- Jul 27, 2015
A newly discovered malware campaign using the Necro Python bot shows this actor adding new functionality and improving its chances of infecting vulnerable systems. The bot contains exploits for more than 10 different web applications and for the SMB protocol.
WHAT'S NEW?
Although the bot was originally discovered earlier this year, the latest activity shows numerous changes, ranging from different command and control (C2) communications to the addition of new exploits for spreading, most notably for vulnerabilities in VMware vSphere, SCO OpenServer and Vesta Control Panel, and SMB-based exploits that were not present in earlier iterations of the code.
HOW DID IT WORK?
The infection starts with successful exploitation of a vulnerability in one of the targeted applications or operating systems. The bot targets Linux-based and Windows operating systems. A Java-based downloader is also used for the initial infection stage. The malware uses a combination of a standalone Python interpreter and a malicious script, as well as ELF executables created with PyInstaller. The bot connects to a C2 server over IRC and accepts commands related to exploitation, launching distributed denial-of-service attacks, configuration changes and RAT functionality: downloading and executing additional code, or sniffing network traffic and exfiltrating the captured data.
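A triage check for the PyInstaller-built ELF executables mentioned above. This is an added example written for this page, not code from Talos or from the bot itself. It assumes the layout of PyInstaller's trailing CArchive cookie (the 8-byte magic MEI\x0c\x0b\x0a\x0b\x0e followed by a !8sIIii64s struct holding the package length, TOC offset, TOC length, encoded Python version and libpython name); the file image it scans is constructed inline and is not a real sample.

```python
import struct

# PyInstaller appends a "CArchive" to its bootloader executable and terminates it
# with a fixed-size cookie. The magic and layout below are assumed from
# PyInstaller's archive format, not taken from the Necro sample.
PYI_COOKIE_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
PYI_COOKIE_FMT = "!8sIIii64s"
PYI_COOKIE_SIZE = struct.calcsize(PYI_COOKIE_FMT)  # 88 bytes


def decode_pyvers(pyvers):
    """PyInstaller encodes the interpreter version as major*10+minor in older
    releases (27, 38) and major*100+minor in newer ones (309). Handle both."""
    if pyvers >= 100:
        return pyvers // 100, pyvers % 100
    return pyvers // 10, pyvers % 10


def find_pyinstaller_cookie(data):
    """Locate the trailing CArchive cookie in a file image and parse it.
    Returns a dict of fields, or None when no cookie is present."""
    idx = data.rfind(PYI_COOKIE_MAGIC)
    if idx < 0 or idx + PYI_COOKIE_SIZE > len(data):
        return None
    _magic, pkg_len, toc_pos, toc_len, pyvers, pylib = struct.unpack_from(
        PYI_COOKIE_FMT, data, idx)
    major, minor = decode_pyvers(pyvers)
    return {
        "cookie_offset": idx,
        "package_length": pkg_len,
        "toc_offset": toc_pos,
        "toc_length": toc_len,
        "python_version": "%d.%d" % (major, minor),
        "python_lib": pylib.rstrip(b"\x00").decode("ascii", "replace"),
    }


def triage(data):
    """Summarise a file image: is it ELF, does it carry a PyInstaller archive,
    and which Python it was bundled with."""
    result = {"elf": data[:4] == b"\x7fELF", "pyinstaller": False}
    cookie = find_pyinstaller_cookie(data)
    if cookie:
        result["pyinstaller"] = True
        result.update(cookie)
    return result


def build_sample(pyvers=309, pylib=b"libpython3.9.so.1.0"):
    """Constructed stand-in for a PyInstaller one-file ELF: a fake 64-byte ELF
    header, a dummy archive body and a correctly formatted trailing cookie.
    It is not a runnable binary and not derived from any real sample."""
    fake_elf = b"\x7fELF\x02\x01\x01" + b"\x00" * 57 + b"\x90" * 200
    archive = b"PYZ-00.pyz" + b"\x00" * 54
    cookie = struct.pack(
        PYI_COOKIE_FMT, PYI_COOKIE_MAGIC, len(archive) + PYI_COOKIE_SIZE,
        0, len(archive), pyvers, pylib.ljust(64, b"\x00"))
    return fake_elf + archive + cookie


# Constructed control: an ELF-looking blob with no PyInstaller archive at all.
CLEAN_ELF = b"\x7fELF\x02\x01\x01" + b"\x00" * 57 + b"\xcc" * 200


if __name__ == "__main__":
    for name, blob in (("bundled sample", build_sample()), ("clean elf", CLEAN_ELF)):
        print(name, triage(blob))
```

Searching for the cookie magic rather than relying on file extension or ELF section names catches bundles regardless of how the archive was attached, and the decoded Python version and libpython name tell an analyst which interpreter to use when unpacking the embedded script for inspection.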
SO WHAT?
Necro Python bot shows an actor that follows the latest developments in remote command execution exploits for various web applications and incorporates new exploits into the bot as they appear. This increases its chances of spreading and infecting systems. Users need to make sure they regularly apply the latest security updates to all of their applications, not just to operating systems. Here we are dealing with a self-replicating, polymorphic bot that exploits server-side software in order to spread. The bot is similar to others, like Mirai, in that it targets small and home office (SOHO) routers. However, this bot uses Python to support multiple platforms, rather than downloading a binary specifically compiled for the targeted system.