Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Necro botnet now targets Visual Tools DVRs

The FreakOut (aka Necro, N3Cr0m0rPh) Python botnet evolves, it now includes a recently published PoC exploit for Visual Tools DVR. Operators behind the FreakOut (aka Necro, N3Cr0m0rPh) Python botnet have added a PoC exploit for Visual Tools DVR, a professional digital video recorder used in surveillance video systems. The POC exploit code for this vulnerability is publicly […]

Necro botnet DVR_Attack

The FreakOut (aka Necro, N3Cr0m0rPh) Python botnet evolves, it now includes a recently published PoC exploit for Visual Tools DVR.

Operators behind the FreakOut (aka Necro, N3Cr0m0rPh) Python botnet have added a PoC exploit for Visual Tools DVR, a professional digital video recorder used in surveillance video systems. The POC exploit code for this vulnerability is publicly available since July 2021.

The botnet appeared on the threat landscape in November 2020, the attacks aimed at compromising the target systems to create an IRC botnet, which can later be used to conduct several malicious activities, including DDoS attacks and crypto-mining campaigns.

At the end of September 2021, researchers at Juniper Threat Labs observed new activity from Necro Python (a.k.a N3Cr0m0rPh , Freakout, Python.IRCBot), it actively exploited some services, including an exploit for Visual Tools DVR VX16 4.2.28.0 from visual-tools.com. Upon exploiting the flaw, the bot will be downloaded into the system to deploy a Monero miner.

Necro botnet DVR_Attack

According to Juniper experts, the Necro bot supports many functions, including:

  • Network Sniffer
  • Spreading by exploits
  • Spreading by brute-force
  • Using Domain Generation Algorithm
  • Installing a Windows rootkit
  • Receiving and executing bot commands
  • Participating in DDoS attacks
  • Infecting HTML, JS, PHP files
  • Installing Monero Miner

The script can run on both Windows and Linux systems, it leverages polymorphism to bypass signature-based defenses. The botnet uses Domain generation algorithms (DGA) for both its C2 infrastructure and download server.

“We have noted a few changes on this bot from the previous version. First, it removed the SMB scanner which was observed in the May 2021 attack. Second, it changed the url that it injects to script files on the compromised system.” reads the analysis published by the experts. Previously, it used a hardcoded url, ‘ublock-referer[.]dev/campaign.js’ and injects this on the scripts and now it uses the DGA for its url, i.e., ‘DGA_DOMAIN/campaign.js’. ”

The bot implements a scanner function that scans for the following ports and if available, it launches its attack.

TARGET_PORTS = [22, 80, 443, 8081, 8081, 7001]

This version of the Necro botnet also includes exploits for the following vulnerabilities:

  1. CVE-2020-15568 – TerraMaster TOS before 4.1.29
  2. CVE-2021-2900 – Genexis PLATINUM 4410 2.1 P4410-V2-1.28
  3. CVE-2020-25494 – Xinuos (formerly SCO) Openserver v5 and v6
  4. CVE-2020-28188 – TerraMaster TOS <= 4.2.06
  5. CVE-2019-12725 – Zeroshell 3.9.0

Unlike previous versions of the Necro bot, the latest one is able to launch DDoS attacks using TOR SOCKS proxies.

The analysis published by Juniper includes Indicators of Compromise (IoC).

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Necro botnet)

[adrotate banner=”5″]

[adrotate banner=”13″]