The Nexcorium Mirai variant exploits TBK DVR vulnerabilities to hijack IoT devices and launch DDoS attacks. This technical analysis explains how the attack works and what organizations must do now.
Introduction
IoT devices continue to be one of the weakest links in modern cybersecurity. From DVR systems to routers, these devices are often deployed with default credentials, outdated firmware, and minimal monitoring, making them prime targets for botnet operators.
A newly observed campaign involving the Nexcorium Mirai variant highlights how attackers are evolving traditional botnets by combining known vulnerabilities, automated scanning, and multi-architecture malware delivery.
Rather than relying on zero-days, this campaign demonstrates a persistent truth in cybersecurity:
Old vulnerabilities + poor device hygiene = large-scale compromise
What Happened
Security researchers identified an active campaign where threat actors are exploiting TBK DVR devices using a known vulnerability tracked as:
- CVE-2024-3721 (command injection flaw)
This vulnerability affects TBK DVR-4104 and DVR-4216 devices and allows attackers to execute arbitrary commands remotely.
Once exploited, attackers deploy a Mirai-based malware variant named Nexcorium, which takes control of the device and integrates it into a botnet.
The campaign has also been observed targeting:
- End-of-life TP-Link routers
- Other vulnerable IoT devices
These additional targets expand the overall botnet footprint.
Why This Attack Is Different
While Mirai-based attacks are not new, Nexcorium introduces several improvements.
This campaign:
- Targets specific IoT vulnerabilities instead of generic scanning alone
- Supports multiple CPU architectures (ARM, MIPS, x86)
- Combines exploit-based infection with brute-force propagation
This hybrid approach allows attackers to:
- Scale infections faster
- Maintain persistence across diverse devices
- Increase DDoS attack power
How the Attack Chain Works
The Nexcorium campaign follows a multi-stage automated infection process.
Initial Exploitation
Attackers exploit CVE-2024-3721 via crafted HTTP requests to the DVR web interface, enabling remote command execution.
Downloader Script Execution
A script is deployed to the device, which downloads the appropriate malware binary based on system architecture.
Payload Deployment
The Nexcorium malware is executed and displays a message indicating system takeover.
Persistence Mechanisms
The malware ensures long-term access by:
- Creating cron jobs
- Modifying startup scripts
- Installing system services
Botnet Integration
The infected device connects to a command-and-control (C2) server to receive instructions.
Understanding Nexcorium Malware
Nexcorium is a Mirai-based botnet variant with enhanced capabilities.
Core components include:
- Scanner module for identifying new targets
- Brute-force module using hardcoded credentials
- DDoS attack module supporting multiple attack types
- Watchdog module to maintain persistence
The malware also includes exploits for older vulnerabilities, such as:
- CVE-2017-17215 targeting Huawei routers
This allows it to spread beyond its initial infection vector.
Common Techniques Used in the Campaign
The Nexcorium campaign combines several well-known but effective techniques.
Command Injection Exploitation
Using CVE-2024-3721 to gain remote access.
Default Credential Abuse
Leveraging weak or unchanged passwords to expand infections.
Automated Scanning and Propagation
Continuously scanning the internet for vulnerable devices.
Multi-Architecture Malware Delivery
Adapting payloads to different device types.
Persistence via System Modification
Ensuring survival across reboots.
These techniques make the botnet highly scalable and resilient.
Why This Campaign Is Dangerous
This campaign is particularly dangerous due to its scale and automation.
Key risks include:
- Rapid global spread across IoT devices
- Minimal user interaction required
- Difficulty detecting compromised devices
- High DDoS attack capability
Once infected, devices can be used to launch:
- UDP floods
- TCP SYN floods
- SMTP-based attacks
Why IoT Devices Are Prime Targets
IoT devices remain highly vulnerable due to:
- Lack of regular patching
- Default or weak credentials
- Exposure to the internet
- Limited security monitoring
These weaknesses make them ideal for botnet recruitment at scale.
Potential Impact on Organizations
If compromised, IoT devices can be used for:
- Large-scale DDoS attacks
- Network disruption
- Unauthorized network access
- Lateral movement into internal systems
Even if the device itself is low-value, its role in a botnet can have global impact.
What Organizations Should Do Now
Organizations must take immediate steps to secure IoT environments.
Recommended actions include:
- Patch or update firmware on all IoT devices
- Replace unsupported or end-of-life hardware
- Disable unnecessary internet exposure
- Change all default credentials
- Segment IoT devices from critical networks
Prevention is critical due to the automated nature of the attack.
Detection and Monitoring Strategies
Security teams should monitor for:
- Unusual outbound traffic spikes
- Repeated scanning behavior
- Connections to known C2 infrastructure
- Unexpected device reboots or configuration changes
Network-based detection is essential for identifying compromised IoT devices.
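The three network indicators above (outbound traffic spikes, repeated scanning, and contact with known C2 addresses) can be checked from flow records alone. The script below is an added example, not code from the original article; the flow format, the IP addresses, the C2 list, the per-host baselines and the thresholds are all constructed placeholders.

```python
"""Triage IoT hosts for Mirai-style behaviour from constructed flow records."""
from collections import defaultdict

# Ports Mirai-family scanners commonly probe (telnet and embedded web UIs).
SCAN_PORTS = {23, 2323, 80, 8080}


def parse_flow(line):
    """Parse one 'src dst dport bytes' record (hypothetical format)."""
    src, dst, dport, nbytes = line.split()
    return src, dst, int(dport), int(nbytes)


def triage(lines, known_c2, baselines, scan_threshold=10, spike_factor=5.0):
    """Return {host: sorted indicator names} for every suspicious source host."""
    scan_targets = defaultdict(set)   # src -> distinct hosts probed on SCAN_PORTS
    bytes_out = defaultdict(int)      # src -> total bytes sent
    c2_hits = set()                   # sources that talked to a known C2 address
    for line in lines:
        src, dst, dport, nbytes = parse_flow(line)
        bytes_out[src] += nbytes
        if dport in SCAN_PORTS:
            scan_targets[src].add(dst)
        if dst in known_c2:
            c2_hits.add(src)
    findings = defaultdict(set)
    for host, targets in scan_targets.items():
        if len(targets) >= scan_threshold:          # repeated scanning behaviour
            findings[host].add("scanning")
    for host, total in bytes_out.items():
        base = baselines.get(host)
        if base and total > base * spike_factor:    # unusual outbound volume
            findings[host].add("outbound_spike")
    for host in c2_hits:
        findings[host].add("c2_contact")
    return {h: sorted(v) for h, v in findings.items()}


# Constructed sample: documentation IP ranges only, no real infrastructure.
SAMPLE_FLOWS = (
    [f"192.0.2.10 198.51.100.{i} 23 60" for i in range(1, 13)]   # DVR probing telnet
    + ["192.0.2.10 203.0.113.77 443 1500",                        # placeholder C2 contact
       "192.0.2.10 198.51.100.200 53 500000"]                     # large outbound burst
    + ["192.0.2.20 198.51.100.5 443 1000"] * 3                    # ordinary HTTPS traffic
)
KNOWN_C2 = {"203.0.113.77"}                           # placeholder; feed from threat intel
BASELINES = {"192.0.2.10": 2000, "192.0.2.20": 5000}  # typical bytes out per host


def run_sample():
    return triage(SAMPLE_FLOWS, KNOWN_C2, BASELINES)


if __name__ == "__main__":
    for host, indicators in run_sample().items():
        print(host, ", ".join(indicators))
```

In practice the baselines come from a rolling history per device and the C2 set from a threat-intelligence feed; a host matching two or more indicators is a strong candidate for isolation and firmware inspection.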
The Role of Penetration Testing
Penetration testing can help identify vulnerable IoT devices before attackers do.
Testing should include:
- IoT device discovery and enumeration
- Credential testing (default and weak passwords)
- Vulnerability scanning for known exploits
- Network segmentation validation
These assessments help reduce exposure to botnet recruitment.
Key Takeaway
The Nexcorium Mirai variant demonstrates how attackers continue to exploit known IoT vulnerabilities to build powerful botnets. By combining command injection, credential abuse, and automated propagation, threat actors can compromise thousands of devices with minimal effort.
Organizations must prioritize IoT security, patch management, and network segmentation to defend against this persistent and evolving threat.

