Analysis of the latest Mirai wave exploiting TBK DVR devices with CVE-2024-3721
Essential information
- Published
- 06/06/2025 12:45
- Modified
- 08/06/2025 17:09
- Tags
- 2025-06-06 CVE-2024-3721 anti-emulation anti-vm botnet ddos dvr iot mirai rc4 encryption
- Related entities
- 17 observables, 1 intrusion sets (apt), 5 techniques (mitre), 1 malware, 6 others
Description
A new wave of Mirai botnet attacks is exploiting CVE-2024-3721 to target TBK DVR devices. The campaign uses a POST request to execute system commands without authorization, downloading and running an ARM32 binary. This Mirai variant includes features like RC4 string encryption, anti-VM checks, and anti-emulation techniques. The malware verifies if it's running in a virtual environment and checks for allowed directories. Infected devices are primarily located in China, India, Egypt, Ukraine, Russia, Turkey, and Brazil. Over 50,000 exposed DVR devices are potentially vulnerable. The botnet's main goal is to conduct DDoS attacks. Updating vulnerable devices and performing factory resets are recommended as protective measures.