Necro, a Python-based self-replicating, polymorphic bot, has received new enhancements to increase its chances of infecting susceptible systems and bypassing detection.
The Necro Python bot has been under development since 2015, and the malware’s developer is working to improve the malware’s capabilities.
Cisco Talos researchers published a report on the bot; Check Point Research (CPR) and Netlab 360 had tracked the botnet's development in January 2021 under the names FreakOut and Necro.
The bot’s developer has made a number of enhancements to boost the bot’s power and versatility, including exploits for over ten different web apps and the SMB protocol, which have been used in recent campaigns.
The targeted vulnerabilities include ones in VMware vSphere, SCO OpenServer, and the Vesta Control Panel.
A version of the botnet released on May 18 also includes the EternalBlue (CVE-2017-0144) and EternalRomance (CVE-2017-0147) exploits.
The bot first attempts to exploit these vulnerabilities on both Linux and Windows systems.
If successful, the malware enlists the infected system in the botnet as a slave machine, using a JavaScript downloader, a Python interpreter with scripts, and executables generated with PyInstaller.
Necro Python will then connect to a command-and-control (C2) server in order to keep in touch with its operator, receive commands, exfiltrate data, and deliver further malware payloads.
The bot also bundles the XMRig cryptocurrency miner, which mines Monero (XMR) using the compromised machine's computing resources.
The bot also injects code into HTML and PHP files on infected systems to download and execute a JavaScript-based miner from an attacker-controlled site, according to the researchers.
When a user opens one of the infected pages, the JavaScript-based Monero miner runs inside the browser's process space.
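A defender-side check for the file-injection behaviour just described: scan HTML and PHP files in a web root for script tags that pull JavaScript from hosts outside an allowlist, and for content appended after the closing `</html>` tag. This is an added example, not code from Necro, Talos or the other researchers; the allowlist, host names and sample pages are constructed, and the "after `</html>`" rule is a heuristic assumption, not a documented Necro trait.

```python
import re
from urllib.parse import urlparse

# Hosts from which this (hypothetical) site legitimately loads scripts.
ALLOWED_HOSTS = {"cdn.example.com", "www.example.com"}

SCRIPT_SRC_RE = re.compile(
    r"<script\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)
HTML_END_RE = re.compile(r"</html\s*>", re.IGNORECASE)


def unexpected_script_hosts(content, allowed=ALLOWED_HOSTS):
    """Script src hosts not on the allowlist. Relative srcs (no host) are
    same-origin and skipped; protocol-relative '//host/x.js' still has a host."""
    hosts = []
    for src in SCRIPT_SRC_RE.findall(content):
        host = urlparse(src.strip()).hostname
        if host and host.lower() not in allowed:
            hosts.append(host.lower())
    return hosts


def trailing_payload(content):
    """Heuristic (assumption): injected code is often appended after the
    closing </html> tag. Return that trailing text, or '' if none."""
    ends = list(HTML_END_RE.finditer(content))
    if not ends:
        return ""
    return content[ends[-1].end():].strip()


def scan(name, content, allowed=ALLOWED_HOSTS):
    """Return (file, reason, detail) findings for one file's content."""
    findings = []
    for host in unexpected_script_hosts(content, allowed):
        findings.append((name, "external-script-host", host))
    tail = trailing_payload(content)
    if tail:
        findings.append((name, "content-after-html-end", tail[:80]))
    return findings


# Constructed sample pages, not real files from any site.
CLEAN_PAGE = ('<html><head><script src="https://cdn.example.com/app.js">'
              '</script></head><body>hi</body></html>\n')
INJECTED_PAGE = CLEAN_PAGE + '<script src="//miner-host.invalid/m.js"></script>'

if __name__ == "__main__":
    for name, page in (("index.html", CLEAN_PAGE), ("about.php", INJECTED_PAGE)):
        for finding in scan(name, page):
            print(finding)
```

On a real web root, feed each file's contents to `scan` and compare the results against a known-good copy of the site; a legitimate third-party host simply goes into `ALLOWED_HOSTS`.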
Other capabilities include distributed denial-of-service (DDoS) attacks, data exfiltration, and network sniffing.
A user-mode rootkit is also installed to ensure the malware runs every time a user logs in and to hide its presence by concealing malicious processes and registry entries.
The bot's polymorphic capability is another major upgrade.
It uses a module that lets it inspect code as the interpreter sees it before compilation into bytecode, and this module has been integrated into an engine that rewrites the code at runtime.
When the bot starts, the engine reads the bot's own file and morphs the code, which can make the bot harder to identify.
The researchers advise that users keep all applications, not only operating systems, up to date with the latest security patches.