(fortinet.com) Nexcorium: Mirai-Based Botnet Exploiting TBK DVR Vulnerability CVE-2024-3721 for DDoS Campaigns
-
The active Mirai-based botnet 'Nexcorium' exploits CVE-2024-3721 in TBK DVR devices to build DDoS capacity. It is attributed to the 'Nexus Team' on the basis of a custom HTTP header present in the exploit traffic.
In brief - FortiGuard Labs uncovered a Mirai variant targeting unpatched TBK DVR devices through OS command injection (CVE-2024-3721). Nexcorium establishes persistence, ships architecture-specific payloads, and takes DDoS commands from the C2 at r3brqw3d[.]b0ats[.]top. The same threat actor, 'Nexus Team', also embeds an exploit for CVE-2017-17215 in Huawei HG532 routers.
Technically - Nexcorium is deployed via CVE-2024-3721, a command injection reached by manipulating the TBK DVR mdb/mdc arguments. A downloader script fetches architecture-specific binaries (ARM/MIPS/x86-64) whose configuration is XOR-encoded with single-byte keys (0x13 and 0xFD) and holds the C2 address, the Telnet brute-force credential list, and the DDoS command set. Persistence is established through /etc/inittab, rc.local, a systemd service, and crontab. The malware brute-forces Telnet logins and supports 10 DDoS methods (UDP, TCP and SMTP floods, and a VSE query flood). It also runs a self-integrity check using FNV-1a hashing to detect tampering with its own binary.
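The following is an added example, not code from the Fortinet report or from the Nexcorium sample. It shows the two operations an analyst performs on a Mirai-style XOR-obfuscated config of the kind described above: decoding entries with a known single-byte key (0x13 and 0xFD are the values the report names; which strings use which key is not stated, so the assignment below is an assumption) and recovering an unknown key from a guessed plaintext. It also includes a plain 32-bit FNV-1a so the hash named for the self-integrity check can be computed over a buffer; how the binary applies it is not reproduced. The encoded blobs are constructed here from placeholder strings, and the real C2 and credential list are not included.

```python
import string

# Single-byte keys reported for Nexcorium's config. Which strings use which key
# is not stated in the report; the assignment in SAMPLE_ENTRIES is an assumption.
KEY_A = 0x13
KEY_B = 0xFD


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same single-byte key (self-inverse, so it encodes too)."""
    return bytes(b ^ key for b in data)


# Constructed sample entries: placeholder plaintexts encoded with the keys above.
# In a real sample these bytes sit in the binary's config table.
SAMPLE_ENTRIES = {
    "c2":    xor_bytes(b"c2.example.invalid:1337", KEY_A),  # placeholder, not the real C2
    "cred":  xor_bytes(b"root:xc3511", KEY_B),              # classic Mirai default pair
    "shell": xor_bytes(b"/bin/busybox", KEY_A),
}

PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def is_printable(data: bytes) -> bool:
    """True when every byte is printable ASCII (no control characters)."""
    return bool(data) and all(b in PRINTABLE for b in data)


def recover_key_known_plaintext(enc: bytes, guess: bytes):
    """If `guess` is the plaintext prefix of `enc`, enc[i] ^ guess[i] must be the
    same byte for every i; that byte is the key. Returns None when the guess
    does not fit, which rules it out without any further decoding."""
    if not guess or len(guess) > len(enc):
        return None
    key = enc[0] ^ guess[0]
    if all(e ^ g == key for e, g in zip(enc, guess)):
        return key
    return None


def candidate_keys(enc: bytes):
    """Brute force all 256 keys and keep those yielding fully printable output.
    For short strings more than one key can survive, which is why the
    known-plaintext route above is what actually pins the key down."""
    return [k for k in range(256) if is_printable(xor_bytes(enc, k))]


def decode_config(entries: dict, keys):
    """Decode each entry with the first key in `keys` that gives printable text.
    Returns {name: (key, plaintext)}; entries no key fits are left out."""
    decoded = {}
    for name, enc in entries.items():
        for k in keys:
            plain = xor_bytes(enc, k)
            if is_printable(plain):
                decoded[name] = (k, plain.decode("ascii"))
                break
    return decoded


def fnv1a32(data: bytes) -> int:
    """32-bit FNV-1a: XOR each byte into the state, then multiply by the FNV prime.
    A self-integrity check compares this over a code region against a stored value."""
    h = 0x811C9DC5
    for b in data:
        h ^= b
        h = (h * 0x01000193) & 0xFFFFFFFF
    return h


if __name__ == "__main__":
    # Pin the key from a string that almost every Mirai descendant carries,
    # then decode the rest of the constructed table with the reported keys.
    pinned = recover_key_known_plaintext(SAMPLE_ENTRIES["shell"], b"/bin/busybox")
    print("key recovered from /bin/busybox:", hex(pinned))
    for name, (k, plain) in decode_config(SAMPLE_ENTRIES, [KEY_A, KEY_B]).items():
        print(f"{name:6} key={k:#04x} {plain}")
    print("fnv1a32(b'a') =", hex(fnv1a32(b"a")))
```

The known-plaintext step is the reliable one: a printable-output brute force narrows the key space but, on strings a dozen bytes long, several keys can still produce printable text, so anchor on a string the family is known to carry (a busybox path, a default credential) and confirm the result decodes the other entries cleanly.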