Cybersecurity researchers have uncovered a new and dangerous variant of Mirai malware, known as Nexcorium, which is actively targeting vulnerable Internet of Things (IoT) devices. According to recent findings from FortiGuard Labs, attackers are aggressively exploiting a critical flaw in TBK DVR systems to build a powerful botnet capable of executing large-scale distributed denial-of-service (DDoS) attacks.
Specifically, threat actors are leveraging CVE-2024-3721, a high-severity operating system command injection vulnerability that impacts TBK DVR-4104 and DVR-4216 models. By exploiting this flaw, attackers bypass security defenses and deploy a malicious downloader script that initiates the infection process.
During the investigation, FortiGuard Labs researchers identified a distinctive HTTP header in the attack traffic: “X-Hacked-By: Nexus Team – Exploited By Erratic.” This unique marker clearly associates the campaign with an emerging threat group called the Nexus Team.
Malware Behavior and Rapid Propagation
Once attackers deploy the initial script, it downloads and executes the Nexcorium payload. Notably, the malware demonstrates high adaptability, as it supports multiple Linux architectures, including ARM, MIPS, and x86-64. After successful execution, it quietly prints the message: “nexuscorp has taken control.”
Furthermore, Nexcorium behaves similarly to traditional Mirai botnets but introduces more aggressive propagation tactics. Immediately after infecting a device, it begins scanning the internet for additional vulnerable targets. In addition, it leverages a secondary exploit, CVE-2017-17215, to compromise Huawei HG532 routers.
To accelerate its spread, the malware uses a built-in dictionary of weak credentials such as “admin,” “12345,” and “guest,” enabling it to brute-force its way into exposed devices via Telnet.
Moreover, Nexcorium ensures long-term persistence by implementing multiple survival techniques. For instance, it modifies system configurations, startup scripts, and systemd services to maintain control even after reboots. It also creates cron jobs that periodically relaunch the malware. After securing persistence, it deletes its original installation files to evade detection by security tools.
DDoS Capabilities and Threat Impact
Ultimately, Nexcorium aims to launch highly disruptive DDoS attacks. It communicates with a remote command-and-control (C2) server to receive instructions. FortiGuard Labs revealed that the malware supports more than ten attack methods, including UDP floods, TCP SYN floods, and SMTP floods. As a result, attackers can target a wide range of networks, applications, and web services with precision and scale.
Mitigation Strategies
To counter this growing threat, organizations should take immediate action. First, they must apply the latest firmware updates to all IoT devices, including DVRs and routers. Additionally, replacing default credentials with strong, unique passwords can significantly reduce risk.
Furthermore, disabling external Telnet access and limiting internet exposure for critical devices will help minimize attack surfaces. Lastly, organizations should continuously monitor network traffic for unusual patterns, especially automated scanning activity, to detect early signs of compromise.
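As an added illustration of the monitoring advice above (not code from the FortiGuard Labs report), the following script checks captured HTTP requests for the “X-Hacked-By” marker described earlier and flags hosts that contact many distinct addresses on Telnet ports, the kind of automated scanning the article recommends watching for. The sample requests and flow records are constructed for the example; the detection threshold is an assumed value.

```python
import re
from collections import defaultdict

# Constructed sample of raw HTTP requests (not taken from the report).
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1\r\nHost: dvr.local\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "POST /device.rsp HTTP/1.1\r\nHost: dvr.local\r\n"
    "X-Hacked-By: Nexus Team - Exploited By Erratic\r\nContent-Length: 0\r\n\r\n",
    "GET /status HTTP/1.1\r\nHost: cam01\r\n"
    "x-hacked-by: nexus team - exploited by erratic\r\n\r\n",
]

# Marker header reported by FortiGuard Labs. Match case-insensitively and
# accept either an ASCII hyphen or an en dash between the two phrases.
MARKER_HEADER = "x-hacked-by"
MARKER_VALUE = re.compile(r"nexus team\s*[-\u2013]\s*exploited by erratic", re.I)

def parse_headers(raw):
    """Return a dict of lowercase header names to values from a raw HTTP request."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def flag_nexcorium_marker(requests):
    """Return the indexes of requests carrying the Nexus Team marker header."""
    return [i for i, raw in enumerate(requests)
            if MARKER_VALUE.search(parse_headers(raw).get(MARKER_HEADER, ""))]

# Constructed flow records: (source_ip, destination_ip, destination_port).
SAMPLE_FLOWS = [("10.0.0.5", f"198.51.100.{i}", 23) for i in range(1, 13)] + [
    ("10.0.0.7", "198.51.100.20", 443),
    ("10.0.0.7", "198.51.100.21", 80),
]

TELNET_PORTS = {23, 2323}

def telnet_scanners(flows, threshold=10):
    """Return sources that reached at least `threshold` distinct hosts on Telnet ports.
    The threshold is an assumed tuning value, not one given by the report."""
    targets = defaultdict(set)
    for src, dst, dport in flows:
        if dport in TELNET_PORTS:
            targets[src].add(dst)
    return sorted(src for src, dsts in targets.items() if len(dsts) >= threshold)

if __name__ == "__main__":
    print("marker hits:", flag_nexcorium_marker(SAMPLE_REQUESTS))
    print("telnet scanners:", telnet_scanners(SAMPLE_FLOWS))
```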