In the last week of September 2021, Juniper Threat Labs detected a new activity from Necro Python (a.k.a N3Cr0m0rPh , Freakout, Python.IRCBot) that is actively exploiting some services, including a new exploit added to its arsenal. This new exploit targets Visual Tools DVR VX16 126.96.36.199 from visual-tools.com (no CVE number is assigned to this vulnerability). Successful exploitation will download the bot into the system and install a Monero miner.
Necro was first discovered in January. The threat actor made a move in March and in May, adding new exploits to its arsenal.
Necro bot is an interesting python bot that has many functions which include the following:
- Network Sniffer
- Spreading by exploits
- Spreading by brute-force
- Using Domain Generation Algorithm
- Installing a Windows rootkit
- Receiving and executing bot commands
- Participating in DDoS attacks
- Infecting HTML, JS, PHP files
- Installing Monero Miner
The script can run in both Windows and Linux environments. The script has its own polymorphic engine to morph itself every execution which can bypass signature-based defenses. This works by reading every string in its code and encrypting it using a hardcoded key.
Domain Generation Algorithm
Necro uses DGA for both its CnC and download server. It selects from a list of dynamic DNS services as its domain, e.g., ddns.net and prefixes that with 10-19 random characters. E.g., ‘3ood3dfcqchro.ddns.net’
The domains are pseudo-randomly generated using a hardcoded seed, 0xFAFFDED00001, and a counter is added until 0xFD (253 in decimal) before the counter is reset to 0. The seed controls the domain to be generated. In effect, it can generate up to 253 unique domains.
This seed is different from the previous campaigns. For instance, the sample used in the March attack used a different seed, 0x7774DEAD.
From this list of generated domains, it connects to them one by one to see which one is online. During our analysis, the following DGA domain was active:
Necro Python’s Domain Generation Algorithm
Necro connects to the CnC server, gtmpbeaxruxy.myftp.org, via IRC to receive commands which include the following:
|addport||add port to the scanner|
|delport||remove port from scanner|
|ports||send to server the ports currently scanned|
|injectcount||send to server the number of files injected|
|reinject||launch function to inject to html, php, js, htm files|
|scanner||stop or launch scanner|
|sniffer||stop or launch sniffer|
|scannetrange||scan a range of IPs|
|clearscan||empty scanner DB|
|revshell||launch a reverse shell|
|shell||launch a process using subprocess.Popen()|
|execute||executes a file|
|killbyname||kill process by name|
|killbypid||kill process by pid|
|disable||disable exploitation module|
|enable||enable exploitation module|
|getip||get current IP|
|ram||get information about the memory|
|update||update this bot|
|visit||visit a URL|
|dlexe||download and execute a file|
|info||get system information|
|repack||morph this bot|
|logout||logout from the server|
|reconnect||reconnect to the server|
|slowloris||slowloris DDoS attack|
|torflood||launch DDoS using TOR SOCKS proxies|
|loadamp||initialize amplification attack|
|reflect||launch DNS reflection attack|
We also noted a change in its TOR Socks proxies. When the bot receives the “torflood” command, it uses a set of TOR proxies for its DDOS attacks.
New Tor Proxies
|[‘188.8.131.52:9051’, ‘184.108.40.206:1080’, ‘220.127.116.11:9999’, ‘18.104.22.168:9999’, ‘22.214.171.124:9119’, ‘126.96.36.199:9500’, ‘188.8.131.52:9051’, ‘184.108.40.206:9051’, ‘220.127.116.11:666’, ‘18.104.22.168:8425’, ‘22.214.171.124:9050’, ‘126.96.36.199:9051’, ‘188.8.131.52:9050’, ‘184.108.40.206:9010’, ‘220.127.116.11:9000’, ‘127.0.0.1:9050’]|
Visual Tools DVR Exploit
As noted above, this bot added a new exploit to its arsenal. The exploit targets Visual Tools DVR VX16 18.104.22.168. A poc for this exploit was made available to the public in July, 2021.
Aside from the bot, the payload will install a XMRig Monero miner with the following wallet.
The scanner function of the bot scans for the following ports and if available, it launches its attack.
|TARGET_PORTS = [22, 80, 443, 8081, 8081, 7001]|
Juniper Threat Labs is still seeing this Necromorph exploiting the following vulnerabilities:
- CVE-2020-15568 – TerraMaster TOS before 4.1.29
- CVE-2021-2900 – Genexis PLATINUM 4410 2.1 P4410-V2-1.28
- CVE-2020-25494 – Xinuos (formerly SCO) Openserver v5 and v6
- CVE-2020-28188 – TerraMaster TOS <= 4.2.06
- CVE-2019-12725 – Zeroshell 3.9.0
Exploits used in this attack are detected by Juniper’s NGFW SRX series.
Juniper Advanced Threat Prevention Cloud detects this bot as follows:
Juniper Advanced Threat Prevention DNS Security also detects the DGA domain.
Indicators of Compromise
|File Hash||File Name|
IP Addresses & ports: