Cybersecurity researchers at Fortinet’s FortiGuard Labs have found a new malware that is taking over smart devices across the globe. This threat, named Nexcorium, is a new version of the infamous Mirai malware. It is built to create a botnet, which is a large network of infected IoT devices and gadgets controlled by hackers to carry out large-scale DDoS attacks.
How the hackers gain access
FortiGuard Labs’ security analysts found that in this campaign the attackers’ key targets are digital video recorders (DVRs) used with security cameras, specifically the TBK DVR-4104 and DVR-4216 models. That is probably because these devices are rarely updated and ship with weak security settings, which makes them easier to compromise.
According to the researchers, the attackers are exploiting CVE-2024-3721, a command injection vulnerability in these specific devices, to run malicious code and gain persistent remote access.
A successful compromise displays a message on the system reading “NexusCorp has taken control.” This gives away the attackers’ identity, which, according to the researchers, is the Nexus Team. They also leave a signature in the code reading “Nexus Team – Exploited By Erratic,” which supports this attribution.
Malware Capabilities
In their blog post, shared with Hackread.com ahead of publication on Friday, Vincent Li of FortiGuard Labs noted that Nexcorium is a “multi-architecture” malware, meaning it can run on different processor architectures.
The malware is also difficult to remove because it copies itself into several different folders. It then sets up automatic tasks so that if the device is turned off and on again, the malware simply starts back up, and it deletes its original files to hide from anyone trying to find it.
To grow the botnet, the malware tries to compromise other smart devices in the same building. For this purpose, it carries a long built-in list of common default passwords such as “admin123,” “12345,” and “guest,” and brute-forces them one by one to see whether it can log into other routers or cameras.
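As an added example (not code from FortiGuard or this article), the credential brute-forcing described above leaves a recognisable shape in device or honeypot login logs: a burst of failures across several usernames from one source, sometimes followed by a success. The detector below flags both patterns; the syslog-style log format and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the FortiGuard report): syslog-style
# records as a DVR, router or telnet honeypot might emit for login attempts.
SAMPLE_LOG = """\
2024-06-07T10:00:01 dvr-01 login: FAILED user=admin src=198.51.100.7
2024-06-07T10:00:02 dvr-01 login: FAILED user=root src=198.51.100.7
2024-06-07T10:00:03 dvr-01 login: FAILED user=guest src=198.51.100.7
2024-06-07T10:00:04 dvr-01 login: FAILED user=support src=198.51.100.7
2024-06-07T10:00:05 dvr-01 login: FAILED user=admin src=198.51.100.7
2024-06-07T10:00:06 dvr-01 login: OK user=admin src=198.51.100.7
2024-06-07T10:30:00 dvr-01 login: FAILED user=admin src=192.0.2.10
2024-06-07T10:31:10 dvr-01 login: OK user=admin src=192.0.2.10
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) login: (?P<result>OK|FAILED) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse(log_text):
    """Yield (timestamp, host, result, user, src); skip lines that do not match."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["host"],
                   m["result"], m["user"], m["src"])

def detect_bruteforce(log_text, window=timedelta(seconds=60),
                      min_failures=4, min_users=3):
    """Map each suspicious source IP to a verdict.
    'bruteforce': at least min_failures failed logins spread over at least
    min_users distinct usernames from one source within `window` (the shape a
    walk through a built-in default-credential list leaves in the logs).
    'compromise': a later successful login from a source already flagged, the
    signal that a default credential was accepted and needs a response.
    """
    recent = defaultdict(list)   # src -> [(ts, user)] of failures inside window
    verdicts = {}
    for ts, _host, result, user, src in parse(log_text):
        if result == "FAILED":
            recent[src] = [(t, u) for t, u in recent[src] if ts - t <= window]
            recent[src].append((ts, user))
            if (len(recent[src]) >= min_failures
                    and len({u for _, u in recent[src]}) >= min_users):
                verdicts.setdefault(src, "bruteforce")
        elif verdicts.get(src) == "bruteforce":
            verdicts[src] = "compromise"    # burst of failures, then success
    return verdicts
```

Running `detect_bruteforce(SAMPLE_LOG)` flags 198.51.100.7 as a compromise, while the single mistyped login from 192.0.2.10 is left alone.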
DDoS Attacks
The main purpose of this entire exercise is to launch Distributed Denial of Service (DDoS) attacks, in which thousands of infected devices flood a website with so much fake traffic that it crashes and stops working.
Researchers noted that Nexcorium malware displays “typical traits of modern IoT-focused botnets, combining vulnerability exploitation, support for multiple architectures, and various persistence methods to sustain long-term access to infected systems. Its use of known exploits, such as CVE-2017-17215, along with extensive brute-force capabilities, underscores its adaptability and efficacy in increasing its infection reach.”
Since Nexcorium can run on many different types of hardware, it is a serious threat to any organisation using these recording boxes. Changing default passwords and keeping software updated is therefore the best way to stay safe.
“The Nexcorium campaign is a precise illustration of why automated scanning alone cannot close the exposure gap. Machine speed analysis tells you a vulnerability exists, but a human researcher’s depth tells you how an adversary will chain it, weaponize it, and sustain access long after the initial alert fires,” said Trey Ford, Chief Strategy and Trust Officer at Bugcrowd, a San Francisco, Calif.-based crowdsourced cybersecurity company.
“What organizations need is continuous adversarial testing that mirrors actual attacker behavior across the full asset inventory, including the devices that security teams have quietly placed out of scope,” he advised. “While classically true of professional attackers, the next generation of security defense programs will be defined by how aggressively they test the edges, not just the crown jewels.”