Mirai Variant Nexcorium Exploits DVR Flaw to Build DDoS Botnet
A new Mirai botnet variant, 'Nexcorium,' is exploiting a command injection flaw (CVE-2024-3721) in TBK DVRs and end-of-life TP-Link routers to conscript devices into a distributed denial-of-service (DDoS) swarm.

Executive Summary
A new variant of the Mirai botnet, dubbed Nexcorium, is actively exploiting a known command injection vulnerability in TBK DVR devices to build a distributed denial-of-service (DDoS) army. The campaign, documented by Fortinet FortiGuard Labs and Palo Alto Networks Unit 42, also targets end-of-life TP-Link routers, leveraging their widespread exposure and lack of security updates. The primary vulnerability, CVE-2024-3721, allows unauthenticated remote code execution, enabling the attackers to download and execute the Nexcorium malware payload, which is designed to launch TCP and UDP flood attacks.
Technical Analysis
The attack chain begins with the exploitation of CVE-2024-3721, a medium-severity (CVSS 6.3) command injection flaw in the web interface of TBK DVR models. According to researchers, the vulnerability exists due to improper neutralization of special elements used in an OS command. An unauthenticated attacker can send a crafted HTTP GET request to a specific endpoint (/cgi-bin/mft/wireless_mft) with malicious shell metacharacters in the ssid parameter, leading to arbitrary command execution.
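The request pattern described above (a GET to /cgi-bin/mft/wireless_mft carrying shell metacharacters in the ssid parameter) is something a defender can hunt for in web-server or reverse-proxy logs in front of a DVR. The following Python is an added detection example written for this page, not code from Fortinet, Unit 42 or the TBK firmware; the log format (Apache/nginx combined style), the thresholds and the sample log lines are constructed assumptions. It flags only requests to that endpoint whose ssid value contains shell metacharacters, decoding the value a second time to catch double-encoded attempts.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint and parameter named in the advisory for CVE-2024-3721 (TBK DVR web interface).
VULNERABLE_PATH = "/cgi-bin/mft/wireless_mft"
SUSPECT_PARAM = "ssid"

# Shell metacharacters that have no business in a Wi-Fi SSID submitted to this endpoint.
SHELL_META = re.compile(r"[;|&`$<>\n]")

# Minimal parser for Apache/nginx "combined"-style access-log lines (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)

# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jun/2024:12:00:01 +0000] "GET /cgi-bin/mft/wireless_mft?ssid=abc%3B%20echo%20x HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jun/2024:12:00:05 +0000] "GET /cgi-bin/mft/wireless_mft?ssid=HomeWiFi HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.4 - - [10/Jun/2024:12:00:09 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [10/Jun/2024:12:00:12 +0000] "GET /cgi-bin/mft/wireless_mft?ssid=abc%253B%2520echo HTTP/1.1" 200 512 "-" "curl/8.0"',
]


def parse_line(line):
    """Return the fields of one access-log line, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_exploit_attempt(target):
    """True when the request target hits the DVR endpoint with shell metacharacters in ssid."""
    parts = urlsplit(target)
    if parts.path != VULNERABLE_PATH:
        return False
    # parse_qs already percent-decodes once; keep blank values so "ssid=" is still seen.
    qs = parse_qs(parts.query, keep_blank_values=True)
    for value in qs.get(SUSPECT_PARAM, []):
        # Decode once more to catch double-encoded payloads (e.g. %253B -> %3B -> ;).
        if SHELL_META.search(unquote(value)):
            return True
    return False


def scan_log(lines):
    """Return (client_ip, request_target) for every line that looks like an exploitation attempt."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "GET" and is_exploit_attempt(rec["target"]):
            hits.append((rec["ip"], rec["target"]))
    return hits


if __name__ == "__main__":
    for ip, target in scan_log(SAMPLE_LOG):
        print(f"possible CVE-2024-3721 attempt from {ip}: {target}")
```

Because the check is tied to the exact path and parameter, it produces few false positives on legitimate SSID changes; a broader rule would also watch for the same metacharacters in any parameter of the DVR's CGI endpoints.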
Upon successful exploitation, the attacker's script downloads and executes the Nexcorium binary from a remote server. The malware is a classic Mirai variant, written in C and compiled for multiple architectures (e.g., ARM, MIPS, x86) to maximize its reach across the Internet of Things (IoT) landscape. Once installed, it terminates competing processes, establishes persistence, and connects to a command-and-control (C2) server to await instructions. The primary function of the bot is to conduct DDoS attacks, specifically TCP ACK flood and UDP flood attacks, overwhelming target networks with malicious traffic.
Separately, the campaign targets end-of-life TP-Link Archer C20 and C2EU routers. The exact vulnerability exploited on these devices is not specified in the available sources, but it is implied to be a known, unpatched flaw. The infection vector and subsequent payload deployment follow a similar pattern to the DVR attacks.
Tactics, Techniques & Procedures
The attackers employ a consistent set of techniques to compromise devices and maintain their botnet:
- Initial Access: Exploitation of Public-Facing Application (T1190) via CVE-2024-3721 in TBK DVRs and likely known vulnerabilities in EoL TP-Link routers.
- Execution: Command and Scripting Interpreter (T1059) – specifically Unix Shell (T1059.004) – to execute downloaded scripts and binaries.
- Persistence: Create or Modify System Process (T1543) by installing the Nexcorium binary as a persistent service.
- Defense Evasion: Process Injection (T1055) and Impair Defenses (T1562) by killing processes associated with other malware or security tools on the compromised device.
- Command and Control: Application Layer Protocol (T1071) using a custom protocol over TCP to communicate with the C2 infrastructure.
- Impact: Network Denial of Service (T1498) via TCP/UDP flood attacks.
Threat Actor Context
The specific threat actor behind the Nexcorium campaign is not identified. The activity is consistent with financially motivated or access-for-hire botnet operators who continuously scan for and exploit vulnerable, internet-exposed IoT devices. The reuse and modification of the Mirai source code, which has been publicly available since 2016, lowers the barrier to entry for such operations. The choice of targets—mass-produced DVRs and consumer routers that are often poorly maintained or past end-of-life—reflects a strategy of pursuing low-hanging fruit to build a large, disposable botnet for DDoS attacks or to sell as an attack platform.
Mitigations & Recommendations
Organizations and individuals should take the following steps to defend against this and similar IoT botnet campaigns:
- Patch and Update: Immediately apply available firmware updates for TBK DVR devices to address CVE-2024-3721. If no patch is available from the vendor, consider isolating or replacing the device.
- Retire EoL Hardware: Remove end-of-life devices like the specified TP-Link routers from production networks. They no longer receive security updates and represent a critical, persistent risk.
- Network Segmentation: Isolate IoT and operational technology (OT) devices on dedicated network segments with strict inbound and outbound firewall rules, denying all unnecessary internet access.
- Change Default Credentials: Ensure all devices have strong, unique passwords set, as default credentials are a common initial access vector for Mirai-like malware.
- Continuous Monitoring: Implement network monitoring for anomalous outbound traffic patterns, such as large volumes of UDP or TCP packets originating from internal devices, which may indicate a compromised device participating in a DDoS attack.
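The last recommendation above can be turned into a concrete check over flow records. The following Python is an added example written for this page, not a tool from the cited vendors; the flow-record fields, the internal address ranges, the 60-second window and the packets-per-second and protocol-ratio thresholds are constructed assumptions to be tuned per network. It aggregates outbound traffic per internal source and flags a host whose packet rate is high and made up almost entirely of UDP (UDP flood) or ACK-only TCP segments (TCP ACK flood), which are the two attack types the Nexcorium bot is reported to launch.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed internal ranges; replace with the IoT/OT segments actually in use.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

WINDOW = 60.0          # seconds per aggregation bucket (assumption)
PPS_THRESHOLD = 2000   # packets/second above which a single IoT host is suspicious (assumption)
UDP_RATIO = 0.9        # share of UDP packets that marks a UDP flood (assumption)
ACK_ONLY_RATIO = 0.9   # share of ACK-only TCP packets that marks an ACK flood (assumption)


@dataclass
class Flow:
    """One exported flow record (NetFlow/IPFIX-style summary), fields as assumed here."""
    ts: float      # start time, seconds since epoch
    src: str
    dst: str
    proto: str     # "TCP" or "UDP"
    dport: int
    packets: int
    flags: str     # TCP flag letters, e.g. "A" for ACK only, "AP" for ACK+PSH


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def summarize(flows, window=WINDOW):
    """Bucket outbound (internal -> external) packets per source host and time window."""
    buckets = defaultdict(lambda: {"pkts": 0, "udp": 0, "ack_only": 0, "dsts": set()})
    for f in flows:
        if not is_internal(f.src) or is_internal(f.dst):
            continue  # only internal hosts talking to the internet matter here
        b = buckets[(f.src, int(f.ts // window))]
        b["pkts"] += f.packets
        b["dsts"].add(f.dst)
        if f.proto == "UDP":
            b["udp"] += f.packets
        elif f.proto == "TCP" and f.flags == "A":
            b["ack_only"] += f.packets
    return buckets


def detect_floods(flows, window=WINDOW):
    """Return one alert per (source, window) whose outbound traffic looks like a DDoS flood."""
    alerts = []
    for (src, bucket), b in summarize(flows, window).items():
        pps = b["pkts"] / window
        if pps < PPS_THRESHOLD:
            continue
        if b["udp"] / b["pkts"] >= UDP_RATIO:
            kind = "udp_flood"
        elif b["ack_only"] / b["pkts"] >= ACK_ONLY_RATIO:
            kind = "tcp_ack_flood"
        else:
            continue
        alerts.append({"src": src, "window": bucket, "kind": kind,
                       "pps": round(pps), "targets": len(b["dsts"])})
    return sorted(alerts, key=lambda a: (a["src"], a["window"]))


# Constructed sample flows: a DVR (192.168.1.50) blasting UDP, a router (192.168.1.51)
# sending ACK-only segments, and a workstation (192.168.1.20) browsing normally.
SAMPLE_FLOWS = [
    Flow(0.0, "192.168.1.50", "203.0.113.10", "UDP", 53, 60000, ""),
    Flow(5.0, "192.168.1.50", "203.0.113.10", "UDP", 123, 60000, ""),
    Flow(9.0, "192.168.1.50", "203.0.113.11", "UDP", 80, 60000, ""),
    Flow(2.0, "192.168.1.51", "198.51.100.5", "TCP", 443, 150000, "A"),
    Flow(3.0, "192.168.1.20", "198.51.100.9", "TCP", 443, 500, "AP"),
    Flow(4.0, "203.0.113.77", "192.168.1.20", "TCP", 443, 500, "AP"),  # inbound, ignored
]


if __name__ == "__main__":
    for a in detect_floods(SAMPLE_FLOWS):
        print(f"{a['kind']} from {a['src']} (~{a['pps']} pps, {a['targets']} target(s))")
```

Per-host packet rate alone would also catch legitimate bulk transfers, which is why the protocol and flag ratios are used as a second condition; real deployments would additionally baseline each device's normal rate rather than use one fixed threshold.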