CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
99.8%
Threat group FreakOut’s Necro botnet has developed a new trick: infecting Visual Tools DVRs with a Monero miner.
Juniper Threat Labs researchers have issued a report detailing new activities from FreakOut, also known as Necro Python and Python.IRCBot. In late September, the team noticed that the botnets started to target Visual Tools DVR VX16 4.2.28.0 models with cryptomining attacks. The devices are typically deployed as part of a professional-quality surveillance system.
A command injection vulnerability was found in the same devices last July. Visual Tools has not yet responded to Threatpost’s request for comment.
“The script can run in both Windows and Linux environments,” the Juniper report said. “The script has its own polymorphic engine to morph itself every execution which can bypass signature-based defenses. This works by reading every string in its code and encrypting it using a hardcoded key.”
FreakOut has been on the scene since at least January, exploiting recently identified and unpatched vulnerabilities to launch distributed denial-of-service (DDoS) and cryptomining attacks. Juniper reports that the threat actors have developed several iterations of the Necro bot, making steady improvements in its performance and persistence over the past several months.
“We have noted a few changes on this bot from the previous version,” the report said. “First, it removed the SMB scanner which was observed in the May 2021 attack. Second, it changed the url that it injects to script files on the compromised system.”
The team explained that more recent versions of the Necro bot scrapped its previous reliance on a hardcoded URL for a domain generation algorithm (DGA) for added persistence.
The new exploit has not yet been fully evaluated for a CVE, according to NIST, but a proof of concept is available through the Exploit Database.
First the Necro bot scans for the target port: [22, 80, 443, 8081, 8081, 7001]. If detected, it will launch a XMRig – that’s a high-performance Monero (XMR) miner – linked to this wallet:
[45iHeQwQaunWXryL9YZ2egJxKvWBtWQUE4PKitu1VwYNUqkhHt6nyCTQb2dbvDRqDPXveNq94DG9uTndKcWLYNoG2uonhgH]
The team added that the bot is also still actively trying to exploit these previously identified vulnerabilities:
Mounir Hahad, head of Juniper Threat Labs, told Threatpost that security teams need security that’s equipped to handle DGA domain attempts.
“The very existence of this kind of botnet highlights the need for a connected security approach where DNS security capabilities on the network identify connection attempts to DGA domains behind public dynamic DNS services, as well as routers, switches, and firewalls that are capable of immediately isolating the compromised host from the rest of the network,” Hahad said.
Check out our free upcoming live and on-demand online town halls– unique, dynamic discussions with cybersecurity experts and the Threatpost community.
blogs.juniper.net/en-us/threat-research/necro-python-botnet-goes-after-vulnerable-visualtools-dvr
nvd.nist.gov/vuln/detail/CVE-2021-42071
packetstormsecurity.com/files/163395/Visual-Tools-DVR-VX16-4.2.28.0-Command-Injection.html
support.alertlogic.com/hc/en-us/articles/360001389791-XMRig-Monero-Miner#:~:text=XMRig%20is%20a%20high%20performance,(both%20x86%20and%20x86_64).&text=Execution%20of%20the%20miner%20will,power%20to%20mine%20Monero%20coins.
threatpost.com/bogus-cryptomining-apps-google-play/168785/
threatpost.com/category/webinars/
threatpost.com/linux-attack-freakout-malware/163137/
www.exploit-db.com/exploits/50098
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
99.8%