Select Page

New upgrades have been made to a Python-based “self-replicating, polymorphic bot” called Necro in what’s seen as an attempt to improve its chances of infecting vulnerable systems and evading detection.

“Although the bot was originally discovered earlier this year, the latest activity shows numerous changes to the bot, ranging from different command-and-control (C2) communications and the addition of new exploits for spreading, most notably vulnerabilities in VMWare vSphere, SCO OpenServer, Vesta Control Panel and SMB-based exploits that were not present in the earlier iterations of the code,” researchers from Cisco Talos said in a deep-dive published today.

Said to be in development as far back as 2015, Necro (aka N3Cr0m0rPh) targets both Linux and Windows devices, with heightened activity observed at the start of the year as part of a malware campaign dubbed “FreakOut” that was found exploiting vulnerabilities in network-attached storage (NAS) devices running on Linux machines to co-opt the machines into a botnet for launching distributed denial-of-service (DDoS) attacks and mining Monero cryptocurrency.

In addition to its DDoS and RAT-like functionalities to download and launch additional payloads, Necro is designed with stealth in mind by installing a rootkit that hides its presence on the system. What’s more, the bot also injects malicious code to retrieve and execute a JavaScript-based miner from a remote server into HTML and PHP files on infected systems.

images from Hacker News