used by services like SSH and Telnet, to avoid further intrusion by other malware or operators. It also kills any previous intruder in order to take full control of the device.\r\nThe killer is initialized by Dark Nexus in the killer function by forking into another process while saving its own process ID (PID) in a variable called lockdown_pid, which is discussed later. After that it creates a structure called suspect_list that keeps track of the processes being analyzed and judged by the malware (Figure 6). This structure holds the PID of the process under analysis and a “weight”, the attribute that decides whether the process is a threat to the bot and needs to be terminated. The function killer_run is then called; it reads all the process IDs from the /proc directory and weighs the threat of each PID by:\r\n1) Reading the /proc/PID/exe link and checking whether the process's executable still exists on the filesystem. If it was deleted, the link target ends in \"(deleted)\"; add +100 weight.\r\n2) Resolving the real path of /proc/PID/exe with readlink. If the binary runs from one of these paths to kill, add +90 weight:\r\n/tmp/\r\n/var/\r\n/dev/\r\n/var/tmp/\r\n/var/run/\r\n/\r\nThe paths-to-kill list is hardcoded in the binary.\r\n3) Opening the directory /proc/PID/fd to read the list of open files. If the list has more than 250 entries, add +10 weight.\r\n4) Opening /proc/PID/cmdline to read the command line of the process. If it starts with \"./\", add +10 weight.\r\n5) Opening /proc/PID/status and checking whether it contains the string \"Groups:\\t0\". If it does, add +50 weight.\r\n6) Opening the process's binary through /proc/PID/exe and reading its strings. If \".dynamic\" is not found, meaning the binary is possibly static, add +50 weight. If the string \"UPX\" is found, add +90 weight, as the binary may also be packed.\r\nAt the end of this process the malware checks the suspect list and, if the weight is above 99 points, kills the process as it poses a threat to the bot (Figure 7).\r\nFigure 6. The killer function (and process) is initialized along with the structure in charge of keeping track of the processes being analyzed.\r\nFigure 7. The bot repeatedly checks the weight of every process and calls kill() to terminate whichever it finds threatening to its functioning.\r\n
The Ugly\r\nThe final purpose of IoT malware is the complete takeover of the device and persistence without intervention. Or digital intervention at least, as in most cases you can always just pull the plug. Dark Nexus has a set of functions that ensure no intervention can stop the bot from doing its botmaster's work.\r\nPersistence\r\nFor persistence, Dark Nexus chooses to disable every way for an intruder or a legitimate user to restore the device's normal behaviour, by limiting the execution of system commands (Figure 8). It does this by changing the file permissions to 0, removing the read and execute permissions so the commands cannot be used (Figure 9).\r\nThe bot also flushes the iptables (firewall) rules and stops the “crond” daemon, which is in charge of executing scheduled commands on the system. To ensure correct functioning when scanning for victims, and also when reading process IDs in the killer function, the bot sets the limit of open file descriptors to 0x1000 (4096 in decimal).\r\nFigure 8. Methods used by the bot to impede the system from being restored.\r\nFigure 9. The bot removes all permissions on specific executables so no restoration of the device is possible.\r\nOne interesting side note on this section is that, on BusyBox-based systems [4], all those binaries are symbolic links to /bin/busybox, meaning that when the bot changes the permissions of any of them it ultimately changes the permissions of /bin/busybox itself (chmod follows symbolic links). If that happens, the whole system is rendered useless.\r\nLockdown\r\nDark Nexus performs a lockdown of the device and ensures that it stays that way during its execution. Lockdown is performed after the persistence procedure is in place, adding an extra layer of control over the device. This phase starts with the init_lockdown function, which counts the PIDs currently existing on the device and saves them into a list called lockdown_pidlist. Once the bot starts its normal execution, the function ensure_lockdown is called every 2 seconds.\r\nThe ensure_lockdown function is in charge of killing any new process created after the bot was executed. It opens the /proc directory, reads the existing PIDs, and kills those that match all of these criteria (Figure 10):\r\n1. It is not one of the attack processes.\r\n2. It is not the PID of the bot, lockdown, scanner or reverse proxy process.\r\n3. The PID is greater than 799.\r\nFigure 10. Main part of the lockdown process. This ensures that no intruder or legitimate process can be started, as it gets killed if it is not present in the lockdown PID list.\r\nConclusion\r\nIn this blog post we took a sneak peek at what Dark Nexus is capable of and at its details. We explored this by presenting it via three characteristics we named the old, the new and the ugly. 
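The killer weighting described in The New above, re-implemented as an added Python example (this is not code from the post or from the malware): the six checks and their +100, +90, +10, +10, +50, +50 and +90 weights are the ones the post lists, applied here to constructed process snapshots instead of a live /proc tree. The ProcSnapshot type, the three sample snapshots and the choice to match the paths-to-kill on the executable's parent directory are assumptions of this example; the post does not say whether the bot compares path prefixes or exact directories.

```python
import os
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Literal tab: the status line the bot looks for is 'Groups:' followed by a tab and '0'.
TAB = chr(9)
NL = chr(10)
KILL_THRESHOLD = 99  # the post: a weight above 99 gets the process killed

# Paths-to-kill as listed in the post; the last entry, the root directory, is kept as written.
PATHS_TO_KILL = ('/tmp/', '/var/', '/dev/', '/var/tmp/', '/var/run/', '/')


@dataclass
class ProcSnapshot:
    '''What the killer reads from /proc/PID for one process (constructed here, not live).'''
    pid: int
    exe_link: str     # readlink('/proc/PID/exe'); ends in ' (deleted)' if unlinked
    open_fds: int     # number of entries in /proc/PID/fd
    cmdline: str      # argv[0] from /proc/PID/cmdline
    status: str       # contents of /proc/PID/status
    exe_bytes: bytes  # contents of /proc/PID/exe; the bot searches these for strings


def in_kill_path(exe_path: str) -> bool:
    '''Assumption of this example: an entry matches when the executable sits directly in
    that directory. The post does not say whether the bot compares prefixes or exact
    directories; a prefix comparison would let the root entry match every binary.'''
    parent = os.path.dirname(exe_path)
    if not parent.endswith('/'):
        parent += '/'
    return parent in PATHS_TO_KILL


def score_process(p: ProcSnapshot) -> Tuple[int, List[str]]:
    '''Apply the six checks from the post and return (weight, reasons).'''
    weight, reasons = 0, []
    exe_path = p.exe_link
    # 1) executable unlinked after start: +100, enough on its own to cross the threshold
    if exe_path.endswith(' (deleted)'):
        weight += 100
        reasons.append('exe deleted (+100)')
        exe_path = exe_path[:-len(' (deleted)')]
    # 2) running from one of the hardcoded paths-to-kill: +90
    if in_kill_path(exe_path):
        weight += 90
        reasons.append('runs from kill path (+90)')
    # 3) more than 250 open file descriptors: +10
    if p.open_fds > 250:
        weight += 10
        reasons.append('more than 250 open fds (+10)')
    # 4) started as ./something: +10
    if p.cmdline.startswith('./'):
        weight += 10
        reasons.append('cmdline starts with ./ (+10)')
    # 5) supplementary group 0 in /proc/PID/status: +50
    if ('Groups:' + TAB + '0') in p.status:
        weight += 50
        reasons.append('Groups: 0 (+50)')
    # 6) no .dynamic string, so probably a static binary: +50; UPX marker: +90
    if b'.dynamic' not in p.exe_bytes:
        weight += 50
        reasons.append('no .dynamic, likely static (+50)')
    if b'UPX' in p.exe_bytes:
        weight += 90
        reasons.append('UPX string, likely packed (+90)')
    return weight, reasons


def would_be_killed(p: ProcSnapshot) -> bool:
    return score_process(p)[0] > KILL_THRESHOLD


# Constructed snapshots (not real process data) for three situations.
SUSPECT = ProcSnapshot(    # a competing bot: dropped in /tmp, unlinked, packed, static
    pid=4242, exe_link='/tmp/bot.arm (deleted)', open_fds=12, cmdline='./bot.arm',
    status='Name:' + TAB + 'bot.arm' + NL + 'Groups:' + TAB + '0 ' + NL,
    exe_bytes=b'ELF bot UPX! compressed payload')
RESPONDER = ProcSnapshot(  # a static triage tool a responder copied to /tmp
    pid=5001, exe_link='/tmp/busybox', open_fds=5, cmdline='./busybox',
    status='Name:' + TAB + 'busybox' + NL + 'Groups:' + TAB + NL,
    exe_bytes=b'ELF busybox static build')
SSHD = ProcSnapshot(       # the device's own dynamically linked daemon, running as root
    pid=1337, exe_link='/usr/sbin/sshd', open_fds=30, cmdline='/usr/sbin/sshd',
    status='Name:' + TAB + 'sshd' + NL + 'Groups:' + TAB + '0 ' + NL,
    exe_bytes=b'ELF sshd libc.so.6 .dynamic .dynsym')


def triage(snapshots) -> Dict[int, Tuple[int, bool]]:
    '''Map PID to (weight, killed), the way killer_run walks its suspect list.'''
    return {p.pid: (score_process(p)[0], would_be_killed(p)) for p in snapshots}


if __name__ == '__main__':
    for p in (SUSPECT, RESPONDER, SSHD):
        weight, reasons = score_process(p)
        print(p.pid, p.cmdline, weight, 'KILL' if weight > KILL_THRESHOLD else 'keep', reasons)
```

The responder snapshot is the case to remember: a statically linked triage tool copied to /tmp and started as ./busybox already collects 90 + 10 + 50 = 150 from the path, the ./ prefix and the missing .dynamic string, so the killer terminates it even though it is exactly what an incident responder would bring to a device whose own binaries the bot has stripped. The device's dynamically linked sshd, even with group 0, stays under the threshold.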
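The BusyBox side note from the Persistence section, shown as an added Python example (not code from the post): it builds a throwaway bin directory with one busybox file and three applet symlinks, applies the bot's chmod to a single applet and reports that the shared target, and with it every other applet, has lost its permissions. The directory layout, the three applet names and the audit_mode_zero helper are constructed for this example; the list of binaries the bot actually targets is in the post's Figure 9, which is not part of the text.

```python
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# Three applets stand in for the binaries the bot targets; the real list is in the
# post's Figure 9 and is not reproduced in the text.
APPLETS = ('ls', 'cat', 'chmod')


def build_fake_busybox_root(root: str) -> str:
    '''Create root/bin/busybox plus symlinked applets, mirroring a BusyBox layout.'''
    bindir = os.path.join(root, 'bin')
    os.makedirs(bindir)
    busybox = os.path.join(bindir, 'busybox')
    with open(busybox, 'wb') as fh:
        fh.write(b'stand-in for the multi-call busybox binary')
    os.chmod(busybox, 0o755)
    for name in APPLETS:
        # relative links, as in real BusyBox images: bin/ls -> busybox
        os.symlink('busybox', os.path.join(bindir, name))
    return bindir


def bot_style_chmod_zero(path: str) -> None:
    '''The persistence step from the post: chmod(path, 0). chmod follows symbolic
    links, so on a symlinked applet the mode change lands on the link target.'''
    os.chmod(path, 0)


def mode_of(path: str) -> int:
    '''Permission bits of the file a path ultimately points to (stat follows links).'''
    return stat.S_IMODE(os.stat(path).st_mode)


def audit_mode_zero(bindir: str) -> List[Tuple[str, str, int]]:
    '''Responder check: entries whose resolved target has no permission bits left.
    Returns (name, resolved target, mode) so a shared target is visible at a glance.'''
    hits = []
    for name in sorted(os.listdir(bindir)):
        path = os.path.join(bindir, name)
        mode = mode_of(path)
        if mode == 0:
            hits.append((name, os.path.realpath(path), mode))
    return hits


def demo() -> Dict[str, object]:
    with tempfile.TemporaryDirectory() as root:
        bindir = build_fake_busybox_root(root)
        before = mode_of(os.path.join(bindir, 'busybox'))
        # The bot strips permissions from one applet only...
        bot_style_chmod_zero(os.path.join(bindir, 'ls'))
        after = mode_of(os.path.join(bindir, 'busybox'))
        # ...and every applet stops being executable, because they are all the same file.
        unusable = [a for a in APPLETS if not os.access(os.path.join(bindir, a), os.X_OK)]
        hits = audit_mode_zero(bindir)
        # put the mode back so the temporary directory is removed cleanly
        os.chmod(os.path.join(bindir, 'busybox'), 0o755)
        return {'busybox_mode_before': before, 'busybox_mode_after': after,
                'unusable_applets': unusable, 'audit_entries': [h[0] for h in hits]}


if __name__ == '__main__':
    for key, value in demo().items():
        print(key, value)
```

audit_mode_zero is the part worth keeping: pointed at a real /bin it lists every entry whose resolved target has mode 0, and a repeated target column shows at once whether a single chmod took the whole multi-call binary down, which is the situation the post describes as rendering the system useless.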
In The Old we showed how this malware imported a great deal of ideas and code from a well-known IoT malware: Mirai. This happens regularly, as the Mirai source code has been public since 2016 and its well-structured, easy-to-modify code is a perfect fit for any new malware. A good side of this is that it makes the malware easy to identify as well as to analyze.\r\nOn the other hand, in The New we presented new ideas that were adapted to work with this “old” code: the reverse proxy, which makes the bot more independent of its C\u0026C or distribution endpoints, and the killer function, which evolved from its more primitive variant seen in Mirai into one that analyzes and judges the processes running on the device by their characteristics.\r\nFinally, in The Ugly we presented two functions of a questionable nature. These procedures, persistence and lockdown, turn the infected device into a “brick”, inaccessible and unrecoverable from the outside world. And a device that cannot be accessed is a device that cannot be fixed.\r\nAll these characteristics show that IoT malware is improving while retaining its roots, and Dark Nexus is a clear sign of this.\r\nReferences\r\n[1] VirusTotal (2020, April 09). bc0457d7935e29aecb338756bde213cd18aa1b617b00d30c4deedd5eef9ba877. https://www.virustotal.com/gui/file/bc0457d7935e29aecb338756bde213cd18aa1b617b00d30c4deedd5eef9ba877/details\r\n[2] Liviu Arsene, Bitdefender (2020, April 08). New dark_nexus IoT Botnet Puts Others to Shame. https://labs.bitdefender.com/2020/04/new-dark_nexus-iot-botnet-puts-others-to-shame/\r\n[3] Bitdefender Investigations and Forensics Unit, Bitdefender (2020). New dark_nexus IoT Botnet Puts Others to Shame (Whitepaper). https://www.bitdefender.com/files/News/CaseStudies/study/319/Bitdefender-PR-Whitepaper-DarkNexus-creat4349-en-EN-interactive.pdf\r\n[4] Denys Vlasenko. BusyBox: The Swiss Army Knife of Embedded Linux. https://busybox.net/\r\n[5] jgamblin, GitHub (2020, October 23). Mirai-Source-Code. https://github.com/jgamblin/Mirai-Source-Code\r\nSource: https://www.stratosphereips.org/blog/2020/6/8/dark-nexus-the-old-the-new-and-the-ugly",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.stratosphereips.org/blog/2020/6/8/dark-nexus-the-old-the-new-and-the-ugly"
	],
	"report_names": [
		"dark-nexus-the-old-the-new-and-the-ugly"
	],
	"threat_actors": [],
	"ts_created_at": 1775791260,
	"ts_updated_at": 1775791339,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e2add0d2151782d34a3c1c89504739dcfb50a2b1.pdf",
		"text": "https://archive.orkl.eu/e2add0d2151782d34a3c1c89504739dcfb50a2b1.txt",
		"img": "https://archive.orkl.eu/e2add0d2151782d34a3c1c89504739dcfb50a2b1.jpg"
	}
}