A recent Necro Python bot campaign shows that the developer behind the malware is working hard to expand its capabilities. The latest variant targets both Windows and Linux systems and, according to Cisco Talos, changes its own code to evade detection by traditional security tools.

Although the bot was first discovered earlier this year, the latest activity shows numerous changes, ranging from different command and control (C2) communications to new exploits for propagation, notably vulnerabilities in VMware vSphere, SCO OpenServer and Vesta Control Panel, along with SMB-based exploits that were not present in previous iterations of the code.

A version of the bot released on May 18 also includes exploits for EternalBlue (CVE-2017-0144) and EternalRomance (CVE-2017-0147). The bot first tries to exploit these vulnerabilities on Linux- and Windows-based systems. If successful, the malware uses a JavaScript downloader, a Python interpreter with its scripts, and executables built with PyInstaller to enroll the compromised system in the botnet as a slave machine.

Necro Python then establishes a connection to a command and control (C2) server to maintain contact with its operator, receive commands, exfiltrate data, or deploy additional malware payloads. A new addition to the bot is the XMRig cryptocurrency miner, used to generate Monero (XMR) by stealing computing resources from the compromised machine.

One of the most alarming capabilities in the latest version of Necro is code transformation: Talos found that the script's code takes a different shape after each iteration. This turns Necro into a polymorphic worm that spreads by abusing a growing number of web-based interfaces and SMB exploits.
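To show why a per-file hash is a weak signal against a script that rewrites itself on every iteration, here is an added Python example (not Talos code and not the bot's own code): two constructed, harmless scripts with identical logic but different identifiers, comments and spacing get different SHA-256 hashes, while a fingerprint over the normalized token stream stays the same and still separates them from a script with different logic.

```python
import builtins
import hashlib
import io
import keyword
import tokenize

# Constructed, harmless variants: same behaviour, different surface text.
VARIANT_A = '''
# first variant
def beacon(host, port):
    greeting = "hello"
    return host + ":" + str(port) + "/" + greeting
'''

VARIANT_B = '''
# second variant, identifiers renamed and comment changed
def xq91(aa,bb):
    zz = "hello"
    return aa+":"+str(bb)+"/"+zz
'''

# Constructed script with different logic, used as a negative control.
VARIANT_C = '''
def other(a):
    return a * 2
'''


def content_hash(src: str) -> str:
    """Plain SHA-256 of the text: changes whenever any byte changes."""
    return hashlib.sha256(src.encode()).hexdigest()


def structural_fingerprint(src: str) -> str:
    """SHA-256 of the token stream with comments dropped and every
    user-defined name replaced by a placeholder. Keywords, builtins,
    operators and literals are kept, so renaming or re-spacing does
    not move the value, but changing the logic does."""
    parts = []
    for tok in tokenize.generate_tokens(io.StringIO(src).readline):
        if tok.type in (tokenize.COMMENT, tokenize.NL, tokenize.ENCODING):
            continue  # tokenize never emits whitespace tokens, so spacing is already gone
        if tok.type in (tokenize.NEWLINE, tokenize.INDENT, tokenize.DEDENT):
            parts.append(tokenize.tok_name[tok.type])  # keep block structure
        elif tok.type == tokenize.NAME and not keyword.iskeyword(tok.string) \
                and not hasattr(builtins, tok.string):
            parts.append("ID")  # user identifier: name does not matter
        else:
            parts.append(tok.string)
    return hashlib.sha256(" ".join(parts).encode()).hexdigest()


def same_family(a: str, b: str) -> bool:
    """True when two scripts normalize to the same structural fingerprint."""
    return structural_fingerprint(a) == structural_fingerprint(b)
```

The same idea is why Talos can describe a polymorphic script as detectable by behaviour- and structure-aware tools even though every copy has a fresh hash.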

Beyond its transformation capabilities, Necro installs a user-mode rootkit to hide its malicious files, processes and registry entries, with the overall goal of making the bot harder to detect. These tactics may help Necro evade traditional, basic security protection, but Talos says it is detected by more modern tools, including Extended Detection and Response (XDR) products.

Users and companies must adopt stronger security measures: these threats keep evolving, and defenses must evolve with them so that we do not fall victim to such malicious applications.
