Necro Python bot revamped with new VMWare, server exploits


The latest version is also equipped with a cryptocurrency miner.

New upgrades have been made to the Python-based “self-replicating, polymorphic bot” called Necro in order to improve its chances of infecting vulnerable systems and evading detection.

Necro Python bot has been in development since 2015 and the developer behind the malware is working hard to ramp up its capabilities.

Researchers from Cisco Talos published a report on the bot, while the botnet’s development progress was documented in January 2021 by both CheckPoint Research (CPR) and Netlab 360, tracked separately as FreakOut and Necro. 

The developer behind the Necro Python bot has made numerous changes to increase the power and versatility of the bot, including exploits for over 10 different web applications and the SMB protocol that are being weaponized in the bot’s recent campaigns. 

Exploits are included for vulnerabilities in software such as VMWare vSphere, SCO OpenServer, and the Vesta Control Panel. 

A version of the botnet that was released on May 18, also includes exploits for EternalBlue (CVE-2017-0144) and EternalRomance (CVE-2017-0147). 

The bot will first try to exploit these vulnerabilities on both Linux and Windows-based operating systems. If successful, the malware uses a JavaScript downloader, Python interpreter and scripts, and executables created with pyinstaller to begin roping the compromised system into the botnet as a slave machine. 

Necro Python will then establish a connection to a command-and-control (C2) server to maintain contact with its operator, receive commands, to exfiltrate data, or to deploy additional malware payloads. 

A new addition to the bot is a cryptocurrency miner, XMRig, that can generate Monero (XMR) by stealing the compromised machine’s computing resources. 

The researchers stated that the bot also injects the code to download and execute a JavaScript-based miner from an attacker-controlled server into HTML and PHP files on infected systems. If the user opens the infected application, a JavaScript-based Monero miner will run within their browser’s process space.

Some of the other features include the ability to launch distributed denial-of-service (DDoS) attacks, data exfiltration, and network sniffing. 

A user-mode rootkit is also installed to establish persistence by ensuring the malware launches whenever a user logs in, and to hide its presence by burying malicious processes and registry entries. 

Another notable upgrade is the bot’s polymorphic abilities. It has a module to allow developers to view code as it would be seen by an interpreter before being compiled to bytecode, and this module has been integrated into an engine that could allow runtime modifications. 

The engine runs every time the bot is started and it will read its own file before morphing the code, a technique that can make it difficult to detect a bot.

The researchers added that users must make sure to regularly apply the latest security updates to all of the applications, not just operating systems.


Please enter your comment!
Please enter your name here