Nexcorium: Aggressive Mirai Botnet Exploits Critical IoT Vulnerability

A new Mirai malware variant dubbed Nexcorium is actively compromising unpatched Internet of Things (IoT) devices, with attackers exploiting a severe vulnerability in TBK DVR systems to construct a massive botnet capable of launching devastating distributed denial-of-service (DDoS) attacks.

According to recent FortiGuard Labs research, the campaign primarily targets CVE-2024-3721 – a high-severity operating system command injection flaw affecting TBK DVR-4104 and DVR-4216 models. Hackers leverage this weakness to bypass security mechanisms and deploy a malicious downloader script.

Exploit traffic via CVE-2024-3721 (Source: Fortinet)
Exploit traffic via CVE-2024-3721 (Source: Fortinet)

Analysis of attack traffic revealed a distinctive HTTP header reading “X-Hacked-By: Nexus Team – Exploited By Erratic,” which serves as a fingerprint linking activities to the emerging “Nexus Team” threat actor.

Malware Behavior and Rapid Spread

After script deployment, Nexcorium fetches its payload. The malware exhibits remarkable adaptability, targeting multiple Linux device architectures including ARM, MIPS, and x86-64. Upon successful execution, it displays a concealed system message: “nexuscorp has taken control.”

While operating similarly to traditional Mirai botnets, Nexcorium employs aggressive propagation tactics post-infection. It immediately scans for vulnerable targets, deploying a secondary exploit targeting CVE-2017-17215 in Huawei HG532 routers. Additionally, it uses a hard-coded dictionary of weak credentials like “admin,” “12345,” and “guest” to brute-force entry via Telnet connections.

XOR-Encoded CVE-2017-17215 exploit (Source: Fortinet)
XOR-Encoded CVE-2017-17215 exploit (Source: Fortinet)

To ensure persistence, Nexcorium employs a multi-layered approach:

  • Init Configuration: Modifies /etc/inittab to restart malicious processes upon termination
  • Startup Scripts: Alters local startup files for execution at boot
  • Systemd Services: Creates hidden background services running automatically
  • Cron Jobs: Schedules tasks to periodically relaunch malware

After securing persistence, Nexcorium deletes installation files to evade detection.

Parsing architecture information from victim host (Source: Fortinet)
Parsing architecture information from victim host (Source: Fortinet)

The botnet ultimately coordinates DDoS attacks via command-and-control servers, supporting over ten attack methods including UDP/TCP SYN floods and SMTP floods to overwhelm diverse targets.

Mitigation Strategies

  • Apply immediate firmware patches for affected TBK DVRs, Huawei routers, and IoT hardware
  • Replace all default credentials with complex, unique passwords
  • Disable external Telnet access and restrict internet exposure of critical devices
  • Monitor for abnormal outbound connections and automated scanning behavior

Related Articles

Back to top button