Nexcorium Unleashed: Inside the Stealthy Takeover of TBK DVRs by Nexus Team Hackers
A new Mirai botnet variant exploits fresh and forgotten flaws to conscript IoT devices into cybercrime armies.
It started with a cryptic HTTP header - “X-Hacked-By: Nexus Team – Exploited By Erratic” - surfacing in the digital exhaust of compromised surveillance systems. By the time researchers cracked the pattern, thousands of Internet-connected cameras and recorders had already been drafted into a shadowy new botnet. The culprit: Nexcorium, a menacing malware strain engineered to prey on the most neglected corners of the Internet of Things.
How Nexcorium Hijacks TBK DVRs
The attack campaign, uncovered by Fortinet’s FortiGuard Labs, targets a critical vulnerability (CVE-2024-3721) found in popular TBK digital video recorders - specifically models like DVR-4104 and DVR-4216. This bug lets attackers inject system commands directly into the device’s operating system, bypassing normal security controls.
Once inside, the hackers deploy a malicious downloader script that fetches Nexcorium malware tailored for various device architectures (ARM, x86-64, and more). The infection is marked by a unique signature in the network traffic, allowing researchers to trace it back to the so-called “Nexus Team” - an emerging cybercriminal group making its mark with this campaign.
Building a Botnet Army
After gaining control, Nexcorium doesn’t stop at a single victim. It spreads like wildfire by brute-forcing Telnet logins with a list of default or weak passwords - capitalizing on the notorious habit of leaving factory credentials unchanged. The malware also exploits an older vulnerability (CVE-2017-17215) in Huawei routers, broadening its reach across the IoT landscape. Once a device is infected, it’s enrolled into a botnet, ready to be used in massive distributed denial-of-service (DDoS) attacks that can cripple websites and online services.
Persistence and Evasion
Nexcorium is designed to be hard to kill. It copies itself to hidden directories and establishes multiple footholds, modifying system startup files, creating custom background services, and scheduling recurring tasks. If security teams try to remove it, the malware’s redundant persistence tricks ensure it springs back to life after every reboot. To cover its tracks, Nexcorium deletes its original executable, making forensic analysis a challenge.
Defending Against the Threat
Experts warn that the best defense is proactive hygiene: patch all IoT devices immediately, especially TBK DVRs and older routers. Change all default passwords - no exceptions. Network administrators should also block outgoing traffic to known malicious domains and monitor for signs of unusual scanning or brute-force activity. In an era where even security cameras can become weapons, neglect is not an option.
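As an added illustration of the monitoring advice above (example code written for this page, not code from the article or from Fortinet's report), the script below flags the "X-Hacked-By: Nexus Team" marker from the first section in HTTP logs and counts failed Telnet logins per source to surface brute-force bursts. The log layouts, thresholds and IP addresses are constructed assumptions, not formats from any real product.

```python
# Added detection example: two indicators from the Nexcorium write-up.
# Log formats and all IP addresses below are constructed for illustration.
import re
from collections import Counter

# Constructed HTTP log records: "src_ip|Header: value|Header: value..."
SAMPLE_HTTP_LOG = [
    "198.51.100.7|Server: httpd|Content-Type: text/html",
    "198.51.100.7|X-Hacked-By: Nexus Team \u2013 Exploited By Erratic|Server: httpd",
    "203.0.113.9|X-hacked-by: nexus team - exploited by erratic|Content-Length: 0",
    "203.0.113.9|Server: nginx",
]

# Constructed Telnet daemon log lines in a syslog-like shape.
SAMPLE_TELNET_LOG = [
    "telnetd: login failed for 'root' from 192.0.2.44",
    "telnetd: login failed for 'admin' from 192.0.2.44",
    "telnetd: login failed for 'root' from 192.0.2.44",
    "telnetd: login failed for 'root' from 192.0.2.44",
    "telnetd: login failed for 'root' from 192.0.2.44",
    "telnetd: login failed for 'admin' from 192.0.2.44",
    "telnetd: login failed for 'support' from 10.0.0.5",
    "telnetd: login ok for 'admin' from 10.0.0.5",
]

# Match the header name and the group name only, so dash variants and
# case differences in the rest of the value do not cause misses.
HEADER_RE = re.compile(r"x-hacked-by:\s*nexus team", re.IGNORECASE)
FAIL_RE = re.compile(r"login failed for '(?P<user>[^']+)' from (?P<src>[\d.]+)")


def hosts_with_nexus_header(http_log):
    """Return the set of source hosts whose HTTP headers carry the marker."""
    return {line.split("|", 1)[0] for line in http_log if HEADER_RE.search(line)}


def telnet_bruteforce_sources(telnet_log, threshold=5):
    """Return {src: failures} for sources with at least `threshold` failed logins."""
    failures = Counter()
    for line in telnet_log:
        match = FAIL_RE.search(line)
        if match:
            failures[match.group("src")] += 1
    return {src: n for src, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    print("Nexus Team header seen on:", sorted(hosts_with_nexus_header(SAMPLE_HTTP_LOG)))
    print("Telnet brute-force sources:", telnet_bruteforce_sources(SAMPLE_TELNET_LOG))
```

In production the same two checks would run against a proxy or IDS header log and the Telnet daemon's auth log rather than the embedded samples.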
Conclusion
The Nexcorium campaign is a stark reminder that yesterday’s forgotten devices can become tomorrow’s cyberweapons. As IoT continues to proliferate, vigilance, timely updates, and a zero-tolerance policy for default passwords are the only things standing between the digital world and the next botnet-fueled blackout.
WIKICROOK
- Botnet: A botnet is a network of infected devices remotely controlled by cybercriminals, often used to launch large-scale attacks or steal sensitive data.
- Command Injection: Command Injection is a vulnerability where attackers trick systems into running unauthorized commands by inserting malicious input into user fields or interfaces.
- DDoS Attack: A DDoS attack is when many computers flood a service with fake requests, overwhelming it and making it slow or unavailable to real users.
- Persistence Mechanism: A persistence mechanism is a method used by malware to stay active on a system, surviving reboots and removal attempts by users or security tools.
- Telnet Brute: Telnet Brute is a cyberattack using automated tools to guess Telnet logins by trying many username and password combinations to gain access.