Mirai Botnet Hijacks DVRs Using New CVE Exploit

A newly discovered variant of the Mirai botnet is exploiting a critical vulnerability, CVE-2024-3721, in TBK DVR-4104 and DVR-4216 digital video recorders, according to researchers from cybersecurity firm Kaspersky. The malware uses a direct infection method, bypassing architecture detection by deploying an ARM32 binary—tailored to the devices’ specifications—via a malicious POST request.

Unlike earlier Mirai iterations, this version includes advanced evasion techniques such as RC4-based string encryption, anti-virtual machine checks, and anti-emulation checks. It verifies its execution path against a whitelist of directories before it begins receiving commands.

Kaspersky identified over 50,000 vulnerable DVRs exposed online, primarily in China, India, Egypt, Ukraine, Russia, Turkey, and Brazil. While the total number of infections remains unclear, the firm warns that unpatched Linux-based IoT systems remain prime targets.

Researchers recommend immediate patching and, where possible, factory resets to mitigate risk, particularly for devices that don’t retain changes after reboot.
