Pierluigi Paganini
June 09, 2025
Researchers from Russian cybersecurity firm Kaspersky discovered a new variant of the Mirai botnet that exploits a command injection vulnerability (CVE-2024-3721) in TBK DVR-4104 and DVR-4216 digital video recording devices.
During a review of the logs in their Linux honeypot system, the researchers noticed a suspect POST request linked to the potential exploitation of CVE-2024-3721.
“The request contains a malicious command that is a single-line shell script which downloads and executes an ARM32 binary on the compromised machine.” reads the analysis.
“Typically, bot infections involve shell scripts that initially survey the target machine to determine its architecture and select the corresponding binary. However, in this case, since the attack is specifically targeted at devices that only support ARM32 binaries, the reconnaissance stage is unnecessary.”
The Mirai botnet’s source code, made public nearly a decade ago, has since been widely reused and modified by cybercriminals to power large-scale botnets. The latest DVR-focused variant is also built on Mirai’s foundation but introduces new features like RC4 string encryption, anti-virtual machine checks, and anti-emulation tactics. While Mirai itself is well-known, this version brings fresh techniques worth examining.
This Mirai variant uses a simple RC4 algorithm to decrypt strings and uses XOR to obfuscate the key. Once decrypted, strings are stored in a global list for use during execution. The malware also includes anti-VM and anti-emulation checks by scanning running processes for signs of VMware or QEMU.
The malware also verifies its execution path against a list of allowed directories to avoid detection. If all checks pass, it proceeds to prepare the infected device to receive commands.
Most infections are in China, India, Egypt, Ukraine, Russia, Turkey, and Brazil. While the exact number of infected devices is unclear, Kaspersky found over 50,000 exposed DVRs, which are potential targets.
“Exploiting known security flaws in IoT devices and servers that haven’t been patched, along with the widespread use of malware targeting Linux-based systems, leads to a significant number of bots constantly searching the internet for devices to infect.” concludes the report. “Most of these bots don’t stay active after the device restarts because some device firmware doesn’t allow changes to the file system. To protect against infections like these, we recommend updating vulnerable devices as soon as security patches become available. Another thing to consider is a factory reset if your device is indeed vulnerable and exposed.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, botnet)
