Nexcorium Botnet Exploiting Critical TBK DVR Vulnerabilities

The IoT landscape is once again facing a significant surge in automated exploitation.

A new, highly capable Mirai-based botnet, dubbed Nexcorium, has emerged, actively targeting TBK Digital Video Recorder (DVR) devices. This campaign isn’t just spreading randomly; it is surgical, leveraging a critical OS command injection vulnerability to turn consumer hardware into high-powered nodes for distributed denial-of-service (DDoS) attacks.

At the heart of this campaign is CVE-2024-3721. By manipulating the mdb and mdc parameters within the device’s web interface, threat actors can bypass standard input validation to achieve remote command execution (RCE). This flaw provides the initial foothold necessary to deploy the Nexcorium payload.

Interestingly, the attackers have left a distinct digital fingerprint. Captured traffic reveals a customized HTTP header: X-Hacked-By: Nexus Team – Exploited By Erratic. This signature points toward a previously undocumented threat group, likely the “Nexus Team,” signaling a new player in the IoT exploitation space.

Exploit traffic via CVE-2024-3721 (Source: FortiGuard Labs).
Exploit traffic via CVE-2024-3721 (Source: FortiGuard Labs).

Comprehensive analysis by FortiGuard Labs has detailed how this attack unfolds. Once the initial injection is successful, a specialized shell script named dvr is executed. This script acts as a multi-architecture downloader, pulling down specific malware payloads tailored for ARM, MIPS, and x86-64 architectures to ensure maximum coverage across different hardware types.

Technical Anatomy of the Nexcorium Malware

Nexcorium is far more than a simple script; it is a robust, scalable Mirai evolution. Upon a successful compromise, the malware “flags” its territory by displaying the message: “nexuscorp has taken control.”

The malware’s architecture is built for stealth and longevity, featuring several sophisticated components:

  • Obfuscated Configuration: The malware utilizes XOR encoding to mask its Command-and-Control (C2) infrastructure, embedded exploits, and attack instructions, making signature-based detection more difficult.
  • Modular Design: It operates through separate modules, including a watchdog (to ensure the process stays alive), a scanner (to find new victims), and an attack module (to execute DDoS commands).
  • Extensive Attack Surface: Beyond the initial DVR exploit, Nexcorium carries a built-in exploit for CVE-2017-17215, specifically targeting vulnerable Huawei HG532 routers.
  • Credential Brute-Forcing: It maintains a hard-coded list of common default credentials to aggressively target weak Telnet services across the IoT ecosystem.
XOR-Encoded configuration with the key 0x13 (Source: FortiGuard Labs).
XOR-Encoded configuration with the key 0x13 (Source: FortiGuard Labs).

Persistence and Evasion Tactics

To prevent being cleared out by a simple reboot, Nexcorium employs an aggressive multi-layered persistence strategy:

  • System File Manipulation: It modifies /etc/inittab and /etc/rc.local to ensure the malware launches automatically on boot.
  • Service Creation: It installs a systemd service named persist.service for continuous operational state.
  • Scheduled Tasks: It utilizes cron jobs to re-trigger execution periodically.

Perhaps most impressive is its self-healing capability. The malware uses the FNV-1a hashing algorithm to perform integrity checks on its own binary. If it detects that a security tool has tampered with or deleted its file, it immediately replicates itself under a new filename and deletes the original to confuse forensic investigators.

DDoS Capabilities and Orchestration

Nexcorium is a powerful weapon in the DDoS arsenal. Controlled remotely via a C2 server (identified as r3brqw3d[.]b0ats[.]top), the botnet can be commanded to launch a variety of high-impact attacks, including:

Attack method to parse commands from the C2 server (Source: FortiGuard Labs).

Attack method to parse commands from the C2 server (Source: FortiGuard Labs).
  • Protocol Floods: Massive UDP and TCP (SYN, ACK, PSH, URG) floods.
  • Application Layer Attacks: SMTP flood attacks to disrupt mail services.
  • Amplification Vectors: VSE query and UDP blast techniques to maximize traffic volume.

Mitigation Strategies: Protecting Your IoT Perimeter

The emergence of Nexcorium highlights a dangerous trend: threat actors are “chaining” modern vulnerabilities like CVE-2024-3721 with legacy exploits and brute-force techniques to ensure maximum infection rates. To defend against this evolving threat, organizations and home users should adopt the following posture:

  • Firmware Hygiene: Immediately apply security patches to all DVRs, routers, and IoT devices.
  • Disable Unnecessary Services: Turn off Telnet and any unneeded web management interfaces that are exposed to the public internet.
  • Credential Hardening: Move away from default manufacturer passwords. Use strong, unique credentials for every device.
  • Network Segmentation: Place IoT devices on a separate VLAN to prevent lateral movement within your network in the event of a compromise.
  • Traffic Monitoring: Implement anomaly detection to spot the unusual outbound traffic patterns typical of an infected botnet node.

As the IoT ecosystem continues to grow, proactive defense and continuous monitoring remain our only effective shields against highly orchestrated botnet campaigns like Nexcorium.

Related Articles

Back to top button