Necro botnet now targets Visual Tools DVRs

Pierluigi Paganini October 12, 2021

The FreakOut (aka Necro, N3Cr0m0rPh) Python botnet evolves, it now includes a recently published PoC exploit for Visual Tools DVR.

Operators behind the FreakOut (aka Necro, N3Cr0m0rPh) Python botnet have added a PoC exploit for Visual Tools DVR, a professional digital video recorder used in surveillance video systems. The POC exploit code for this vulnerability is publicly available since July 2021.

The botnet appeared on the threat landscape in November 2020, the attacks aimed at compromising the target systems to create an IRC botnet, which can later be used to conduct several malicious activities, including DDoS attacks and crypto-mining campaigns.

At the end of September 2021, researchers at Juniper Threat Labs observed new activity from Necro Python (a.k.a N3Cr0m0rPh , Freakout, Python.IRCBot), it actively exploited some services, including an exploit for Visual Tools DVR VX16 from Upon exploiting the flaw, the bot will be downloaded into the system to deploy a Monero miner.

Necro botnet DVR_Attack

According to Juniper experts, the Necro bot supports many functions, including:

  • Network Sniffer
  • Spreading by exploits
  • Spreading by brute-force
  • Using Domain Generation Algorithm
  • Installing a Windows rootkit
  • Receiving and executing bot commands
  • Participating in DDoS attacks
  • Infecting HTML, JS, PHP files
  • Installing Monero Miner

The script can run on both Windows and Linux systems, it leverages polymorphism to bypass signature-based defenses. The botnet uses Domain generation algorithms (DGA) for both its C2 infrastructure and download server.

“We have noted a few changes on this bot from the previous version. First, it removed the SMB scanner which was observed in the May 2021 attack. Second, it changed the url that it injects to script files on the compromised system.” reads the analysis published by the experts. Previously, it used a hardcoded url, ‘ublock-referer[.]dev/campaign.js’ and injects this on the scripts and now it uses the DGA for its url, i.e., ‘DGA_DOMAIN/campaign.js’. ”

The bot implements a scanner function that scans for the following ports and if available, it launches its attack.

TARGET_PORTS = [22, 80, 443, 8081, 8081, 7001]

This version of the Necro botnet also includes exploits for the following vulnerabilities:

  1. CVE-2020-15568 – TerraMaster TOS before 4.1.29
  2. CVE-2021-2900 – Genexis PLATINUM 4410 2.1 P4410-V2-1.28
  3. CVE-2020-25494 – Xinuos (formerly SCO) Openserver v5 and v6
  4. CVE-2020-28188 – TerraMaster TOS <= 4.2.06
  5. CVE-2019-12725 – Zeroshell 3.9.0

Unlike previous versions of the Necro bot, the latest one is able to launch DDoS attacks using TOR SOCKS proxies.

The analysis published by Juniper includes Indicators of Compromise (IoC).

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Necro botnet)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment