Threat actors exploit TBK DVR and TP-Link routers to spread Mirai botnets


Vulnerable Internet of Things (IoT) devices, including TBK digital video recorders and end-of-life TP-Link routers, are being actively targeted to deploy variants of the Mirai botnet.

According to Fortinet FortiGuard Labs, attackers are exploiting a known vulnerability (CVE-2024-3721) affecting TBK DVR-4104 and DVR-4216 devices. The flaw enables command injection, allowing threat actors to install a Mirai-based malware strain dubbed Nexcorium.

The attack chain begins with the exploitation of the TBK flaw to download a script that identifies the device’s Linux architecture and executes the appropriate malware payload. Once infected, devices display the message “nexuscorp has taken control.”

Nexcorium comes with functionality similar to earlier Mirai variants, including obfuscated configuration data, watchdog functionality, and DDoS capabilities. It also incorporates an exploit for CVE-2017-17215, allowing it to spread further by targeting Huawei HG532 routers.

In addition, the malware uses hard-coded credentials to conduct brute-force attacks over Telnet. If successful, it establishes persistence via system tools such as crontab and systemd, connects to command-and-control servers, and awaits instructions to launch attacks using UDP, TCP, or SMTP protocols. To evade detection, Nexcorium removes its initial binary after installation.
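The behaviours described in the two paragraphs above (Telnet credential brute-forcing, persistence through crontab and systemd, and deletion of the on-disk binary after launch) each leave artefacts a defender can check for. The following is an added example, not code from the article or from Fortinet, that runs three such checks over constructed sample data: a short login-failure log, a crontab, a systemd unit, and a snapshot of `/proc/<pid>/exe` link targets. The log format, the five-failures-per-minute threshold, and the list of "suspicious" directories are assumptions chosen for illustration, not values taken from the article.

```python
"""Detection checks for Mirai-style IoT infections (added example).

Assumptions (not from the article): a BusyBox-style login log line format,
a brute-force threshold of 5 failures within 60 seconds, and the rule that
executables launched from temp/shared-memory directories are suspicious.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample login-failure log (not from any real device).
SAMPLE_AUTH_LOG = """\
2024-06-01T10:00:01 login[812]: FAILED LOGIN from 203.0.113.5 for root
2024-06-01T10:00:02 login[813]: FAILED LOGIN from 203.0.113.5 for admin
2024-06-01T10:00:03 login[814]: FAILED LOGIN from 203.0.113.5 for root
2024-06-01T10:00:04 login[815]: FAILED LOGIN from 203.0.113.5 for support
2024-06-01T10:00:05 login[816]: FAILED LOGIN from 203.0.113.5 for admin
2024-06-01T10:00:06 login[817]: FAILED LOGIN from 203.0.113.5 for root
2024-06-01T10:05:00 login[900]: FAILED LOGIN from 198.51.100.7 for root
2024-06-01T10:30:00 login[901]: FAILED LOGIN from 198.51.100.7 for root
"""

# Constructed sample crontab and systemd unit (hypothetical paths).
SAMPLE_CRONTAB = """\
# constructed sample /etc/crontabs/root
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
@reboot /tmp/.x/arm7 > /dev/null 2>&1
* * * * * /var/tmp/sysd
"""

SAMPLE_UNIT = """\
[Unit]
Description=System Daemon
[Service]
ExecStart=/dev/shm/.update
Restart=always
[Install]
WantedBy=multi-user.target
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ FAILED LOGIN from (?P<src>\S+) for (?P<user>\S+)$"
)
# Directories from which a legitimate daemon is rarely started (assumption).
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def telnet_bruteforce_sources(log_text, threshold=5, window_seconds=60):
    """Return source IPs with >= threshold failed logins inside any
    sliding window of window_seconds (sorted list)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events[m["src"]].append(datetime.fromisoformat(m["ts"]))
    window = timedelta(seconds=window_seconds)
    flagged = set()
    for src, times in events.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Advance the window start until it fits inside window_seconds.
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return sorted(flagged)


def suspicious_crontab_entries(crontab_text):
    """Return crontab lines whose command runs from a suspicious directory."""
    hits = []
    for line in crontab_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        # '@reboot cmd' has one schedule field; otherwise five fields precede cmd.
        parts = s.split(None, 1) if s.startswith("@") else s.split(None, 5)
        cmd = parts[-1] if len(parts) > 1 else ""
        if cmd.startswith(SUSPICIOUS_DIRS):
            hits.append(s)
    return hits


def suspicious_unit_execstart(unit_text):
    """Return the ExecStart executable if it lives in a suspicious directory."""
    for line in unit_text.splitlines():
        if line.startswith("ExecStart="):
            # Strip systemd's optional prefix characters (-, @, +, !, :).
            exe = line.split("=", 1)[1].strip().split()[0].lstrip("-@+!:")
            if exe.startswith(SUSPICIOUS_DIRS):
                return exe
    return None


def deleted_binary_processes(proc_exe_links):
    """Given {pid: readlink('/proc/<pid>/exe')}, return PIDs whose binary was
    removed from disk after launch, which the article notes this malware does."""
    return sorted(p for p, t in proc_exe_links.items() if t.endswith("(deleted)"))


if __name__ == "__main__":
    print("brute-force sources:", telnet_bruteforce_sources(SAMPLE_AUTH_LOG))
    print("crontab hits:", suspicious_crontab_entries(SAMPLE_CRONTAB))
    print("unit ExecStart:", suspicious_unit_execstart(SAMPLE_UNIT))
    print("deleted binaries:", deleted_binary_processes(
        {"1": "/sbin/init", "4242": "/tmp/.x/arm7 (deleted)"}))
```

On a live device the same functions can be fed the real login log, the contents of `/etc/crontabs/*` and `/etc/systemd/system/*.service`, and a dictionary built from `os.readlink` over `/proc/*/exe`; the thresholds and directory list should be tuned to the device's normal baseline before alerting on them.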

Separately, Palo Alto Networks' Unit 42 said it observed automated scans and probes attempting to exploit a flaw (CVE-2023-33538) affecting end-of-life TP-Link Wi-Fi router models.
