The IoT Attack Landscape

In a recent blog post, I wrote about the fertile ground of insecure IoT devices and their use by adversaries such as cybercriminals and defense organizations such as Russia’s FSB. One motivation for attacking IoT devices is to use their internet connections to run botnets and DDoS (distributed denial-of-service) attacks.

In the famous Mirai malware campaigns, IoT devices were compromised and used to perform a massive DDoS attack at a global scale, one that caused major internet disruptions.

Since Mirai was published as open source software, malware developers have been able to learn from it and build upon its success. Like a biological virus, Mirai has new “strains” - either direct descendants (using a similar codebase) or just attackers copying the same TTPs to emulate Mirai’s success.

“dark_nexus” is a new Mirai-descendant IoT botnet that has been discovered by Bitdefender researchers. It emulates many of the tactics used by Mirai.

In this blog post, I’ll discuss the dynamics of the IoT device takeover market and what it means for us, as the defenders of IoT networks.


The IoT Device Takeover Market

Adversaries compete among themselves for control of IoT devices, optimizing a set of parameters that will yield the highest return on investment for their time and effort.


Vulnerability Exploitation

Attackers are always on the lookout for new vulnerabilities. Common vulnerabilities are default/weak passwords and unpatched firmware. Attackers use different ways to find and exploit vulnerabilities, including independent research and leveraging public CVEs and exploits.

The goal is to reach as many IoT devices as possible, as each IoT device can be monetized or be used for other purposes.

The dark_nexus malware has been observed exploiting RCE (Remote Code Execution), default passwords and command injection.


Cross-Platform Support

IoT devices have a very diverse set of operating systems and CPUs, and they might require special payloads in order for the malware to actually run on them.

It could be that a device is vulnerable, but the attacker can’t run the malware on it, since the CPU isn’t supported. This makes the cross-platform requirement very important in the cybercrime organization’s “product management” department.

The dark_nexus malware has been compiled for 12 different CPU architectures in routers (including D-Link, ASUS, Dasan and Zhone), video recorders, and thermal cameras. We also know that the Mirai malware has been compiled to be able to run on multiple platforms.

Just like normal software vendors, adversaries have to prioritize their R&D and get feedback from the “field” (failed infection attempts).



IoT devices can be upgraded, rebooted or undergo other changes that will cause the malware to be removed or deactivated. Since attackers are putting a lot of effort into gaining control over IoT devices, this is obviously an undesirable scenario.

Therefore, dark_nexus comes with persistence features: it hides as the popular “BusyBox” utility, disables the option to reboot or power off the IoT device, and registers as a service that should be brought up after reboot.
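
A defender can check for the BusyBox disguise described above by comparing what each process calls itself with the binary that actually backs it. The following is an added example, not code from the original post or from the Bitdefender analysis; the trusted paths and the function names are assumptions, and it tests only the process name, not any dark_nexus-specific indicator.

```python
import os

# Assumption: where the legitimate BusyBox binary lives on this device.
TRUSTED_BUSYBOX = {"/bin/busybox", "/usr/bin/busybox"}

def read_text(path):
    """Return a /proc file's content, or "" if the process already exited."""
    try:
        with open(path, "rb") as f:
            return f.read().decode("utf-8", "replace")
    except OSError:
        return ""

def find_busybox_masquerades(proc_root="/proc", trusted=TRUSTED_BUSYBOX):
    """List (pid, exe, reason) for processes that call themselves busybox
    but are not backed by a trusted BusyBox binary."""
    findings = []
    for entry in sorted(os.listdir(proc_root)):
        if not entry.isdigit():
            continue  # skip non-process entries such as "self"
        base = os.path.join(proc_root, entry)
        comm = read_text(os.path.join(base, "comm")).strip()
        argv0 = read_text(os.path.join(base, "cmdline")).split("\0")[0]
        # Both names are controlled by the process, so either may be forged.
        if "busybox" not in {comm, os.path.basename(argv0)}:
            continue
        try:
            # The exe link is set by the kernel and is harder to fake.
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            continue  # kernel thread or no permission: cannot judge
        if exe.endswith(" (deleted)"):
            findings.append((int(entry), exe, "binary deleted from disk"))
        elif exe not in trusted:
            findings.append((int(entry), exe, "untrusted path"))
    return findings

if __name__ == "__main__":
    for pid, exe, reason in find_busybox_masquerades():
        print(f"pid {pid}: claims busybox, runs {exe} ({reason})")
```

Run it as root on the device or against a copied /proc snapshot; a hit is a lead for triage, since a vendor may ship BusyBox at a path not listed in the trusted set.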



When adversaries have done the legwork and got themselves control over an IoT device, they have a valuable asset in their hands that they want to protect from other adversaries.

Why would they want to share their precious resource with anyone else?

Interestingly enough, the need for supremacy aligns some of the adversary’s interests with the device owner’s interests. We’ve seen adversaries patch devices to prevent them from being attacked by other adversaries, and even fix IT issues, so that the device can continue its normal operation without being replaced.

dark_nexus, for example, comes with a process monitor that kills unidentified, possibly invading processes, based on a calculated risk score. This protects the installed base from invasion by competing malware operators.


Monetization Features

When the IoT asset is secure in the hands of the attackers, they start using it for the purpose they intended. (Adversaries have multiple purposes for IoT devices.)

The dark_nexus botnet has been intended for the following uses:

  • To attack other devices, further growing the botnet
  • To sell DDoS Services
  • To sell the internet connection for cyber crime purposes (fraud, etc.)
  • To sell the botnet for any other creative use


What This Means for IoT Devices

IoT devices are becoming more and more popular, and the threats to them keep evolving. The competition between malware developers will push them to improve in order to achieve the following goals:

  1. Operate a large, stable botnet of hacked IoT devices.
  2. Protect the botnet from upgrades and takeovers by other hacking groups.
  3. Expand the botnet by exploiting new vulnerabilities and developing the malware for a wide range of operating systems and CPUs.
  4. Advance in monetization - Attackers will find ways to generate more revenue from the botnet they already have. This means they’ll start selling new, innovative services, using the IoT devices as attack vectors into other networks, stealing information from the IoT devices, and committing other types of cyber crime.


If you’re worried about the security of your enterprise IoT device fleet, SCADAfence IoT Security is one of the products you might want to evaluate. SCADAfence IoT Security is the only agentless, vendor-agnostic IoT security management platform for enterprises.