Necro Python bot now enhanced with new VMWare, server exploits

Pierluigi Paganini June 04, 2021

Operators behind the Necro Python botnet have added new features to their bot, including VMWare and server exploits.

Experts from Cisco Talos have recently observed a new Necro Python bot campaign and noticed that its developers have improved its capabilities.

The Necro Python bot, aka FreakOut, has been in development since 2015 and early this year researchers from Check Point and Netlab 360 have provided details about its activity.

Researchers noticed that malware authors have added multiple exploits for over 10 different web applications and the SMB protocol. The malicious code includes exploits for vulnerabilities in VMWare vSphere, SCO OpenServer, and the Vesta Control Panel. 

The attack chain starts with the exploitation of one of the flaws in the targeted applications or the operating systems. In some cases, experts noticed that attackers used a Java-based downloader for the initial infection stage. The malware could infect bot Linux-based and Windows operating systems, The malware leverages a combination of a standalone Python interpreter and a malicious script, an also ELF executables created with pyinstaller.

Talos experts noticed that a version released on May 18 included Python versions of EternalBlue (CVE-2017-0144) and EternalRomance (CVE-2017-0147) exploits with a Windows download command line as the payload.

In the newest samples discovered on May 22, the bot improved its ability to supply credentials for SMB but the new features are not included the main exploit function.

“The usernames and passwords are now in a separate two arrays and extended to include many other usernames and passwords. The exploitation function of this sample does not contain EternalBlue and EternalRomance but attempts to connect over SMB (port 445) and create a service remotely to download and run the main bot file.” reads the analysis published by Talos.

Once compromised a system, the Necro Python bot will connect to a command-and-control (C2) server, it supports multiple commands, including the ability to exfiltrate data or to drop additional payloads. 

The main payloads allow the malware to launch DDoS attacks, sniff and exfiltre network traffic using a SOCKS proxy and install XMRig Monero cryptocurrency mining software.

The bot used a user-mode rootkit to hide the malicious process and malicious registry entries created.

“A significant part of the code is dedicated to downloading and running a Monero miner XMRig program.” continues the post. “The bot also injects the code to download and execute a JavaScript-based miner from an attacker-controlled server into HTML and PHP files on infected systems. If the user opens the infected application, a JavaScript-based Monero miner will run within their browser’s process space.”

Necro Python

The latest versions also implement polymorphic abilities, like other IoT botnets, the malware targets small and home office (SOHO) routers.

“Necro Python bot shows an actor that follows the latest development in remote command execution exploits on various web applications and includes the new exploits into the bot,” concludes the report. “This increases its chances of spreading and infecting systems. Users need to make sure to regularly apply the latest security updates to all of the applications, not just operating systems.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Necro Python bot)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment