The new Necro Python exploit targets Visual Tool DVRs used in surveillance systems.
Threat group FreakOut’s Necro botnet has developed a new trick: infecting Visual Tools DVRs with a Monero miner.
Juniper Threat Labs researchers have issued a report detailing new activities from FreakOut, also known as Necro Python and Python.IRCBot. In late September, the team noticed that the botnets started to target Visual Tools DVR VX16 188.8.131.52 models with cryptomining attacks. The devices are typically deployed as part of a professional-quality surveillance system.
A command injection vulnerability was found in the same devices last July. Visual Tools has not yet responded to Threatpost’s request for comment.
“The script can run in both Windows and Linux environments,” the Juniper report said. “The script has its own polymorphic engine to morph itself every execution which can bypass signature-based defenses. This works by reading every string in its code and encrypting it using a hardcoded key.”
FreakOut has been on the scene since at least January, exploiting recently identified and unpatched vulnerabilities to launch distributed denial-of-service (DDoS) and cryptomining attacks. Juniper reports that the threat actors have developed several iterations of