Mirai’s Nexcorium

IoT devices are increasingly prime targets for large-scale attacks due to their widespread use, lack of patching, and often weak security settings.  Threat actors continue exploiting known vulnerabilities to gain initial access and deploy malware that can persist, spread, and cause distributed denial-of-service (DDoS) attacks.

Affected Platforms: TBK DVR-4104, DVR-4216

Impacted Users: Any organization

Impact: Remote attackers gain control of the vulnerable systems

Severity Level: High

FortiGuard Labs has analyzed a recent campaign exploiting CVE-2024-3721 in TBK DVR devices to deliver a multi-architecture Mirai variant called Nexcorium.  By examining the infection chain, persistence mechanisms, and attack capabilities, the lab offers insights into the operational behavior of the associated threat actor and its potential impact on targeted environments.

Incidents - The threat actors delivered a downloader script by exploiting CVE-2024-3721, an OS command injection vulnerability in TBK DVR devices, by manipulating the mdb and mdc request arguments.

Figure 1: Exploit traffic via CVE-2024-3721

The exploit features a custom HTTP header, “X-Hacked-By,” with the value “Nexus Team – Exploited By Erratic.” Based on this artifact, we think the activity is likely linked to a threat actor identified by analysts as “Nexus Team.”  However, this actor is not widely known.

The downloader script, called dvr, fetches malware samples with filenames starting with nexuscorp and targets multiple Linux architectures, including ARM, MIPS R3000, and x86-64 (AMD64).  The script sets the permissions of the retrieved malware to 777 and runs it with an argument that indicates the exploited device on the victim host.

Figure 2: Downloader shell script “dvr”
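As an added detection example (not code from the article or from FortiGuard), the following Python script parses raw HTTP requests and flags the two artifacts described above: the custom “X-Hacked-By” marker header, and shell metacharacters smuggled into the mdb or mdc parameters. The sample requests are constructed; the request path is a placeholder because the article does not reproduce the exploited endpoint, and the assumption that mdb/mdc arrive as query-string parameters is this example's, not the article's.

```python
# Added example: flag HTTP requests carrying the "X-Hacked-By" marker header
# or shell metacharacters in the mdb/mdc parameters (CVE-2024-3721 traffic).
# Not the article's code; sample requests are constructed and the endpoint
# path is a placeholder.
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

MARKER_HEADER = "x-hacked-by"          # header the exploit adds (article, Figure 1)
INJECTION_PARAMS = ("mdb", "mdc")      # arguments the exploit manipulates (article)
# Characters that have no business in a DVR parameter that reaches a shell.
SHELL_META = re.compile(r"[;|&`$(){}<>\n]")

def parse_request(raw: str) -> Dict[str, object]:
    """Split a raw HTTP/1.x request into method, target and a lower-cased header map."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}

def analyze_request(raw: str) -> List[str]:
    """Return findings for one request; an empty list means nothing suspicious."""
    req = parse_request(raw)
    findings: List[str] = []
    marker = req["headers"].get(MARKER_HEADER)
    if marker is not None:
        findings.append(f"marker header X-Hacked-By: {marker}")
    # parse_qs percent-decodes values, so an encoded ';' is still caught.
    params = parse_qs(urlsplit(req["target"]).query, keep_blank_values=True)
    for name in INJECTION_PARAMS:
        for value in params.get(name, []):
            if SHELL_META.search(value):
                findings.append(f"shell metacharacter in parameter {name}: {value!r}")
    return findings

# Constructed sample traffic (placeholder endpoint, documentation IP range).
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1\r\nHost: 192.0.2.10\r\nUser-Agent: test\r\n\r\n",
    "GET /PLACEHOLDER_ENDPOINT?mdb=sound&mdc=cmd HTTP/1.1\r\nHost: 192.0.2.10\r\n"
    "X-Hacked-By: Nexus Team - Exploited By Erratic\r\n\r\n",
    "GET /PLACEHOLDER_ENDPOINT?mdb=sound%3B%2Ftmp%2Fplaceholder_cmd&mdc=cmd HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n\r\n",
]

if __name__ == "__main__":
    for i, raw in enumerate(SAMPLE_REQUESTS):
        print(i, analyze_request(raw) or "clean")
```

The percent-encoded third request shows why matching on the raw request line is not enough: the metacharacter only appears after decoding, which is also what the device's CGI handler sees.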

Malware Analysis - This analysis is based on the “nexuscorp.x86” sample.  Upon execution, the malware shows the string “nexuscorp has taken control.”

Figure 3: Display string after execution

Nexcorium has an architecture similar to other Mirai variants, including XOR-encoded configuration table initialization, a watchdog module, and a DDoS attack module.

The malware first performs XOR decoding to extract its embedded configuration, which includes C2 server domain and port, persistence-related shell commands, a hard-coded brute-force wordlist, DDoS attack commands retrieved from the C2 server, and embedded exploit code.

Figure 4: XOR-Encoded configuration with the key 0x13


Figure 5: XOR-Encoded configuration with the key 0xFD
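As an added analyst example (not the article's code and not code from the malware), the following Python decodes a Mirai-style XOR-encoded configuration table and recovers the single-byte key by brute force. The entry layout (1-byte ID, 2-byte big-endian length, XOR-encoded payload) is an assumption made for this illustration, not the layout of the Nexcorium sample, and the sample entries are constructed from strings the article itself mentions. It also shows why a printable-ASCII score alone cannot select the key: a neighbouring key such as key ^ 0x01 maps letters to letters, so a known plaintext (crib) is used instead.

```python
# Added example: XOR-decode a Mirai-style configuration table and recover the
# single-byte key. Table layout is assumed; sample entries are constructed.
from typing import Dict, List, Optional

def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; one call both encodes and decodes."""
    return bytes(b ^ key for b in data)

def build_table(entries: Dict[int, bytes], key: int) -> bytes:
    """Serialize entries into the assumed ID/length/payload layout, payloads XOR-encoded."""
    out = bytearray()
    for entry_id, payload in sorted(entries.items()):
        out.append(entry_id)
        out += len(payload).to_bytes(2, "big")
        out += xor_bytes(payload, key)
    return bytes(out)

def parse_table(blob: bytes, key: int) -> Dict[int, bytes]:
    """Walk the blob and XOR-decode every payload with `key`; reject truncated entries."""
    entries: Dict[int, bytes] = {}
    pos = 0
    while pos + 3 <= len(blob):
        entry_id = blob[pos]
        length = int.from_bytes(blob[pos + 1:pos + 3], "big")
        pos += 3
        payload = blob[pos:pos + length]
        if len(payload) != length:
            raise ValueError(f"truncated table entry {entry_id}")
        entries[entry_id] = xor_bytes(payload, key)
        pos += length
    return entries

def recover_key(blob: bytes, cribs: List[bytes]) -> Optional[int]:
    """Try all 256 single-byte keys; accept the first whose decoding contains a
    known plaintext. Printable-ratio scoring cannot do this on its own, because
    key ^ 0x01 still turns letters into letters, while a path string cannot
    survive a wrong key."""
    for key in range(256):
        if any(crib in xor_bytes(blob, key) for crib in cribs):
            return key
    return None

# Constructed sample tables (the real sample's contents are not reproduced).
TABLE_0X13 = build_table({
    1: b"r3brqw3d.b0ats.top",   # C2 domain named in the article
    2: b"/usr/local/bin/sysd",  # persistence path named in the article
    3: b"cat /bin/busybox",     # shell probe named in the article
}, 0x13)
TABLE_0XFD = build_table({
    10: b"NXS_WD_CHILD",        # watchdog role marker named in the article
    11: b"/proc/self/exe",      # path the malware reads for its own location
}, 0xFD)
CRIBS = [b"/bin/busybox", b"/proc/self/exe"]

if __name__ == "__main__":
    for blob in (TABLE_0X13, TABLE_0XFD):
        key = recover_key(blob, CRIBS)
        print(f"key 0x{key:02x}:", parse_table(blob, key))
```

The two tables mirror the article's observation that different tables use different keys (0x13 and 0xFD); the crib list is the analyst's knowledge of strings a Mirai-style configuration is expected to hold.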

Nexcorium shares an architecture similar to other Mirai variants.  It consists of three core modules: watchdog, scanner, and attacker.  The watchdog component uses the string NXS_WD_CHILD as a sub-process role marker to distinguish watchdog-spawned child processes.


Figure 6: Watchdog subprocess role marker

Nexcorium performs self-integrity checks by first storing its command-line arguments in global variables and retrieving the current execution path from /proc/self/exe.  It calculates the FNV-1a hash of the executable file.  If the original file is missing, unreadable, or its hash does not match, the malware creates a duplicate under a different filename and sets the file permissions to 700.

Figure 7: Self-replication
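As an added example (not the article's code and not the malware's), the following Python implements the FNV-1a hash the self-integrity check relies on and applies the same three-way classification the article describes (missing, unreadable, or mismatching file). An analyst who finds a hard-coded hash constant in a sample can use the same routine to confirm which on-disk copy it refers to. The test vectors in the test are the published FNV ones; the file used by `demo()` is constructed in a temporary directory.

```python
# Added example: FNV-1a (32- and 64-bit) plus the missing/unreadable/mismatch
# classification described for the self-integrity check. Not the article's code.
import os
import tempfile
from typing import Dict

FNV32_OFFSET, FNV32_PRIME = 0x811C9DC5, 0x01000193
FNV64_OFFSET, FNV64_PRIME = 0xCBF29CE484222325, 0x100000001B3

def fnv1a_32(data: bytes) -> int:
    """FNV-1a: XOR the byte in first, then multiply by the prime (mod 2^32)."""
    h = FNV32_OFFSET
    for b in data:
        h = ((h ^ b) * FNV32_PRIME) & 0xFFFFFFFF
    return h

def fnv1a_64(data: bytes) -> int:
    """64-bit variant, same structure with the 64-bit offset basis and prime."""
    h = FNV64_OFFSET
    for b in data:
        h = ((h ^ b) * FNV64_PRIME) & 0xFFFFFFFFFFFFFFFF
    return h

def integrity_status(path: str, expected: int) -> str:
    """Classify a file the way the article says the malware does:
    'missing', 'unreadable', 'mismatch' or 'ok' (32-bit hash assumed)."""
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except FileNotFoundError:
        return "missing"
    except OSError:           # permission denied, is-a-directory, I/O error
        return "unreadable"
    return "ok" if fnv1a_32(data) == expected else "mismatch"

def demo() -> Dict[str, str]:
    """Exercise every branch against a constructed file in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.bin")
        content = b"constructed sample binary\x00"
        with open(path, "wb") as fh:
            fh.write(content)
        expected = fnv1a_32(content)
        return {
            "ok": integrity_status(path, expected),
            "mismatch": integrity_status(path, expected ^ 1),
            "missing": integrity_status(os.path.join(tmp, "absent"), expected),
            "unreadable": integrity_status(tmp, expected),  # a directory cannot be read as a file
        }

if __name__ == "__main__":
    print(f"fnv1a_32('') = 0x{fnv1a_32(b''):08x}")
    print(demo())
```

FNV-1a is a non-cryptographic hash: it is fine for the malware's self-check, but a defender comparing samples should still rely on SHA-256 values such as those in the IOC list, not on an FNV digest.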

Notably, the malware includes an exploit for CVE-2017-17215, targeting Huawei HG532 devices. This is also commonly seen in other Mirai variants.

Figure 8: XOR-Encoded CVE-2017-17215 exploit

The exploit is stored in table ID 23 and used in the scanner component. Once Nexcorium connects to the victim host, the module looks up the table, retrieves the CVE-2017-17215 payload, and sends a malicious packet.


Figure 9: Send CVE-2017-17215 exploit if the socket is established

Additionally, the malware contains a hard-coded list of usernames and passwords used for brute-force attacks. Most entries include default credentials.

ubuntu
guest
support
default
12345
123456
changeme
hikvision
operator
888888
Administrator
meinsm
7ujMko0admin
admin123
admin1234
admintest
comcomcom
motorola
password
daemon
OxhlwSG8
S2fGqNFs
tlJwpbo6
D-Link
netscreen
7ujMko0vizxv
GM8182
Root1
Zte521
antslq
cat1029
dreambox
grouter
hg2x0
huigu309
ipcam_rt5350
jauntech
solokey
swsbzkgn
taZz@23495859
tsgoingon
vertex25ektks123
xc3511
xmhdipc
Zhongxing
telnet
telnetadmin

The scanner component opens a Telnet connection to candidate victim hosts and then starts a brute-force attack using the wordlist above.  If Nexcorium successfully logs in, it executes commands to check whether it has obtained a shell, including system, shell, sh, and cat /bin/busybox.


Figure 10: Execute shell command if Nexcorium successfully logs in via telnet

Once Nexcorium executes the command, it will parse and verify the victim host’s architecture using its hard-coded list.


Figure 11: Parsing the architecture information response from the victim host

The malware retrieves the actual execution path from /proc/self/exe again for persistence purposes.  If it is not running from /usr/local/bin/, it copies itself to /usr/local/bin/sysd and proceeds to establish persistence through multiple mechanisms.

  1. Init configuration

It updates /etc/inittab to make sure the process restarts if it stops.

Figure 12: Persistence method via /etc/inittab

  2. Startup script

It creates or updates /etc/rc.local to ensure execution at system startup.

Figure 13: Persistence method via /etc/rc.local

  3. Systemd service

It then checks common system paths (e.g., /bin/systemctl, /usr/bin/systemctl, and /etc/system/system) and creates a service file at /etc/systemd/system/persist.service, enabling it to run automatically at startup.


Figure 14: Persistence method via creating daemon

  4. Cron job

It creates a scheduled task using crontab to ensure it runs after reboot.


Figure 15: Persistence method using crontab
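As an added defender-side example (not from the article), the following Python audits the four persistence locations listed above for references to the dropped binary and service name the article gives (/usr/local/bin/sysd and persist.service). `scan_files()` works on a path-to-content mapping so it can be run against a mounted image or the constructed samples embedded below; `live_snapshot()` reads the real locations when the script is run on a host. The cron spool paths are assumed common locations and vary by distribution, and the bare `sysd` indicator is broader than the article's path and may need tuning.

```python
# Added example: audit inittab, rc.local, systemd units and cron entries for
# the persistence artifacts named in the article. Sample contents are
# constructed; cron spool locations are assumptions.
import glob
import os
import re
from typing import Dict, List, Tuple

# Indicators from the article: the copied binary path and the service name.
INDICATORS = [r"/usr/local/bin/sysd", r"persist\.service", r"\bsysd\b"]
PATTERN = re.compile("|".join(INDICATORS))

# Where each mechanism lives (assumed standard locations; spool paths differ per distro).
LOCATIONS = [
    "/etc/inittab", "/etc/rc.local",
    "/etc/systemd/system/*.service",
    "/etc/crontab", "/etc/cron.d/*",
    "/var/spool/cron/crontabs/*", "/var/spool/cron/*",
]

Finding = Tuple[str, int, str]  # (path, line number, offending line); line 0 = file name hit

def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Report every file name and line that matches an indicator. Commented-out
    lines are reported too: a disabled entry is still worth a look."""
    findings: List[Finding] = []
    for path, content in sorted(files.items()):
        if PATTERN.search(path):
            findings.append((path, 0, "<file name matches indicator>"))
        for lineno, line in enumerate(content.splitlines(), start=1):
            if PATTERN.search(line):
                findings.append((path, lineno, line.strip()))
    return findings

def live_snapshot() -> Dict[str, str]:
    """Best-effort read of the real locations; unreadable files are skipped."""
    files: Dict[str, str] = {}
    for pattern in LOCATIONS:
        for path in glob.glob(pattern):
            if os.path.isfile(path):
                try:
                    with open(path, errors="replace") as fh:
                        files[path] = fh.read()
                except OSError:
                    pass
    return files

# Constructed sample contents modelled on the four mechanisms the article lists.
SAMPLE_FILES = {
    "/etc/inittab": "id:3:initdefault:\n::respawn:/usr/local/bin/sysd\n",
    "/etc/rc.local": "#!/bin/sh\nexit 0\n",
    "/etc/systemd/system/persist.service":
        "[Service]\nExecStart=/usr/local/bin/sysd\n[Install]\nWantedBy=multi-user.target\n",
    "/var/spool/cron/crontabs/root": "@reboot /usr/local/bin/sysd\n",
}

if __name__ == "__main__":
    for path, lineno, line in scan_files(live_snapshot()):
        print(f"{path}:{lineno}: {line}")
```

Because the malware deletes its original binary after setting persistence (next paragraph), these configuration entries and the /usr/local/bin/sysd copy are often the durable evidence left on a device.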

After completing the persistence setup, the malware deletes its original binary from the current execution path to evade analysis.


Figure 16: Self-delete to evade analysis

Based on the XOR-decoded configuration, Nexcorium supports multiple DDoS attack methods, including UDP flood, TCP ACK flood, TCP SYN flood, TCP generic flood, SMTP flood, TCP PSH flood, TCP URG Flag flood, UDP blast flood, and VSE query flood.  It can stop ongoing DDoS attacks and terminate its own process as well.

Command    Attack ID   Description
udp        0           UDP Flood
ack        10          TCP ACK Flood
syn        3           TCP SYN Flood
std        4           TCP Generic Flood
stmp       9           SMTP Flood
psh        5           TCP PSH Flood
synd       7           TCP SYN Flood Variant
urg        6           TCP URG Flag Flood
udb        8           UDP Blast Flood
vse        1           VSE Query Flood
tcpa       12          TCP ACK + PSH Flood
killattk   -           Stop Attack
botkill    -           Kill Bot

The malware initializes its attack modules by allocating an array and adding the offset of each attack module to it.  It then establishes a connection with the C2 domain r3brqw3d[.]b0ats[.]top and parses commands retrieved from the C2 server to launch subsequent attacks.


Figure 17: Attack method to parse commands from the C2 server

Conclusion - The Nexcorium malware displays typical traits of modern IoT-focused botnets, combining vulnerability exploitation, support for multiple architectures, and various persistence methods to sustain long-term access to infected systems.  Its use of known exploits, such as CVE-2017-17215, along with extensive brute-force capabilities, underscores its adaptability and efficacy in increasing its infection reach.  Additionally, its diverse range of DDoS attack vectors and centralized command-and-control communication indicate its primary role in coordinated attack campaigns.   The use of customized exploit artifacts, such as the “X-Hacked-By” header, also provides valuable clues linking the activity to the suspected threat actor.

The continuous monitoring of vulnerability exploitation trends, along with proactive detection of malicious traffic and behavior patterns, remains essential for reducing similar threats targeting IoT and networked systems.

IOCs

Hosts

84[.]200[.]87[.]36
176[.]65[.]148[.]186
r3brqw3d[.]b0ats[.]top

Files

Downloader
696aeb6321313919f0a41a520e6fa715450bbfb271a9add1e54efe16484a9c35

Nexcorium
37132e804ccb3fc4ba1f72205da70c3d7a6e66b43178707a9d8ee1156d815c21
e4789416c35b345e75c023a8c07c207c79937c6a5444e1c29d85d18d2f660d8c
0b510f93f47590791626d2fa74ddd62ba6eb8a5a5bb7b8476c0ceffc7be94ebe
9b805585c457811d2c5c5664ede9ee869b53e3c9999100505d7ee8de7f855fdf
95d1eb12d58206319c514c7240d058c512bb22b31f6ea22ed8be3ae44305c9f7
7c01d5b53861cd34e10a79fdea16dcf08bce9c78ed72abd6d6f3e9ce75a24734
838e35b62a6b38675e467301166cdcc54f98d528fe43d56936caeffec88ac696
2ccf23b8165e8c05899aa7ba4755b896ebf1d20d3b701cffdc768482486b0a74
29404df12a7723ce46c8b199c88a808aa315dd8ff8fd1e06a34ccd3d16f4553b
b1274de00a7f3d7ab9792ec3456e9d5bf057738666f34183f1d72060e2d4f678
721c7cb2109ec97c14413cb8b58ddce0ecf0c1f13f22ee4f72eed79b57592cf5
89dae116c77b0035277d39dfe01043624427c119ddee8883a3ba54a42a6ae400


This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information (CTI) via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com    

  • Reporting https://www.redskyalliance.org/
  • Website https://www.redskyalliance.com/
  • LinkedIn https://www.linkedin.com/company/64265941

Weekly Cyber Intelligence Briefings
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122
