I. Targeted Entities
- Visual Tools DVRs
II. Introduction
A new campaign by the cybercrime group FreakOut, also known as Necro Python and Python.IRCBot, has been found infecting Visual Tools DVRs with a Monero cryptominer.
III. Background Information
Juniper Threat Labs researchers have published a report detailing the new activity from FreakOut. The team noticed in late September 2021 that the botnet had started targeting Visual Tools DVR VX16 4.2.28.0 models with cryptomining attacks.[1] Visual Tools DVRs are generally deployed as part of professional-grade surveillance systems. A command injection vulnerability in the same devices was disclosed in July 2021.[1] FreakOut has been active since at least January 2021, exploiting recently disclosed and unpatched vulnerabilities to launch DDoS and cryptomining attacks.[1] The Juniper researchers report that the group has developed several iterations of the Necro bot, steadily improving its performance and persistence over the months.[1]
Juniper researchers say that the script runs in both Windows and Linux environments and carries its own polymorphic engine that morphs the script on every execution, letting it bypass signature-based defenses. The engine does this, the researchers say, by reading every string in its code and encrypting it with a hardcoded key.[2]
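The following is an added example written for this advisory, not Necro's own engine or Juniper's code. It models the technique just described with a toy Python morpher: every string literal is XOR-encrypted under a hardcoded key, and a fresh random nonce is mixed into the keystream on each run so the emitted bytes (and their hash) change while behaviour does not. The key, the sample script, the pool host and the wallet string are all placeholders chosen for the example. The point for defenders is at the bottom: a signature on a plaintext literal stops matching after one morph, while a signature on the one thing the engine cannot change, the hardcoded key (or, in practice, the decryption routine around it), matches every variant.

```python
"""Toy model of a string-encrypting polymorphic script (added example, not Necro's code).

Assumptions not taken from the advisory: string literals are XOR-encrypted under
a hardcoded key, and every run mixes a fresh random nonce into the keystream so
the emitted bytes change while the key itself never does.
"""
import ast
import hashlib
import os

KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # hypothetical 16-byte key

# Decryptor prepended to every variant. The key is the one thing the engine
# cannot change between variants, which is what a detector should key on.
PRELUDE = f'''
_K = bytes.fromhex("{KEY.hex()}")
def _d(n, c):
    n, c = bytes.fromhex(n), bytes.fromhex(c)
    k = bytes(a ^ b for a, b in zip(_K, n))
    return bytes(x ^ k[i % len(k)] for i, x in enumerate(c)).decode()
'''


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def morph(source: str) -> str:
    """Return a new variant of `source` with every string literal encrypted."""
    nonce = os.urandom(len(KEY))
    keystream = _xor(KEY, nonce)  # per-run keystream = hardcoded key XOR nonce

    class Encrypt(ast.NodeTransformer):
        def visit_JoinedStr(self, node):
            return node  # f-string parts must stay Constants, so skip them

        def visit_Constant(self, node):
            if not isinstance(node.value, str):
                return node
            ct = _xor(node.value.encode(), keystream)
            return ast.Call(
                func=ast.Name(id="_d", ctx=ast.Load()),
                args=[ast.Constant(nonce.hex()), ast.Constant(ct.hex())],
                keywords=[],
            )

    tree = Encrypt().visit(ast.parse(source))
    return PRELUDE + ast.unparse(ast.fix_missing_locations(tree))


def run(code: str) -> str:
    """Execute a script variant and return its `result` variable."""
    namespace = {}
    exec(code, namespace)
    return namespace["result"]


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def matches_literal(text: str) -> bool:
    """Naive signature on a plaintext string: defeated by the morphing."""
    return "pool.example.invalid" in text


def matches_key(text: str) -> bool:
    """Signature on the hardcoded key: survives every variant."""
    return KEY.hex() in text


# Constructed sample script; the pool host and wallet are placeholders, not IOCs.
SAMPLE = '''
target = "pool.example.invalid:3333"
wallet = "WALLET_PLACEHOLDER"
result = target + "|" + wallet
'''

if __name__ == "__main__":
    a, b = morph(SAMPLE), morph(SAMPLE)
    print("same hash:", sha256(a) == sha256(b))          # False: new bytes each run
    print("same behaviour:", run(a) == run(SAMPLE))      # True
    print("literal sig:", matches_literal(a), "key sig:", matches_key(a))  # False True
```

Two morphs of the same input hash differently yet execute identically, which is exactly why file-hash and literal-string signatures fail against this family; the invariant decryptor and key are the stable artefact worth writing detections for.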
The Juniper team also notes several changes from the previous version: the SMB scanner observed in a May 2021 attack has been removed; the bot changed the URL it injects into script files on the compromised system; and recent versions of the Necro bot dropped the earlier reliance on a hardcoded C2 URL in favor of a domain generation algorithm (DGA), which makes the infrastructure more resilient to takedown and harder to detect.[2]
The Necro bot works as follows: it first scans for the target ports (22, 80, 443, 8081 and 7001). If one of these ports is open on a host, the bot attempts to compromise it and launches XMRig (a high-performance Monero (XMR) miner) configured to mine to a specific wallet. Juniper researchers say that the bot is also actively trying to exploit the following previously identified vulnerabilities:
- CVE-2020-15568 – TerraMaster TOS before 4.1.29
- CVE-2021-29003 – Genexis PLATINUM 4410 2.1 P4410-V2-1.28
- CVE-2020-25494 – Xinuos (formerly SCO) Openserver v5 and v6
- CVE-2020-28188 – TerraMaster TOS <= 4.2.06
- CVE-2019-12725 – Zeroshell 3.9.0[2]
Mounir Hahad, head of Juniper Threat Labs, says that security teams need defenses able to detect lookups of DGA-generated domains. Hahad also said, “The very existence of this kind of botnet highlights the need for a connected security approach where DNS security capabilities on the network identify connection attempts to DGA domains behind public dynamic DNS services, as well as routers, switches, and firewalls that are capable of immediately isolating the compromised host from the rest of the network.”[1]
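The DGA change described above and the DNS-side detection Hahad calls for can be illustrated with the following added example, which is not part of the advisory or of Juniper's research. The advisory gives no details of Necro's actual algorithm, so the generator here is a hypothetical date-seeded DGA used only to produce realistic test input; the dynamic-DNS suffixes (dyn.example, ddns.example) and the log format are constructed as well. The detector scores the host label directly under a monitored dynamic-DNS suffix by length and character entropy and reports clients that repeatedly resolve such names.

```python
"""Flag hosts resolving DGA-looking names under dynamic-DNS suffixes (added example).

The advisory says Necro moved to a DGA fronted by public dynamic-DNS services but
gives no algorithm. `toy_dga` below is a hypothetical date-seeded generator used
only to build test input; the log format and suffix list are constructed too.
"""
import hashlib
import math
import string
from collections import Counter, defaultdict
from datetime import date

DYNDNS_SUFFIXES = ("dyn.example", "ddns.example")  # assumed monitored suffixes


def toy_dga(seed: date, index: int, suffix: str) -> str:
    """Hypothetical DGA: hash the date and a counter into a 16-letter label."""
    digest = hashlib.sha256(f"{seed.isoformat()}:{index}".encode()).digest()
    label = "".join(string.ascii_lowercase[b % 26] for b in digest[:16])
    return f"{label}.{suffix}"


def entropy(s: str) -> float:
    """Shannon entropy in bits per character (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def dyndns_label(fqdn: str):
    """Return the host label directly under a monitored suffix, or None."""
    fqdn = fqdn.rstrip(".").lower()
    for suffix in DYNDNS_SUFFIXES:
        if fqdn.endswith("." + suffix):
            return fqdn[: -len(suffix) - 1].split(".")[-1]
    return None


def parse(line: str):
    """Constructed log format: '<timestamp> <client> <qname> <rcode>'."""
    _, client, qname, rcode = line.split()
    return client, qname, rcode


def suspicious_hosts(lines, min_len=12, min_entropy=3.0, min_hits=3):
    """Map client -> [(qname, rcode)] for clients with repeated DGA-like lookups.

    A label is DGA-like when it is long and has high character entropy; a client
    is reported once it has `min_hits` such lookups. A real deployment would also
    weigh the NXDOMAIN ratio and domain age so that one legitimately random-looking
    hostname does not trip the rule on its own.
    """
    hits = defaultdict(list)
    for line in lines:
        client, qname, rcode = parse(line)
        label = dyndns_label(qname)
        if label and len(label) >= min_len and entropy(label) >= min_entropy:
            hits[client].append((qname, rcode))
    return {c: q for c, q in hits.items() if len(q) >= min_hits}


# Constructed DNS log: one benign client and one DVR cycling through DGA names.
_SEED = date(2021, 10, 5)
SAMPLE_LOG = [
    "2021-10-05T08:00:01Z host-a www.example.com NOERROR",
    "2021-10-05T08:00:02Z host-a mycam.dyn.example NOERROR",
    "2021-10-05T08:00:03Z host-a office-nvr.ddns.example NOERROR",
] + [
    f"2021-10-05T08:01:{i:02d}Z dvr-1 {toy_dga(_SEED, i, 'dyn.example')} "
    f"{'NOERROR' if i == 4 else 'NXDOMAIN'}"
    for i in range(6)
]

if __name__ == "__main__":
    for client, lookups in suspicious_hosts(SAMPLE_LOG).items():
        nx = sum(rcode == "NXDOMAIN" for _, rcode in lookups)
        print(f"{client}: {len(lookups)} DGA-like lookups, {nx} NXDOMAIN")
```

Run against the constructed log, the DVR is the only client reported: most of its generated names do not yet resolve (NXDOMAIN), which is the usual signature of a bot walking a DGA until it reaches the one name the operator has registered, while the benign client's short, dictionary-like dynamic-DNS hostnames fall below the length and entropy thresholds. Feed it real resolver logs by replacing `parse` with your log format and `DYNDNS_SUFFIXES` with the dynamic-DNS providers you actually see.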
IV. MITRE ATT&CK
- T1190 – Exploit Public-Facing Application
The FreakOut group's Necro Python bot has been targeting Visual Tools DVR VX16 4.2.28.0 devices
- T1064 – Scripting (deprecated in current ATT&CK; scripting is now covered under T1059 Command and Scripting Interpreter)
A combination of standalone Python interpreter and a malicious script are used by the malware upon successful infection
- T1059.001 – PowerShell
The malware uses PowerShell functions in order to download and run Python that includes all required modules
- T1055 – Process Injection
The bot also downloads a JavaScript-based miner that, if a victim clicks it, runs within the browser's process space
- T1571 – Non-Standard Port
Several non-standard ports were observed in use, including but not limited to 5870, 42066, 52566 and 6697 (6697 is the conventional IRC-over-TLS port, consistent with the bot's IRC-based C2)
- T1219 – Remote Access Software
Necro Python bots are remotely controlled via C2 channels
- T1056 – Input Capture
The JavaScript-based bot can be configured from the C2 channel to steal clipboard data and even log keystrokes
- T1027 – Obfuscated Files or Information
Setup.py, which is downloaded via PowerShell commands, is an obfuscated bot
- T1547.001 – Registry Run Keys/Startup Folder
Upon successful infection, several registry values are updated that point to the PyInstaller-packaged bot or the standalone setup.py
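The following added example, written for this advisory and not taken from Juniper's report or from the malware, shows one way to hunt for the T1547.001 persistence described above. It parses the text output of the Windows `reg query` command for the HKCU and HKLM Run keys and flags autostart values that reference setup.py, launch a Python interpreter, or run from a user-writable directory. The registry dump is constructed for the example; its value names and paths are placeholders, not IOCs from the advisory.

```python
"""Audit Windows Run-key autostarts for Python-based persistence (added example).

Parses the text output of `reg query <key>` so it can run on an exported dump.
The registry dump below is constructed for the example; its value names are not
IOCs from the advisory. The indicators (setup.py, a Python interpreter, a
launch path under a user-writable directory) follow the T1547.001 entry above.
"""
import re

RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
)

# (reason, pattern) pairs matched case-insensitively against the value data.
INDICATORS = (
    ("references setup.py", re.compile(r"\bsetup\.py\b", re.I)),
    ("launches a Python interpreter", re.compile(r"\bpython(w|3)?\.exe\b", re.I)),
    ("runs from a user-writable location",
     re.compile(r"\\(Temp|Public|Downloads|ProgramData)\\", re.I)),
)

# `reg query` prints the key on its own line, then values indented as
# "    <name>    <REG_type>    <data>".
VALUE_RE = re.compile(r"^\s{2,}(\S+)\s+(REG_\w+)\s+(.*)$")


def parse_reg_query(text: str):
    """Yield (key, value_name, value_type, data) tuples from `reg query` output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        match = VALUE_RE.match(line)
        if match and key:
            yield key, match.group(1), match.group(2), match.group(3).strip()


def audit_run_keys(text: str):
    """Return one finding per autostart value that matches any indicator."""
    findings = []
    for key, name, vtype, data in parse_reg_query(text):
        reasons = [reason for reason, pattern in INDICATORS if pattern.search(data)]
        if reasons:
            findings.append({"key": key, "name": name, "type": vtype,
                             "data": data, "reasons": reasons})
    return findings


# Constructed dump: a benign OneDrive entry plus two suspicious autostarts.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    WinUpdate    REG_SZ    C:\Users\Public\python\python.exe C:\Users\Public\setup.py
    svc_helper    REG_SZ    C:\Users\user\AppData\Local\Temp\helper.exe
"""

if __name__ == "__main__":
    print("Export these keys with `reg query <key>` and feed the output to audit_run_keys:")
    for k in RUN_KEYS:
        print("  ", k)
    for f in audit_run_keys(SAMPLE_REG_QUERY):
        print(f"{f['key']}\\{f['name']}: {f['data']}")
        for r in f["reasons"]:
            print("   -", r)
```

On a live host, run `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and the HKLM equivalent, save the output, and pass it to `audit_run_keys`. A developer workstation with a legitimately installed Python will trigger the interpreter indicator, so triage on the launch path and on what the script being executed actually is rather than treating every hit as an infection.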
V. Recommendations
- Patch Systems and Keep Them Updated
Make sure your systems are always updated with the latest patches so that malware cannot exploit known, already-fixed vulnerabilities in outdated systems.
- Set Antivirus Programs to Conduct Regular Scans
Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
- Malware Monitoring
Continuously monitor current and new types of malware. Stay up to date on threat intelligence and advancements to prevent, defend against and mitigate these types of threats.
- Strong Cyber Hygiene
Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified.
Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
- Turn on Endpoint Protection
Enable endpoint detection and response (EDR) capabilities in the endpoint product you are using so that unknown malware can be detected and stopped.
VI. Indicators of Compromise (IOCs)
The link below has been included to assist with the download of some identified IOCs related to this Threat Advisory report. Be on the lookout for these IOCs, as well as anything that looks similar.
https://usf.box.com/s/iaptndxys8jy0g7hiok9ee85ijzwdnue
VII. References
(1) Bracken, Becky. “FreakOut Botnet Turns DVRs Into Monero Cryptominers.” Threatpost, October 13, 2021. https://threatpost.com/freakout-botnet-dvrs-monero-cryptominers/175467/.
(2) Kimayong, Paul. “Necro Python Botnet Goes After Vulnerable VisualTools DVR.” Juniper Networks Threat Research Blog, October 11, 2021. https://blogs.juniper.net/en-us/threat-research/necro-python-botnet-goes-after-vulnerable-visualtools-dvr.
Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: James Krepps, Orlando Huertas, Dorian Pope, Sreten Dedic, EJ Bulut, Uday Bilakhiya, Tural Hagverdiyev, and Ipsa Bhatt.