Nexus Team
Nexus Team is a relatively unknown threat actor identified by Fortinet FortiGuard Labs in connection with a Mirai-related botnet campaign targeting TBK DVR devices, specifically TBK DVR-4104 and DVR-4216, via CVE-2024-3721, an OS command injection vulnerability. The attribution is based on exploit traffic containing the custom HTTP header "X-Hacked-By: Nexus Team – Exploited By Erratic," and the actor is not described as widely known.

The campaign distributes a Mirai-like malware variant named Nexcorium using a downloader shell script named "dvr," which retrieves multi-architecture Linux payloads including ARM, MIPS/MIPS R3000, and x86-64 samples with filenames beginning with "nexuscorp."

Nexcorium contains Mirai-style watchdog, scanner, and attacker modules; uses XOR-decoded embedded configuration data; connects to a command-and-control server to receive commands; and is assessed to be used primarily for botnet expansion and DDoS activity.

Observed propagation and post-compromise behavior include exploitation of CVE-2024-3721, brute-force Telnet attempts using hard-coded default credentials, and embedded exploitation support for CVE-2017-17215 against Huawei HG532 devices.

Nexcorium establishes persistence through multiple mechanisms, including modifying /etc/inittab, updating or creating /etc/rc.local, creating a systemd service, and adding cron jobs. It also performs self-integrity checks, can replicate itself if tampering is detected, and deletes its original binary after setup to hinder analysis.

The malware supports multiple DDoS attack methods, including UDP flood, TCP SYN flood, TCP ACK flood, SMTP flood, TCP PSH flood, TCP URG flood, UDP blast flood, VSE query flood, and TCP generic flood.

Known associated malware and campaign identifiers directly mentioned in the reporting include Nexcorium, the downloader script "dvr," and payload names beginning with "nexuscorp."
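The profile above names concrete host and network artifacts a defender can look for: persistence entries in /etc/inittab, /etc/rc.local, a systemd unit and cron, binaries named with the "nexuscorp" prefix, the "dvr" downloader, and the "X-Hacked-By: Nexus Team" header in exploit traffic. The following Python script is an added example, not code from the original reporting or from Mallory; it audits constructed copies of those persistence locations for references to the reported binary names and flags web-log lines carrying the header. The file contents, the log lines and the function names are this example's own assumptions; only the indicator strings come from the page.

```python
"""Audit Linux persistence locations for Nexcorium-style artifacts and flag
requests carrying the campaign's X-Hacked-By header.

Added example (not the report's code). File contents and log lines below are
constructed; the indicator strings are the ones named in the reporting.
"""
import re
from dataclasses import dataclass

# Payload filename prefix and downloader script name reported for the campaign.
PAYLOAD_PREFIX = "nexuscorp"
# Match the downloader as a whole path component (e.g. /tmp/dvr), not "dvrd".
DOWNLOADER_RE = re.compile(r"(^|[/\s])dvr(\s|$)")
# Custom header observed in the exploit traffic.
EXPLOIT_HEADER_RE = re.compile(r"X-Hacked-By:\s*Nexus Team", re.IGNORECASE)

# Persistence locations the malware is reported to modify or create.
PERSISTENCE_PATHS = (
    "/etc/inittab",
    "/etc/rc.local",
    "/etc/systemd/system",
    "/etc/cron.d",
    "/var/spool/cron/crontabs",
)


@dataclass
class Finding:
    path: str
    line_no: int
    line: str
    reason: str


def _suspicious(line):
    """Return a reason string if a line references the campaign's binary names."""
    low = line.lower()
    if PAYLOAD_PREFIX in low:
        return f"references payload name starting with '{PAYLOAD_PREFIX}'"
    if DOWNLOADER_RE.search(low):
        return "references downloader script 'dvr'"
    return None


def audit_persistence(files):
    """files: mapping of path -> already-read contents. Returns a list of Findings.

    Only paths under the reported persistence locations are inspected; blank
    lines and comments are skipped so that analyst notes do not trigger alerts.
    """
    findings = []
    for path, content in files.items():
        if not any(path.startswith(p) for p in PERSISTENCE_PATHS):
            continue
        for no, line in enumerate(content.splitlines(), 1):
            stripped = line.strip()
            if not stripped or stripped.startswith("#"):
                continue
            reason = _suspicious(stripped)
            if reason:
                findings.append(Finding(path, no, stripped, reason))
    return findings


def find_exploit_requests(log_lines):
    """Return log lines whose recorded headers carry the X-Hacked-By marker."""
    return [line for line in log_lines if EXPLOIT_HEADER_RE.search(line)]


# Constructed sample data: what a compromised DVR's persistence files might hold.
SAMPLE_FILES = {
    "/etc/inittab": "id:3:initdefault:\n# constructed sample\nnx::respawn:/tmp/nexuscorp.arm\n",
    "/etc/rc.local": "#!/bin/sh\n/var/tmp/dvr\nexit 0\n",
    "/etc/systemd/system/nexus.service": (
        "[Service]\nExecStart=/tmp/nexuscorp.x86_64\n[Install]\nWantedBy=multi-user.target\n"
    ),
    "/var/spool/cron/crontabs/root": "@reboot /tmp/nexuscorp.mips\n0 * * * * /usr/bin/logrotate\n",
    "/etc/hostname": "nexuscorp-lab\n",  # outside the audited locations; ignored
}
SAMPLE_LOG = [
    'POST / HTTP/1.1 src=10.0.0.99 hdr="X-Hacked-By: Nexus Team - Exploited By Erratic"',
    "GET /index.html HTTP/1.1 src=10.0.0.42",
]

if __name__ == "__main__":
    for f in audit_persistence(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.reason}: {f.line}")
    for entry in find_exploit_requests(SAMPLE_LOG):
        print("exploit header seen:", entry)
```

On a real host the `files` mapping would be populated by reading those paths (and the contents of the cron and systemd directories); matching on binary names is a quick triage signal rather than a complete detection, since the report also notes the malware deletes its original binary and re-creates itself when tampered with, so a hit on any one location warrants checking all of them and the running process list.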
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Tradecraft
11 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Associated vulnerabilities
1 CVE this actor has used in observed campaigns. 1 of them exploited in the wild.
Observables
16 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Operating a botnet campaign targeting IoT devices, particularly TBK digital video recorders, deploying the Nexcorium malware for persistence and DDoS activity.
Possibly linked to a campaign exploiting TBK DVR devices and outdated TP-Link routers to deploy the Nexcorium Mirai variant for botnet growth and DDoS attacks.
Operating the Nexcorium Mirai-derived botnet to compromise internet-connected DVR devices and build a large-scale DDoS botnet.
Associated with a campaign exploiting CVE-2024-3721 in TBK DVR devices to deliver the Nexcorium Mirai variant, establish persistence, brute-force Telnet services, and conduct DDoS attacks via centralized C2 infrastructure.