Mirai Variant Exploits TBK DVR Vulnerability to Expand Botnet
Key Takeaways A new Mirai variant, dubbed Nexcorium, is actively exploiting a critical command injection vulnerability in TBK DVR devices. The vulnerability, identified as CVE-2024-3721, affects TBK...
Key Takeaways
- A new Mirai variant, dubbed Nexcorium, is actively exploiting a critical command injection vulnerability in TBK DVR devices.
- The vulnerability, identified as CVE-2024-3721, affects TBK DVR-4104 and DVR-4216 models, allowing attackers to gain control and integrate them into a DDoS botnet.
- Attributed to the “Nexus Team,” the malware uses a sophisticated modular architecture, brute-forcing, and multiple persistence mechanisms to maintain control over compromised IoT devices.
- The primary goal of Nexcorium is to launch various types of Distributed Denial-of-Service (DDoS) attacks.
- Organizations must patch CVE-2024-3721 immediately, change default credentials, and implement network segmentation to protect vulnerable IoT endpoints.
A sophisticated new variant of the Mirai botnet, named Nexcorium, is aggressively targeting internet-connected digital video recorders (DVRs), according to recent findings from Fortinet’s FortiGuard Labs. Threat actors are leveraging a known command injection vulnerability to hijack TBK DVR systems, effectively conscripting them into a large-scale Distributed Denial-of-Service (DDoS) botnet.
Table Of Content
Fortinet researchers have pinpointed the campaign’s focus on TBK DVR-4104 and DVR-4216 models. The core of the attack exploits CVE-2024-3721, an OS command injection flaw. This vulnerability enables attackers to inject and execute a downloader script by manipulating specific arguments within the device’s system.
During the exploitation phase, network traffic reveals a distinctive custom HTTP header: “X-Hacked-By: Nexus Team – Exploited By Erratic.” This unique identifier has led FortiGuard Labs to attribute the campaign to a relatively unknown group, now identified as the “Nexus Team.”
Upon successful execution, the downloader script retrieves multi-architecture payloads compatible with ARM, MIPS, and x86-64 environments. A console message, “nexuscorp has taken control,” then appears, confirming the compromise.
Technical Capabilities and Infection Mechanisms
Fortinet’s in-depth analysis indicates that Nexcorium shares fundamental architectural elements with previous Mirai variants, including the use of XOR-encoded configurations and a modular design. The malware’s operational strategy relies on several key mechanisms:
Modular Architecture and Propagation
- Modular Design: Nexcorium incorporates standard Mirai features, such as a watchdog module to manage sub-processes, a scanner for network propagation, and an attacker module designed for DDoS execution.
- Legacy Exploit Integration: To broaden its infection scope, Nexcorium also integrates the older CVE-2017-17215 vulnerability, known to affect Huawei router devices.
- Aggressive Brute-Forcing: The malware initiates Telnet-based brute-force attacks against other networked hardware, utilizing a hardcoded list of common and default credentials.
- Self-Preservation: Nexcorium employs FNV-1a hashing algorithms to verify its integrity. If the binary is found to be altered or unreadable, it dynamically duplicates itself under a new filename to evade detection and maintain operation.
Persistence Mechanisms
To ensure long-term access to compromised systems, Nexcorium establishes persistence through four distinct mechanisms, avoiding reliance on a single point of failure. The botnet secures its foothold by:
- Modifying
/etc/inittabto ensure the malware process automatically restarts if terminated. - Updating
/etc/rc.localto guarantee execution during the device’s system startup sequence. - Creating a dedicated systemd service, named
persist.service, for persistent background operation. - Planting scheduled tasks via crontab for reliable execution following a device reboot.
After establishing this comprehensive setup, Fortinet observed that Nexcorium deletes its original binary from the execution path, a tactic designed to hinder forensic analysis by security professionals.
DDoS Capabilities
The primary objective of the Nexus Team’s campaign is to launch devastating DDoS attacks. Based on FortiGuard Labs’ decryption of the malware’s configuration table, Nexcorium communicates with a centralized command-and-control (C2) server to receive attack directives.
The botnet is equipped with a versatile arsenal of flood techniques, indicating a broad attack scope. These include standard UDP, TCP ACK, TCP SYN, SMTP, and TCP PSH floods, alongside specialized attack vectors such as VSE query floods and UDP blast attacks.
The emergence of Nexcorium underscores the ongoing risk posed by the weaponization of legacy IoT devices. Security experts strongly advise organizations to take immediate action.
What You Should Do
- Patch Immediately: Apply available patches for CVE-2024-3721 on all affected TBK DVR-4104 and DVR-4216 models.
- Change Default Credentials: Replace all default manufacturer credentials with strong, unique passwords for all IoT devices.
- Implement Network Segmentation: Isolate critical infrastructure from vulnerable IoT endpoints using network segmentation to limit potential lateral movement by attackers.
- Monitor Network Traffic: Implement robust network monitoring to detect unusual activity or outbound connections from IoT devices.
- Disable Unnecessary Services: Turn off any unneeded ports or services on IoT devices to reduce the attack surface.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.