Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet
TL;DR
Threat actors are actively exploiting a medium-severity command injection vulnerability (CVE-2024-3721) in TBK DVR devices to deploy Nexcorium, a new Mirai botnet variant. Additionally, researchers have observed failed but automated attempts to compromise end-of-life (EoL) TP-Link routers using CVE-2023-33538. These campaigns highlight the ongoing risk of unpatched IoT devices being used to fuel large-scale Distributed Denial-of-Service (DDoS) attacks.
Overview of the Nexcorium Campaign
Security researchers from Fortinet FortiGuard Labs have identified a new campaign targeting digital video recorders (DVRs) manufactured by TBK. The primary vector involves CVE-2024-3721 (CVSS score: 6.3), a command injection vulnerability that affects the TBK DVR-4104 and DVR-4216 models.
According to Fortinet, the exploitation process follows a specific sequence:
- Initial Access: The attacker exploits the command injection flaw to deliver a downloader script.
- Payload Delivery: The script identifies the system's architecture and downloads the appropriate Nexcorium botnet payload.
- Execution: Upon successful execution, the malware displays a defiant message: "nexuscorp has taken control."
Technical Analysis of Nexcorium
Nexcorium shares a structural foundation with the original Mirai botnet but includes several modernized features designed for persistence and expansion.
- Architecture: It utilizes an XOR-encoded configuration table, a watchdog module to ensure the process remains running, and a dedicated DDoS attack module.
- Lateral Movement: The malware incorporates an exploit for CVE-2017-17215 specifically to target Huawei HG532 devices within the same network.
- Brute-Force Capabilities: It contains a hard-coded list of usernames and passwords used to attempt Telnet logins on other hosts.
- Persistence: If a Telnet login succeeds, the malware attempts to secure a shell and establishes persistence using crontab and systemd services.
- Evasion: To hinder forensic analysis, Nexcorium deletes its original binary once persistence is established.
- DDoS Functionality: Once connected to its command-and-control (C2) server, the botnet can launch attacks across UDP, TCP, and SMTP protocols.
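The XOR-encoded configuration table mentioned above is the same construction the public Mirai source uses to hide its C2 host, process names and credential list from a casual strings scan, and recovering it is one of the first steps when triaging a sample. The following is an added analysis example, not code from the article or from Fortinet: it reimplements Mirai's table obfuscation (each byte XORed in turn with the four bytes of a 32-bit key, which collapses to a single XOR with one byte), recovers printable strings from an obfuscated region, and, because the article does not state Nexcorium's key, also shows how to guess the effective key byte from a dump. The key 0xDEADBEEF is the one in the public Mirai source and is an assumption for any variant; the sample table, hostname and credentials are constructed for the example.

```python
"""
Recover a Mirai-style XOR-obfuscated configuration table (added example).

Mirai's table.c stores every string XORed, byte by byte, with each of the four
bytes of a 32-bit key. XOR is associative, so this is the same as XORing with
a single byte (k1 ^ k2 ^ k3 ^ k4), which is why the table falls to a trivial
single-byte key search when the key is unknown.
"""
import re
import struct

# Key from the public Mirai source. Whether Nexcorium reuses it is not stated
# in the article; it is an assumption used only to build the constructed sample.
MIRAI_TABLE_KEY = 0xDEADBEEF


def effective_key_byte(key):
    """Collapse Mirai's four successive XORs into the one byte they amount to."""
    k1, k2, k3, k4 = struct.pack(">I", key)
    return k1 ^ k2 ^ k3 ^ k4  # 0x22 for 0xDEADBEEF


def toggle_obf(data, key=MIRAI_TABLE_KEY):
    """Mirai's toggle_obf(): XOR every byte with the key. Self-inverse, so the
    same call encodes and decodes."""
    k = effective_key_byte(key)
    return bytes(b ^ k for b in data)


def recover_strings(blob, key=MIRAI_TABLE_KEY, min_len=4):
    """Decode an obfuscated region and pull out printable ASCII runs, the way
    an analyst triages a dumped .data section for C2 hosts and credentials."""
    plain = toggle_obf(blob, key)
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, plain)]


def guess_key_byte(blob):
    """Heuristic single-byte key search for a dump with an unknown key: score
    each candidate by how much of the decoded output looks like the lowercase
    hostnames, paths and credentials such tables hold (lowercase letters count
    double; other printable bytes and NUL terminators count once)."""
    def score(k):
        total = 0
        for b in blob:
            p = b ^ k
            if 0x61 <= p <= 0x7A:
                total += 2
            elif 0x20 <= p <= 0x7E or p == 0:
                total += 1
        return total
    return max(range(256), key=score)


# Constructed sample: NUL-terminated entries as they sit in memory after the
# table is built, then obfuscated with the assumed key. Hostname and
# credentials are placeholders, not indicators from the article.
SAMPLE_ENTRIES = [b"cnc.example.invalid", b"23", b"/bin/busybox", b"admin", b"admin"]
SAMPLE_TABLE = toggle_obf(b"\x00".join(SAMPLE_ENTRIES) + b"\x00")


if __name__ == "__main__":
    print("effective key byte: 0x%02x" % effective_key_byte(MIRAI_TABLE_KEY))
    print("guessed key byte:   0x%02x" % guess_key_byte(SAMPLE_TABLE))
    for s in recover_strings(SAMPLE_TABLE):
        print("recovered:", s)
```

Because the obfuscation collapses to one byte, a plain `strings` run on an unpacked sample finds nothing useful, while trying all 256 candidates takes milliseconds; in practice the guessed key is confirmed by checking that the decoded output contains a plausible C2 host and port, and those values then become the detection indicators worth sharing.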
Targeting End-of-Life TP-Link Routers
In a related finding, Palo Alto Networks Unit 42 reported automated scanning activity targeting CVE-2023-33538 (CVSS score: 8.8). This critical command injection vulnerability affects several end-of-life TP-Link Wi-Fi routers, including:
- TL-WR940N (v2, v4)
- TL-WR740N (v1, v2)
- TL-WR841N (v8, v10)
While researchers noted that current in-the-wild exploitation attempts for this specific flaw have been "flawed" and unsuccessful due to poor implementation by the attackers, the risk remains high. These attacks aim to deploy a Mirai-like variant referred to as "Condi," which features self-updating capabilities and can act as a web server to infect other connecting devices.
Notably, CVE-2023-33538 was added to CISA's Known Exploited Vulnerabilities (KEV) catalog in June 2025.
The Broader IoT Threat Landscape
The resurgence of Mirai variants like Nexcorium and Condi underscores a persistent weakness in the IoT ecosystem. Security researcher Vincent Li noted that these devices remain "prime targets" due to widespread use, a lack of consistent patching, and weak default security settings.
This is not the first instance of CVE-2024-3721 being exploited; over the past year, it has been leveraged by multiple botnets, including a relatively new threat known as RondoDox.
Conclusion and Recommendations
The evolution of Nexcorium demonstrates that threat actors are increasingly adept at combining old exploits with modern persistence techniques. Because many of the targeted devices—particularly the TP-Link models—are end-of-life and no longer receiving security updates, the only viable defense is often hardware replacement.
Security Recommendations:
- Replace EoL Equipment: Users of the affected TP-Link models should upgrade to newer, supported hardware.
- Update Passwords: Transition away from default credentials, as brute-force attacks remain a primary spreading mechanism for IoT malware.
- Network Segmentation: Isolate IoT devices (like DVRs) from critical network segments to prevent lateral movement.
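The Telnet credential guessing described in the technical analysis, and named above as the primary spreading mechanism, leaves a clear trace on the target: a burst of failed logins from one source, and, when the hard-coded list contains the device's password, a success from that same source shortly after. The following detection logic is an added example and not code from the article or from any vendor; it runs over constructed log lines (the `telnetd` message format, hostnames and TEST-NET addresses are invented for the example, and a real device or honeypot logs in its own format, so the regex is the part to adapt). It raises one alert per source and target, and escalates it when a success follows the burst.

```python
"""
Flag Telnet credential guessing against IoT devices from auth logs (added example).

Rule: N or more failed logins from one source to one device inside a sliding
window is a brute-force alert; a successful login from that source after the
burst is escalated to a probable compromise, which is the moment the article
says Nexcorium drops crontab/systemd persistence on the new host.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format for this example; adapt to the device or honeypot in use.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) telnetd\[\d+\]: login (?P<result>ok|failed) "
    r"for '(?P<user>[^']*)' from (?P<src>\d+\.\d+\.\d+\.\d+)$"
)

FAIL_THRESHOLD = 5             # failures needed inside the window to alert
WINDOW = timedelta(seconds=60)  # sliding window per (source, device) pair


def parse_line(line):
    """Return a dict for a recognised telnetd login line, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_bruteforce(lines, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return a list of alert dicts, one per (source, device) pair."""
    failures = defaultdict(deque)  # (src, host) -> timestamps of recent failures
    alerts = {}                    # (src, host) -> alert dict
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unrelated daemon or unparsable line
        key = (ev["src"], ev["host"])
        q = failures[key]
        if ev["result"] == "failed":
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()  # drop failures that fell out of the window
            if key in alerts:
                alerts[key]["failures"] += 1
            elif len(q) >= threshold:
                alerts[key] = {
                    "src": ev["src"], "host": ev["host"],
                    "severity": "bruteforce", "failures": len(q),
                    "first_seen": q[0].isoformat(), "user": None,
                }
        elif key in alerts:  # success from a source already flagged
            alerts[key]["severity"] = "compromise"
            alerts[key]["user"] = ev["user"]
    return list(alerts.values())


# Constructed sample log: one guessing burst that ends in a successful login,
# one source with two isolated failures, and one unrelated line.
SAMPLE_LOG = """\
2025-06-02T10:15:01Z dvr-01 telnetd[412]: login failed for 'root' from 203.0.113.7
2025-06-02T10:15:03Z dvr-01 telnetd[412]: login failed for 'root' from 203.0.113.7
2025-06-02T10:15:05Z dvr-01 telnetd[412]: login failed for 'admin' from 203.0.113.7
2025-06-02T10:15:06Z dvr-01 telnetd[412]: login failed for 'admin' from 198.51.100.4
2025-06-02T10:15:07Z dvr-01 telnetd[412]: login failed for 'admin' from 203.0.113.7
2025-06-02T10:15:09Z dvr-01 telnetd[412]: login failed for 'support' from 203.0.113.7
2025-06-02T10:15:11Z dvr-01 telnetd[412]: login failed for 'user' from 203.0.113.7
2025-06-02T10:15:13Z dvr-01 telnetd[412]: login ok for 'admin' from 203.0.113.7
2025-06-02T10:16:40Z dvr-01 telnetd[412]: login failed for 'admin' from 198.51.100.4
2025-06-02T10:16:41Z dvr-01 dropbear[77]: Exit before auth from 192.0.2.10
""".splitlines()


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

A "compromise" alert is the trigger for the response the article implies: pull the device off the segment, then look on it for new crontab entries and systemd units, and for a running process whose executable has already been unlinked, since the malware deletes its binary once persistence is in place. The source with two failures 94 seconds apart stays below the threshold, which keeps ordinary typos from paging anyone.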
Source: The Hacker News - Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet