Security researchers at FortiGuard Labs have uncovered a sophisticated campaign deploying Nexcorium, a multi-architecture Mirai variant that turns unpatched digital video recorders (DVRs) into foot soldiers for a global botnet.
The campaign underscores a sobering reality in modern infrastructure: “IoT devices are increasingly prime targets for large-scale attacks due to their widespread use, lack of patching, and often weak security settings”.
The attackers gained their foothold by targeting CVE-2024-3721, a critical OS command injection vulnerability found in TBK DVR devices. By manipulating specific mdb and mdc arguments in HTTP POST requests, the threat actors were able to force the devices to download and execute a malicious shell script.
One unusual signature left by the attackers was a custom HTTP header: X-Hacked-By: Nexus Team – Exploited By Erratic. Based on this specific artifact, researchers have linked the activity to an emerging threat group identified as the “Nexus Team”.
Once the initial “dvr” downloader script takes root, it fetches specialized malware samples tailored to the device’s architecture—ranging from ARM and MIPS to x86-64. These samples, named with the prefix “nexuscorp,” represent the core of the Nexcorium malware.
Technical analysis reveals that “Nexcorium has a similar architecture to the Mirai variant, including XOR-encoded configuration table initialization, watchdog module, and DDoS attack module”.
To broaden its reach, Nexcorium doesn’t stop at the initial infection. It carries its own arsenal for lateral movement and further expansion:
- Brute-Force Engine: The malware contains a hard-coded list of default usernames and passwords (such as admin123, hikvision, and support) used to hijack Telnet connections.
- Huawei Exploit: Notably, the malware includes an exploit for CVE-2017-17215, targeting Huawei HG532 devices.
Nexcorium is built for longevity. It employs a four-pronged approach to ensure it remains active even after system reboots:
- Inittab Modification: Updates /etc/inittab to ensure the process respawns automatically if stopped.
- Startup Scripts: Updates /etc/rc.local for execution at system startup.
- Systemd Integration: Creates a “persist.service” file to leverage modern Linux service management.
- Scheduled Tasks: Sets up a cron job via crontab to ensure the malware re-runs after a reboot.
To hinder forensic investigation, the malware retrieves its execution path and then “deletes its original binary from the current execution path to evade analysis”.
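The four persistence mechanisms and the self-deletion step above each leave a checkable trace on the device. The following audit script is an added example (not FortiGuard's tooling or the report's own code): it takes already-collected copies of /etc/inittab, /etc/rc.local, systemd unit files, the crontab and the readlink targets of /proc/<pid>/exe, and flags entries that respawn or schedule a binary from a scratch directory or carrying the "nexuscorp" name prefix, the "persist.service" unit name, and any running process whose on-disk binary has been unlinked (the kernel marks those with a trailing " (deleted)"). The scratch-directory heuristic and the sample artifacts are constructed for the example.

```python
import re

# Heuristic for this example (an assumption, not a FortiGuard indicator): a
# persistence entry is suspicious when it launches something from a
# world-writable scratch directory or a binary named with the "nexuscorp"
# prefix the report describes.
SUSPECT = re.compile(r"nexuscorp|(^|\s)/(tmp|var/tmp|dev/shm)/", re.IGNORECASE)


def audit_inittab(text):
    """/etc/inittab entries are id:runlevels:action:process; flag respawn entries."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 3)
        if len(fields) == 4 and fields[2] == "respawn" and SUSPECT.search(fields[3]):
            hits.append(("inittab", line))
    return hits


def audit_rc_local(text):
    """/etc/rc.local: any non-comment command line matching the heuristic."""
    return [("rc.local", l.strip()) for l in text.splitlines()
            if l.strip() and not l.strip().startswith("#") and SUSPECT.search(l)]


def audit_systemd(units):
    """units maps unit name -> unit file text. Flag the 'persist.service' name
    from the report and any ExecStart= that matches the heuristic."""
    hits = []
    for name, body in units.items():
        if name == "persist.service":
            hits.append(("systemd", f"{name}: unit name reported as a Nexcorium artifact"))
            continue
        for line in body.splitlines():
            if line.strip().startswith("ExecStart=") and SUSPECT.search(line):
                hits.append(("systemd", f"{name}: {line.strip()}"))
    return hits


def audit_crontab(text):
    """crontab: @reboot jobs, or any job whose command matches the heuristic."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@reboot") or SUSPECT.search(line):
            hits.append(("crontab", line))
    return hits


def audit_proc_exe(exe_links):
    """exe_links maps pid -> readlink('/proc/<pid>/exe'). The kernel appends
    ' (deleted)' once a running process's binary is unlinked, which is the
    trace the self-deletion step leaves behind."""
    return [("proc", f"pid {pid} runs deleted binary {target}")
            for pid, target in exe_links.items() if target.endswith(" (deleted)")]


def audit(artifacts):
    """Run every check over a dict of collected artifacts; return (source, detail) findings."""
    findings = []
    findings += audit_inittab(artifacts.get("inittab", ""))
    findings += audit_rc_local(artifacts.get("rc_local", ""))
    findings += audit_systemd(artifacts.get("systemd", {}))
    findings += audit_crontab(artifacts.get("crontab", ""))
    findings += audit_proc_exe(artifacts.get("proc_exe", {}))
    return findings


# Constructed sample artifacts (not real forensic data) for a quick self-check.
SAMPLE = {
    "inittab": "::sysinit:/etc/init.d/rcS\n::respawn:/sbin/getty 115200 ttyS0\n"
               "::respawn:/tmp/nexuscorp.arm\n",
    "rc_local": "#!/bin/sh\n/tmp/nexuscorp.arm &\nexit 0\n",
    "systemd": {"persist.service": "[Service]\nExecStart=/tmp/nexuscorp.arm\n",
                "ssh.service": "[Service]\nExecStart=/usr/sbin/sshd -D\n"},
    "crontab": "0 3 * * * /usr/bin/logrotate /etc/logrotate.conf\n"
               "@reboot /tmp/nexuscorp.arm\n",
    "proc_exe": {1: "/sbin/init", 4242: "/tmp/nexuscorp.arm (deleted)"},
}

if __name__ == "__main__":
    for source, detail in audit(SAMPLE):
        print(f"[{source}] {detail}")
```

On a live device the inputs come from reading those files and from `readlink /proc/*/exe`; the checks are kept pure functions over text so the same logic can run against a mounted firmware image or a collected triage bundle without touching the suspect system again.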
The ultimate goal of Nexcorium is the coordination of large-scale distributed denial-of-service (DDoS) attacks. The malware supports a wide range of attack vectors, including UDP floods, TCP SYN floods, SMTP floods, and VSE query floods. These modules are managed through a centralized command-and-control (C2) domain, r3brqw3d.boats.top.
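Two of the artifacts named in this write-up are observable on the network side: the X-Hacked-By header and shell metacharacters inside the mdb/mdc arguments of the exploit requests described earlier, and DNS lookups for the C2 domain. The script below is an added example (not FortiGuard's code or a published detection rule): it parses a raw captured HTTP/1.x request and returns reasons it resembles the exploit traffic, and it scans dnsmasq-style query log lines for the C2 domain. The request endpoint, the metacharacter heuristic and all sample inputs are constructed for the example; the real endpoint path is not given in the report and is not reproduced here.

```python
import re
from urllib.parse import unquote_plus

# Indicators quoted in the write-up.
HACKED_BY_HEADER = "x-hacked-by"
C2_DOMAIN = "r3brqw3d.boats.top"

# Heuristic for this example (an assumption): command-injection attempts in
# the mdb/mdc parameters carry shell separators, substitution or downloaders.
SHELL_META = re.compile(r"[;|`&]|\$\(|\b(wget|curl|tftp)\b")

# dnsmasq-style query line, e.g. "... dnsmasq[812]: query[A] host from 192.0.2.10"
DNS_LOG_RE = re.compile(r"query\[[A-Z]+\]\s+(\S+)\s+from\s+(\S+)")


def parse_form(encoded):
    """Split application/x-www-form-urlencoded data on '&' only, so a ';'
    inside a value survives for inspection regardless of Python version."""
    params = {}
    for pair in encoded.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def inspect_http_request(raw):
    """Return the reasons a captured DVR HTTP request looks like the exploit traffic."""
    reasons = []
    request_line, headers, body = parse_http_request(raw)
    if HACKED_BY_HEADER in headers:
        reasons.append(f"custom header {HACKED_BY_HEADER}: {headers[HACKED_BY_HEADER]}")
    method, _, rest = request_line.partition(" ")
    target = rest.split(" ")[0]
    params = parse_form(target.partition("?")[2])          # query-string arguments
    if method == "POST" and body:                           # plus form-body arguments
        for key, values in parse_form(body).items():
            params.setdefault(key, []).extend(values)
    for name in ("mdb", "mdc"):
        for value in params.get(name, []):
            if SHELL_META.search(value):
                reasons.append(f"shell metacharacters in {name}={value!r}")
    return reasons


def find_c2_lookups(log_lines):
    """Return (client, qname) pairs for queries to the C2 domain or any subdomain of it."""
    hits = []
    for line in log_lines:
        match = DNS_LOG_RE.search(line)
        if not match:
            continue
        qname, client = match.group(1).lower().rstrip("."), match.group(2)
        if qname == C2_DOMAIN or qname.endswith("." + C2_DOMAIN):
            hits.append((client, qname))
    return hits


# Constructed samples; the endpoint path and command text are placeholders.
SAMPLE_REQUEST = (
    "POST /example-endpoint HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "X-Hacked-By: Nexus Team - Exploited By Erratic\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "mdb=sound&mdc=x;EXAMPLE_COMMAND"
)
BENIGN_REQUEST = (
    "POST /example-endpoint HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\nmdb=sound&mdc=motion"
)
SAMPLE_DNS = [
    "Jun  1 10:00:01 dnsmasq[812]: query[A] r3brqw3d.boats.top from 192.0.2.10",
    "Jun  1 10:00:02 dnsmasq[812]: query[A] example.com from 192.0.2.11",
]

if __name__ == "__main__":
    print(inspect_http_request(SAMPLE_REQUEST))
    print(inspect_http_request(BENIGN_REQUEST))
    print(find_c2_lookups(SAMPLE_DNS))
```

The header check is the cheap, high-confidence signal; the metacharacter check is deliberately broad so that attempts without the attacker's calling card still surface, at the cost of needing a human look at any legitimate mdb/mdc values that contain `&` or `|`.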
“The Nexcorium malware displays typical traits of modern IoT-focused botnets, combining vulnerability exploitation, support for multiple architectures, and various persistence methods to sustain long-term access to infected systems,” the report concludes.