A Python-based “self-replicating, polymorphic bot” known as Necro has received a set of upgrades that appear designed to improve its ability to infiltrate vulnerable systems and evade detection. First reported earlier this year, the bot now shows significant modifications, including changes to its command-and-control (C2) communication techniques and the addition of new exploits targeting systems such as VMware vSphere and SCO OpenServer. Researchers from Cisco Talos documented these upgrades in a detailed report.
Developed as early as 2015, the Necro bot, also referred to as N3Cr0m0rPh, targets both Linux and Windows environments. Increased malicious activity linked to this bot has been observed throughout the year, particularly as part of a campaign dubbed “FreakOut.” That operation exploits vulnerabilities in Linux-based network-attached storage (NAS) devices, enabling the bot to form a botnet used for launching distributed denial-of-service (DDoS) attacks and mining Monero cryptocurrency.
Beyond its DDoS capabilities, Necro emulates remote access Trojan (RAT) behaviors, allowing it to download and execute additional malicious payloads. A distinctive feature of Necro is its stealth mechanism, which involves installing a rootkit to mask its presence. Additionally, the bot inserts harmful code into HTML and PHP files, facilitating the execution of a JavaScript-based miner sourced from remote servers.
Analysis of the most recent iterations of the malware, specifically those identified on May 11 and 18, indicates a shift in target vulnerabilities. Previously, the malware exploited weaknesses in systems such as Liferay Portal and the Laminas Project. The latest versions, however, use command injection exploits against platforms such as Vesta Control Panel and ZeroShell, in addition to a remote code execution vulnerability affecting VMware vCenter (CVE-2021-21972), which was patched earlier this year.
The variant encountered on May 18 also added the EternalBlue (CVE-2017-0144) and EternalRomance (CVE-2017-0145) exploits, both of which target remote code execution flaws in the Windows SMB protocol. This shift underscores the ongoing effort by the malware authors to integrate newly disclosed vulnerabilities into their attacks, enhancing the bot’s capabilities for distribution and infection.
Of particular concern is the incorporation of a polymorphic engine that lets the bot modify its source code with each iteration while preserving the core algorithm; this serves as a rudimentary mechanism for evading signature-based detection, since every copy has a different file hash. The enhancements to the Necro bot highlight a modular approach to its development, aligning with the latest trends in remote command execution exploits targeting various web applications.
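As an added example (not code from the Talos report or from the malware), the following Python shows why a plain file-hash signature fails against source-level polymorphism of the kind described above, and why a fingerprint over a normalized syntax tree does not. The two samples are constructed, benign stand-ins that differ only in identifier names, comments and layout.

```python
import ast
import hashlib

# Constructed benign samples: two variants of the same routine that differ only
# in identifier names, comments and formatting, the kind of surface change a
# source-level polymorphic engine makes between iterations.
VARIANT_A = '''
def beacon(host, port):
    # build the check-in message
    msg = "hello:" + host + ":" + str(port)
    return msg.upper()
'''

VARIANT_B = '''
def qzx_17(a1, a2):
    r = "hello:" + a1 + ":" + str(a2)  # same logic, renamed
    return r.upper()
'''


def file_hash(source: str) -> str:
    """Plain SHA-256 of the bytes: what a file-hash signature matches on."""
    return hashlib.sha256(source.encode()).hexdigest()


class _Normalizer(ast.NodeTransformer):
    """Rewrite every identifier to a positional placeholder (v0, v1, ...) so a
    rename does not change the tree; comments and whitespace are already
    dropped by the parser."""

    def __init__(self):
        super().__init__()
        self.names = {}

    def _canon(self, name):
        return self.names.setdefault(name, f"v{len(self.names)}")

    def visit_FunctionDef(self, node):
        node.name = self._canon(node.name)
        for arg in node.args.args:
            arg.arg = self._canon(arg.arg)
        self.generic_visit(node)
        return node

    def visit_Name(self, node):
        node.id = self._canon(node.id)
        return node


def structural_hash(source: str) -> str:
    """SHA-256 over the normalized AST dump: stable across identifier renames,
    comment changes and reformatting, so it survives this class of mutation."""
    tree = _Normalizer().visit(ast.parse(source))
    return hashlib.sha256(ast.dump(tree).encode()).hexdigest()
```

A fingerprint like this only defeats surface-level rewriting; an engine that also reorders statements or substitutes equivalent constructs needs behavioural detection instead.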
Researchers from Talos assert that the evolution of the Necro bot demonstrates the actor’s keen awareness of current vulnerabilities in web applications. This adaptability increases the likelihood of the bot spreading and infecting systems. Business owners are urged to remain vigilant and to consistently apply security updates across all applications to mitigate the threat.