Operators behind the FreakOut (aka Necro, N3Cr0m0rPh) Python botnet have added a PoC exploit for Visual Tools DVR, a professional digital video recorder used in surveillance video systems. The POC exploit code for this vulnerability is publicly available since July 2021.
The botnet appeared on the threat landscape in November 2020, the attacks aimed at compromising the target systems to create an IRC botnet, which can later be used to conduct several malicious activities, including DDoS attacks and crypto-mining campaigns.
At the end of September 2021, researchers at Juniper Threat Labs observed new activity from Necro Python (a.k.a N3Cr0m0rPh , Freakout, Python.IRCBot), it actively exploited some services, including an exploit for Visual Tools DVR VX16 4.2.28.0 from visual-tools.com. Upon exploiting the flaw, the bot will be downloaded into the system to deploy a Monero miner.
According to Juniper experts, the Necro bot supports many functions, including:
The script can run on both Windows and Linux systems, it leverages polymorphism to bypass signature-based defenses. The botnet uses Domain generation algorithms (DGA) for both its C2 infrastructure and download server.
“We have noted a few changes on this bot from the previous version. First, it removed the SMB scanner which was observed in the May 2021 attack. Second, it changed the url that it injects to script files on the compromised system.” reads the analysis published by the experts. Previously, it used a hardcoded url, ‘ublock-referer[.]dev/campaign.js’ and injects this on the scripts and now it uses the DGA for its url, i.e., ‘DGA_DOMAIN/campaign.js’. ”
The bot implements a scanner function that scans for the following ports and if available, it launches its attack.
TARGET_PORTS = [22, 80, 443, 8081, 8081, 7001] |
This version of the Necro botnet also includes exploits for the following vulnerabilities:
Unlike previous versions of the Necro bot, the latest one is able to launch DDoS attacks using TOR SOCKS proxies.
The analysis published by Juniper includes Indicators of Compromise (IoC).
Follow me on Twitter: @securityaffairs and Facebook
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, Necro botnet)
[adrotate banner=”5″]
[adrotate banner=”13″]