
New Mirai Botnet Variant Targets TBK DVRs via CVE-2024-3721 Exploit

Discover how a new variant of the Mirai botnet exploits CVE-2024-3721 to target TBK DVRs, highlighting the need for enhanced IoT security measures.


TL;DR

  • A new variant of the Mirai botnet exploits CVE-2024-3721 to target TBK DVR systems.
  • The malware uses advanced techniques like RC4 encryption and anti-VM checks.
  • Over 50,000 exposed DVRs are potential targets, with infections primarily in China, India, and Egypt.


Researchers from the Russian cybersecurity firm Kaspersky have identified a new variant of the Mirai botnet. This variant exploits a command injection vulnerability (CVE-2024-3721) in TBK DVR-4104 and DVR-4216 digital video recording devices. The discovery was made during a review of logs in their Linux honeypot system, which revealed a suspicious POST request linked to the exploitation of CVE-2024-3721.

Exploitation Details

The malicious request contains a single-line shell script designed to download and execute an ARM32 binary on the compromised device. Unlike typical bot infections, which first probe the target to determine its CPU architecture, this attack assumes the device runs ARM32 binaries and skips that reconnaissance step.[1]

Enhanced Malware Capabilities

The Mirai botnet’s source code, publicly available for nearly a decade, has been extensively reused and modified by cybercriminals. This new variant introduces several advanced features:

  • RC4 String Encryption: Strings in the binary are stored RC4-encrypted and decrypted at runtime; the RC4 key itself is obfuscated with XOR.
  • Anti-Virtual Machine Checks: It includes checks to detect and avoid virtual machines and emulators by scanning for processes associated with VMware or QEMU.
  • Execution Path Verification: The malware verifies its execution path against a list of allowed directories to avoid detection.
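As an added analyst-side example, not code from the original post or from Kaspersky's report, the following Python reproduces the string-decryption scheme described in the first bullet so that a defender who has located the masked key and the mask byte in a sample can recover readable strings (for instance the process names used by the anti-VM check or the allowed-directory list). The single-byte XOR mask layout, the key, the mask value and the encrypted strings are all constructed here; how the real sample stores its key is not on this page.

```python
"""Recover RC4-encrypted strings whose key is stored XOR-masked (constructed sample)."""
from typing import List, Tuple


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling plus keystream generation. Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation algorithm (PRGA)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def unmask_key(masked_key: bytes, xor_mask: int) -> bytes:
    """Undo the single-byte XOR assumed to protect the embedded RC4 key (assumed layout, not the sample's)."""
    return bytes(b ^ xor_mask for b in masked_key)


def decrypt_string_table(masked_key: bytes, xor_mask: int, blobs: List[bytes]) -> List[str]:
    """Unmask the key once, then decrypt every string blob with it."""
    key = unmask_key(masked_key, xor_mask)
    return [rc4_crypt(key, blob).decode("latin-1") for blob in blobs]


# Constructed values standing in for what an analyst would carve out of a binary.
CONSTRUCTED_XOR_MASK = 0x37
CONSTRUCTED_REAL_KEY = b"constructed-key"
CONSTRUCTED_PLAINTEXTS = ["vmware", "qemu", "/usr/bin", "/bin"]


def build_constructed_sample() -> Tuple[bytes, List[bytes]]:
    """Produce (masked_key, encrypted_blobs) the way a packer would, so the decryptor has input to work on."""
    masked = bytes(b ^ CONSTRUCTED_XOR_MASK for b in CONSTRUCTED_REAL_KEY)
    blobs = [rc4_crypt(CONSTRUCTED_REAL_KEY, p.encode()) for p in CONSTRUCTED_PLAINTEXTS]
    return masked, blobs


if __name__ == "__main__":
    masked, blobs = build_constructed_sample()
    for s in decrypt_string_table(masked, CONSTRUCTED_XOR_MASK, blobs):
        print(s)
```

Because RC4 is symmetric, the same routine both builds the constructed table and decrypts it; the independent check is the published RC4 test vector (key `Key`, plaintext `Plaintext`), which this implementation reproduces.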


Global Impact

Infections have been primarily detected in China, India, Egypt, Ukraine, Russia, Turkey, and Brazil. While the exact number of compromised devices remains unclear, Kaspersky identified over 50,000 exposed DVRs that are potential targets.[2]

Recommendations

To mitigate the risk of infection, it is crucial to update vulnerable devices promptly with available security patches. Additionally, performing a factory reset on exposed devices can help enhance security.[3]

“Exploiting known security flaws in IoT devices and servers that haven’t been patched, along with the widespread use of malware targeting Linux-based systems, leads to a significant number of bots constantly searching the internet for devices to infect.”

Conclusion

The emergence of this new Mirai variant underscores the critical need for robust IoT security measures. Regular updates, vigilant monitoring, and proactive patching are essential to protect against such evolving threats.

Additional Resources

For further insights, check:

References

  1. “Mirai botnet variant targets DVR devices with CVE-2024-3721”. Kaspersky. Retrieved 2025-06-09.

  2. “New Mirai botnet targets TBK DVRs by exploiting CVE-2024-3721”. Security Affairs. Retrieved 2025-06-09.

  3. “Mirai Botnet Source Code”. Security Affairs. Retrieved 2025-06-09.

This post is licensed under CC BY 4.0 by the author.