A newly discovered Mirai malware variant named Nexcorium is actively targeting unpatched Internet of Things (IoT) devices.
According to recent threat research from FortiGuard Labs, attackers are exploiting a severe vulnerability in TBK DVR systems to build a massive botnet capable of launching destructive distributed denial-of-service (DDoS) attacks.
The campaign primarily focuses on CVE-2024-3721, a high-severity operating system command injection flaw affecting TBK DVR-4104 and DVR-4216 models. Hackers use this weakness to bypass security and deliver a malicious downloader script.
During their analysis, FortiGuard Labs researchers found a custom HTTP header in the attack traffic reading “X-Hacked-By: Nexus Team – Exploited By Erratic.”
This unique fingerprint strongly links the malicious activity to an emerging threat actor identified as the “Nexus Team.”
Malware Behavior and Rapid Spread
Once the initial script is deployed, it fetches the Nexcorium payload. The malware is highly adaptable, designed to infect multiple Linux device architectures, including ARM, MIPS, and x86-64.
Upon successful execution, the malware prints the message “nexuscorp has taken control.”
Nexcorium operates much like traditional Mirai botnets but brings aggressive spreading techniques. After infecting a host device, it immediately begins scanning the internet for other vulnerable targets.
It comes packed with a secondary exploit (CVE-2017-17215) specifically aimed at hijacking Huawei HG532 routers. Furthermore, the malware carries a hard-coded dictionary of weak default passwords, such as “admin,” “12345,” and “guest,” to brute-force its way into other exposed devices over Telnet.

To ensure it survives device reboots and security checks, Nexcorium uses a multi-layered approach to persistence. After copying itself into deep system folders, it sets up several backup mechanisms:
- Init Configuration: It alters the /etc/inittab file to force the malicious process to restart if it ever stops.
- Startup Scripts: It modifies local startup files to guarantee execution the moment the system boots.
- Systemd Services: It creates a hidden background service that runs automatically without user interaction.
- Cron Jobs: It schedules routine system tasks to relaunch the malware periodically.
After securing its permanent foothold, Nexcorium deletes its original installation files to hide its tracks from security analysts and antivirus scanners.
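The inittab and cron persistence described above leaves entries an administrator can audit. The following script is an added example, not FortiGuard Labs' code or a Nexcorium indicator: it parses inittab and crontab text and flags respawn or scheduled entries that launch executables from world-writable directories. The SUSPECT_DIRS heuristic and both sample files are constructed for the demo.

```python
import re

# Directories from which init- or cron-launched daemons rarely run legitimately.
# Assumption for this example: the firmware's own services live under /usr, /bin or /sbin.
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

def _lines(text):
    """Return non-empty, non-comment lines with surrounding whitespace removed."""
    return [l for l in map(str.strip, text.splitlines()) if l and not l.startswith("#")]

def parse_inittab(text):
    """Split inittab text into (id, runlevels, action, process) tuples."""
    rows = [line.split(":", 3) for line in _lines(text)]
    return [tuple(r) for r in rows if len(r) == 4]

def suspicious_inittab(text):
    """Flag respawn entries that relaunch an executable from a writable directory."""
    hits = []
    for ident, _levels, action, process in parse_inittab(text):
        exe = process.split()[0] if process.strip() else ""
        if action == "respawn" and exe.startswith(SUSPECT_DIRS):
            hits.append((ident, exe))
    return hits

def suspicious_cron(text):
    """Flag cron lines (five time fields or @reboot-style) whose command touches a writable directory."""
    hits = []
    for line in _lines(text):
        m = re.match(r"^(@\w+|(?:\S+\s+){5})(.*)$", line)
        if m and any(d in m.group(2) for d in SUSPECT_DIRS):
            hits.append((m.group(1).strip(), m.group(2).strip()))
    return hits

# Constructed sample files for the demo; not captured from a real infection.
SAMPLE_INITTAB = """# BusyBox-style inittab
::sysinit:/etc/init.d/rcS
::respawn:/sbin/getty -L ttyS0 115200 vt100
::respawn:/tmp/.x/nex
"""
SAMPLE_CRONTAB = """0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * /var/tmp/.cache/run >/dev/null 2>&1
@reboot /dev/shm/.d/start
"""

if __name__ == "__main__":
    print("inittab:", suspicious_inittab(SAMPLE_INITTAB))
    print("cron:   ", suspicious_cron(SAMPLE_CRONTAB))
```

Because the malware deletes its original files after installing, the surviving persistence entries are often the only on-disk clue; run the same checks against /etc/inittab and the crontab files actually present on the device.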

The ultimate goal of the Nexcorium botnet is to launch devastating DDoS attacks. The malware communicates with a remote command-and-control server to receive its targeting orders.
FortiGuard Labs noted that Nexcorium is highly versatile, supporting over ten different attack methods, including UDP floods, TCP SYN floods, and SMTP floods. This flexibility allows the Nexus Team to overwhelm various types of networks, applications, and web servers.
Mitigation Strategies
As IoT botnets continue to grow in scale, organizations and administrators must take proactive steps to defend their networks:
- Apply the latest vendor firmware patches to all DVRs, routers, and IoT hardware.
- Replace all default device credentials with strong, unique passwords to block brute-force attempts.
- Disable external Telnet access and restrict internet exposure for critical networked devices.
- Monitor network traffic for unusual outbound connections, particularly automated scanning behavior.