Malware | Apr 17, 2026

New Mirai Variant Nexcorium Hijacks DVR Devices for DDoS Attacks

Fortinet discovers Nexcorium, a Mirai variant targeting TBK DVR devices for botnet-based DDoS attacks.

Summary

Fortinet's FortiGuard Labs has identified Nexcorium, a new Mirai-based malware targeting TBK DVR systems (DVR-4104 and DVR-4216 models) to build a botnet for DDoS attacks. The malware exploits CVE-2024-3721, a command injection vulnerability in these devices, and uses hardcoded passwords for lateral movement across connected IoT devices. Attributed to the Nexus Team, Nexcorium demonstrates multi-architecture support, persistence mechanisms, and the ability to launch large-scale DDoS campaigns.

Full text

By Deeba Ahmed, April 17, 2026

Cybersecurity researchers at Fortinet have discovered Nexcorium, a new Mirai-based malware targeting TBK DVR systems to turn them into a botnet for DDoS attacks.

Cybersecurity researchers at Fortinet’s FortiGuard Labs have found new malware that is taking over smart devices across the globe. This threat, named Nexcorium, is a new version of the infamous Mirai malware. It is built to create a botnet, a large network of infected IoT devices and gadgets that hackers control to carry out large-scale DDoS attacks.

How the hackers gain access

FortiGuard Labs’ security analysts have found that the key targets in this campaign are video recording boxes used for security cameras, particularly the TBK DVR-4104 and DVR-4216 models. That is probably because these devices are rarely updated and have weak security settings, which makes them easier to compromise.

According to researchers, attackers are abusing CVE-2024-3721, a command injection vulnerability in these specific devices, which allows them to run malicious code and gain persistent remote access.

After a successful compromise, a message is shown on the system saying “NexusCorp has taken control.” This gives away the attackers’ identity, which, according to researchers, is the Nexus Team. They even leave a signature in the code that says “Nexus Team – Exploited By Erratic,” thus validating this attribution.

Malware Capabilities

In their blog post shared with Hackread.com ahead of publishing on Friday, Vincent Li of FortiGuard Labs noted that Nexcorium is a “multi-architecture” malware, which means it can work on different processors. The malware is also difficult to get rid of because it copies itself into several different folders. It then sets up automatic tasks so that if the device is turned off and on again, the malware just starts back up, and even deletes its own original files to hide from anyone trying to find it.

To extend the botnet, the malware tries to compromise other smart devices in the same building. For this purpose, it uses a long built-in list of basic passwords such as “admin123”, “12345” and “guest”. Nexcorium brute-forces these passwords, trying them one by one to see if it can log into other routers or cameras.

Figure: List of hardcoded passwords used for brute forcing (Credit: Fortinet)

DDoS Attacks

The main purpose of this entire exercise is to launch Distributed Denial of Service (DDoS) attacks, in which thousands of infected devices flood a website with so much fake traffic that it crashes and stops working.

Researchers noted that Nexcorium malware displays “typical traits of modern IoT-focused botnets, combining vulnerability exploitation, support for multiple architectures, and various persistence methods to sustain long-term access to infected systems. Its use of known exploits, such as CVE-2017-17215, along with extensive brute-force capabilities, underscores its adaptability and efficacy in increasing its infection reach.”

Since Nexcorium can run on many different types of hardware, it is a high-level threat to any organisation using these recording boxes. Therefore, changing default passwords and keeping software updated is the best way to stay safe.

“The Nexcorium campaign is a precise illustration of why automated scanning alone cannot close the exposure gap. Machine speed analysis tells you a vulnerability exists, but a human researcher’s depth tells you how an adversary will chain it, weaponize it, and sustain access long after the initial alert fires,” said Trey Ford, Chief Strategy and Trust Officer at Bugcrowd, a San Francisco, Calif.-based crowdsourced cybersecurity company.

“What organizations need is continuous adversarial testing that mirrors actual attacker behavior across the full asset inventory, including the devices that security teams have quietly placed out of scope,” he advised. “While classically true of professional attackers, the next generation of security defense programs will be defined by how aggressively they test the edges, not just the crown jewels.”
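The password-guessing spread described in the article shows up in device login logs as one LAN host failing logins against several neighbouring devices in quick succession. The following detection sketch is an added example, not code from Fortinet or from the original article; the log format, addresses, thresholds and function names are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample auth log (hypothetical format, not from the Fortinet report).
SAMPLE_LOG = """\
2026-04-17T10:00:01 src=192.168.1.50 dst=192.168.1.1 user=admin result=fail
2026-04-17T10:00:02 src=192.168.1.50 dst=192.168.1.1 user=guest result=fail
2026-04-17T10:00:04 src=192.168.1.50 dst=192.168.1.10 user=admin result=fail
2026-04-17T10:00:05 src=192.168.1.23 dst=192.168.1.1 user=admin result=fail
2026-04-17T10:00:06 src=192.168.1.50 dst=192.168.1.10 user=support result=fail
2026-04-17T10:00:08 src=192.168.1.50 dst=192.168.1.11 user=admin result=fail
2026-04-17T10:00:09 src=192.168.1.50 dst=192.168.1.11 user=guest result=ok
2026-04-17T10:01:00 src=203.0.113.7 dst=192.168.1.1 user=root result=fail
"""
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) user=\S+ result=(ok|fail)$")

def parse(log_text):
    """Return sorted (time, src, dst, result) tuples, skipping malformed lines."""
    events = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        try:
            ip_address(m[2])  # reject lines whose source is not a valid IP
            events.append((datetime.fromisoformat(m[1]), m[2], m[3], m[4]))
        except ValueError:
            continue
    return sorted(events)

def find_lateral_bruteforce(log_text, lan="192.168.1.0/24",
                            window=timedelta(seconds=60), min_failures=5, min_targets=2):
    """Flag LAN hosts whose failed logins hit both thresholds inside one sliding window."""
    net, per_src = ip_network(lan), defaultdict(list)
    for ts, src, dst, result in parse(log_text):
        if ip_address(src) in net:  # only hosts inside the monitored segment
            per_src[src].append((ts, dst, result))
    flagged = {}
    for src, events in per_src.items():
        fails = [(ts, dst) for ts, dst, result in events if result == "fail"]
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1  # slide the window forward
            burst = fails[start:end + 1]
            targets = {dst for _, dst in burst}
            if len(burst) >= min_failures and len(targets) >= min_targets:
                hit = sorted({d for ts, d, r in events if r == "ok" and ts >= burst[0][0]})
                flagged[src] = {"failures": len(burst), "targets": sorted(targets), "succeeded_on": hit}
    return flagged
```

A non-empty `succeeded_on` list marks devices where a guess appears to have worked; those are the ones to isolate and re-credential first.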

Indicators of Compromise

  • malware — Nexcorium
  • cve — CVE-2024-3721
  • cve — CVE-2017-17215

Entities

  • Fortinet (vendor)
  • TBK DVR-4104 (product)
  • TBK DVR-4216 (product)
  • Nexus Team (threat_actor)
  • Nexcorium (campaign)