Cybercrime, the Necro Python malware is evolving

Cisco Talos: the Necro Python malware is evolving. The bot has new features, ranging from different C2 communications to exploits for spreading

The Necro Python malware is evolving and adding new features, according to Cisco Talos cybersecurity experts who discovered the changes. The new features range from different command and control (C2) communications to the addition of new exploits for spreading, most notably exploits for vulnerabilities in VMWare vSphere, SCO OpenServer and Vesta Control Panel, and SMB-based exploits, none of which were present in earlier iterations of the code. The infection starts with the successful exploitation of a vulnerability in one of the targeted applications or operating systems. The bot targets both Linux-based and Windows operating systems. A Java-based downloader is also used for the initial infection stage. The malware uses a combination of a standalone Python interpreter and a malicious script, as well as ELF executables created with pyinstaller.

How the malicious code works according to the cybersecurity experts

According to the cybersecurity experts, Necro Python can now connect to a C2 server over IRC and accepts commands related to exploitation, launching DDoS attacks, configuration changes, and RAT functionality to download and execute additional code or to sniff network traffic and exfiltrate the captured data. The bot hides its presence on the system by installing a user-mode rootkit designed to conceal the malicious process and the malicious registry entries it creates to ensure that the bot runs every time a user logs into the infected system. Furthermore, a significant part of the code is dedicated to downloading and running the XMRig Monero miner. The bot also injects code into HTML and PHP files on infected systems that downloads and executes a JavaScript-based miner from an attacker-controlled server.
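The last behaviour described above, injecting a script loader into existing HTML and PHP files, leaves a trace that a web server owner can scan for. The following is an added example of such a check, not code from the article or from Talos: it walks web files, extracts every `<script src=...>` tag, and reports any that loads from a host outside an allowlist. The sample files, the allowlist entry `cdn.example-allowed.test` and the `miner-host.invalid` hostname are constructed for the example and are not real indicators.

```python
import os
import re
from urllib.parse import urlparse

# Constructed sample web files (not real infected content). "contact.php" carries an
# injected external script tag of the kind the article describes; the others are clean.
SAMPLE_FILES = {
    "index.html": '<html><head><script src="/static/app.js"></script></head><body>hi</body></html>',
    "about.php": "<?php echo 'about'; ?>\n"
                 '<script src="https://cdn.example-allowed.test/lib.js"></script>',
    "contact.php": "<?php include 'header.php'; ?>\n"
                   '<script src="http://miner-host.invalid/xmr.js"></script>\n<p>contact</p>',
}

# Hosts the site legitimately loads scripts from (constructed placeholder for the example).
ALLOWED_HOSTS = {"cdn.example-allowed.test"}

# Matches the src attribute of a <script> tag, with either quote style, case-insensitively.
SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)


def external_script_hosts(content):
    """Return (src, host) pairs for every script tag whose src points at another host.

    Relative paths such as /static/app.js have no host and are treated as local.
    Protocol-relative URLs (//host/x.js) are resolved to their host as well.
    """
    hits = []
    for src in SCRIPT_SRC_RE.findall(content):
        host = urlparse(src).hostname
        if host:
            hits.append((src, host.lower()))
    return hits


def scan_files(files, allowed_hosts):
    """Map filename -> list of script srcs loading from a host not in the allowlist."""
    findings = {}
    for name, content in files.items():
        suspicious = [src for src, host in external_script_hosts(content)
                      if host not in allowed_hosts]
        if suspicious:
            findings[name] = suspicious
    return findings


def scan_directory(root, allowed_hosts, extensions=(".html", ".htm", ".php")):
    """Apply scan_files to every web file under a real document root."""
    files = {}
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            if filename.lower().endswith(extensions):
                path = os.path.join(dirpath, filename)
                with open(path, encoding="utf-8", errors="replace") as handle:
                    files[path] = handle.read()
    return scan_files(files, allowed_hosts)


if __name__ == "__main__":
    for name, srcs in scan_files(SAMPLE_FILES, ALLOWED_HOSTS).items():
        print(f"{name}: unexpected external script(s): {srcs}")
```

Run against a real document root with `scan_directory("/var/www/html", ALLOWED_HOSTS)`; the allowlist should be populated from the site's own known CDNs so that only newly appeared external loaders are reported. Comparing the output against a baseline taken before the incident window is the quickest way to separate an injected loader from a script the site has always used.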