{
	"id": "6fbffb41-f089-4c46-ad28-baa2d83ad986",
	"created_at": "2026-04-06T00:15:49.443784Z",
	"updated_at": "2026-04-10T13:12:17.305057Z",
	"deleted_at": null,
	"sha1_hash": "0afdae01471c6578d558925d7f01e01c9ba0a9c9",
	"title": "Necro Python Botnet Goes After Vulnerable VisualTools DVR",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1380801,
	"plain_text": "Necro Python Botnet Goes After Vulnerable VisualTools DVR\r\nBy Paul Kimayong\r\nPublished: 2021-10-11 · Archived: 2026-04-05 23:15:26 UTC\r\nOctober 11, 2021\r\nIn the last week of September 2021, Juniper Threat Labs detected new activity from Necro Python (a.k.a. N3Cr0m0rPh, FreakOut, Python.IRCBot), which is actively exploiting several services and has added a new exploit to its arsenal. This new exploit targets Visual Tools DVR VX16 4.2.28.0 from visual-tools.com (no CVE number is assigned to this vulnerability). Successful exploitation downloads the bot onto the system and installs a Monero miner.\r\nNecro was first discovered in January. The threat actor updated the bot in March and again in May, adding new exploits to its arsenal.\r\nNecro is an interesting Python bot with many functions, including the following:\r\nNetwork sniffer\r\nSpreading by exploits\r\nSpreading by brute force\r\nUsing a domain generation algorithm (DGA)\r\nInstalling a Windows rootkit\r\nReceiving and executing bot commands\r\nParticipating in DDoS attacks\r\nInfecting HTML, JS and PHP files\r\nInstalling a Monero miner\r\nThe script can run in both Windows and Linux environments. It has its own polymorphic engine that morphs the script on every execution, which can bypass signature-based defenses. This works by reading every string in its code and encrypting it using a hardcoded key.\r\nNecro Python’s polymorphism, before and after\r\nDomain Generation Algorithm\r\nNecro uses a DGA for both its CnC and its download server. It selects a domain from a list of dynamic DNS services, e.g., ddns.net, and prefixes it with 10-19 random characters, e.g., ‘3ood3dfcqchro.ddns.net’.\r\nThe domains are pseudo-randomly generated using a hardcoded seed, 0xFAFFDED00001, plus a counter that is incremented until it reaches 0xFD (253 in decimal) and is then reset to 0. The seed controls which domains are generated; in effect, the bot can generate up to 253 unique domains.\r\nThis seed differs from previous campaigns. For instance, the sample used in the March attack used a different seed, 0x7774DEAD.\r\nThe bot connects to the generated domains one by one to find one that is online. During our analysis, the following DGA domain was active:\r\ngtmpbeaxruxy[.]myftp.org\r\nimport random\r\n\r\n# Necro Python's DGA loop: each counter value seeds the PRNG and yields one candidate domain.\r\ncounter = 0\r\nwhile 1:\r\n    if counter \u003e= 0xFD:\r\n        counter = 0\r\n    counter += 1\r\n    # Hardcoded base seed plus the counter, so the same counter value always gives the same domain.\r\n    random.seed(a=0xFAFFDED00001 + counter)\r\n    # Random label of 10-18 characters drawn from the bot's own (oddly repetitive) alphabet, lower-cased,\r\n    # followed by one of the dynamic DNS suffixes.\r\n    DGA_DOMAIN = (''.join(random.choice('abcdefghijklmnopqoasadihcouvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789') for _ in range(random.randrange(10,19)))).lower() + \".\" + random.choice(['ddns.net', 'ddnsking.com', '3utilities.com', 'bounceme.net', 'freedynamicdns.net', 'freedynamicdns.org', 'gotdns.ch', 'hopto.org', 'myddns.me', 'myftp.biz', 'myftp.org', 'myvnc.com', 'onthewifi.com', 'redirectme.net', 'servebeer.com', 'serveblog.net', 'servecounterstrike.com', 'serveftp.com', 'servegame.com', 'servehalflife.com', 'servehttp.com', 'serveirc.com', 'serveminecraft.net', 'servemp3.com', 'servepics.com', 'servequake.com', 'sytes.net', 'viewdns.net', 'webhop.me', 'zapto.org'])\r\nNecro Python’s Domain Generation Algorithm\r\nBot Commands\r\nNecro connects to the CnC server, gtmpbeaxruxy.myftp.org, via IRC to receive commands, which include the following:\r\nCommand - Function\r\naddport - add a port to the scanner\r\ndelport - remove a port from the scanner\r\nports - send the server the ports currently scanned\r\ninjectcount - send the server the number of files injected\r\nreinject - launch the function that injects into html, php, js and htm files\r\nscanner - stop or launch the scanner\r\nsniffer - stop or launch the sniffer\r\nscannetrange - scan a range of IPs\r\nclearscan - empty the scanner DB\r\nrevshell - launch a reverse shell\r\nshell - launch a process using subprocess.Popen()\r\nkillknight - kill itself\r\nexecute - execute a file\r\nkillbyname - kill a process by name\r\nkillbypid - kill a process by PID\r\ndisable - disable the exploitation module\r\nenable - enable the exploitation module\r\ngetip - get the current IP\r\nram - get information about the memory\r\nupdate - update this bot\r\nvisit - visit a URL\r\ndlexe - download and execute a file\r\ninfo - get system information\r\nrepack - morph this bot\r\nlogout - log out from the server\r\nreconnect - reconnect to the server\r\nudpflood - UDP flood\r\nsynflood - SYN flood\r\ntcpflood - TCP flood\r\nslowloris - Slowloris DDoS attack\r\nhttpflood - launch an HTTP flood\r\ntorflood - launch a DDoS using Tor SOCKS proxies\r\nloadamp - initialize an amplification attack\r\nreflect - launch a DNS reflection attack\r\nWe have noted a few changes in this bot from the previous version. First, it removed the SMB scanner that was observed in the May 2021 attack. Second, it changed the URL that it injects into script files on the compromised system. Previously, it injected a hardcoded URL, ‘ublock-referer[.]dev/campaign.js’, into the scripts; now it uses the DGA for the URL, i.e., ‘DGA_DOMAIN/campaign.js’. As noted in previous reports, this bot finds HTML, PHP, JS and HTM files on the system and injects JavaScript code into every file. This is an attempt by the attacker to compromise not only the server but also the clients connecting to it. Using a DGA domain to host the JavaScript makes it more resilient against defenses.\r\nNecro injects JavaScript code into html, htm, php and .js files found on the compromised server. It uses the DGA domain to host campaign.js\r\nWe also noted a change in its Tor SOCKS proxies. When the bot receives the “torflood” command, it uses a set of Tor proxies for its DDoS attacks.\r\nVisual Tools DVR Exploit\r\nAs noted above, this bot added a new exploit to its arsenal. The exploit targets Visual Tools DVR VX16 4.2.28.0. A PoC for this exploit was made available to the public in July 2021.\r\nHTTP request made to attack Visual Tools DVR\r\nAside from the bot, the payload installs an XMRig Monero miner using the following wallet.\r\n45iHeQwQaunWXryL9YZ2egJxKvWBtWQUE4PKitu1VwYNUqkhHt6nyCTQb2dbvDRqDPXveNq94DG9uTndKcWLYNoG2\r\nThe scanner function of the bot scans for the following ports and, if one is open, launches its attack.\r\nTARGET_PORTS = [22, 80, 443, 8081, 8081, 7001]\r\nJuniper Threat Labs is still seeing this Necromorph exploiting the following vulnerabilities:\r\n1. CVE-2020-15568 – TerraMaster TOS before 4.1.29\r\n2. CVE-2021-2900 – Genexis PLATINUM 4410 2.1 P4410-V2-1.28\r\n3. CVE-2020-25494 – Xinuos (formerly SCO) Openserver v5 and v6\r\n4. CVE-2020-28188 – TerraMaster TOS \u003c= 4.2.06\r\n5. CVE-2019-12725 – Zeroshell 3.9.0\r\nDetection\r\nExploits used in this attack are detected by Juniper’s NGFW SRX series with the following signatures:\r\nHTTP:CGI:BASH-CODE-INJECTION\r\nHTTP:CTS:TERRAMASTER-TOS-INJCTN\r\nHTTP:CTS:SCO-OPNSRVR-OS-INJ\r\nHTTP:CTS:GENEXIS-PLAT-RCE\r\nHTTP:CTS:ZEROSHELL-CGI-BIN-RCE\r\nJuniper Advanced Threat Prevention Cloud detects this bot as follows:\r\nJuniper Advanced Threat Prevention DNS Security also detects the DGA domain.\r\nIndicators of Compromise\r\nDomains:\r\ngtmpbeaxruxy[.]myftp.org\r\nURLs:\r\nhttps://gtmpbeaxruxy[.]myftp.org/setup.py\r\nhttps://gtmpbeaxruxy[.]myftp.org/setup\r\nhttps://gtmpbeaxruxy[.]myftp.org/xmrig\r\nhttps://gtmpbeaxruxy[.]myftp.org/xmrig1\r\nFiles:\r\nFile Hash - File Name\r\nEb4a48a32af138e9444f87c4706e5c03d8dc313fabb7ea88c733ef1be9372899 - setup\r\nE524bd7789b82df11891cc2c12af1ac0ea41dd0b946e1e04a4246cb36321f82f - setup.py\r\n0e537db39a7be5493750b7805e3a97da9e6dd78a0c7fca282a55a0241803d803 - xmrig\r\nF72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7 - xmrig1\r\nIP Addresses \u0026 ports:\r\nSource: https://blogs.juniper.net/en-us/threat-research/necro-python-botnet-goes-after-vulnerable-visualtools-dvr",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blogs.juniper.net/en-us/threat-research/necro-python-botnet-goes-after-vulnerable-visualtools-dvr"
	],
	"report_names": [
		"necro-python-botnet-goes-after-vulnerable-visualtools-dvr"
	],
	"threat_actors": [
		{
			"id": "7d8ef10e-1d7b-49a0-ab6e-f1dae465a1a4",
			"created_at": "2023-01-06T13:46:38.595679Z",
			"updated_at": "2026-04-10T02:00:03.033762Z",
			"deleted_at": null,
			"main_name": "PLATINUM",
			"aliases": [
				"TwoForOne",
				"G0068",
				"ATK33"
			],
			"source_name": "MISPGALAXY:PLATINUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e61c46f7-88a1-421a-9fed-0cfe2eeb820a",
			"created_at": "2022-10-25T16:07:24.061767Z",
			"updated_at": "2026-04-10T02:00:04.854503Z",
			"deleted_at": null,
			"main_name": "Platinum",
			"aliases": [
				"ATK 33",
				"G0068",
				"Operation EasternRoppels",
				"TwoForOne"
			],
			"source_name": "ETDA:Platinum",
			"tools": [
				"AMTsol",
				"Adupib",
				"Adupihan",
				"Dipsind",
				"DvDupdate.dll",
				"JPIN",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"RedPepper",
				"RedSalt",
				"Titanium",
				"adbupd",
				"psinstrc.ps1"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "33f527a5-a5da-496a-a48c-7807cc858c3e",
			"created_at": "2022-10-25T15:50:23.803657Z",
			"updated_at": "2026-04-10T02:00:05.333523Z",
			"deleted_at": null,
			"main_name": "PLATINUM",
			"aliases": [
				"PLATINUM"
			],
			"source_name": "MITRE:PLATINUM",
			"tools": [
				"JPIN",
				"Dipsind",
				"adbupd"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434549,
	"ts_updated_at": 1775826737,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0afdae01471c6578d558925d7f01e01c9ba0a9c9.pdf",
		"text": "https://archive.orkl.eu/0afdae01471c6578d558925d7f01e01c9ba0a9c9.txt",
		"img": "https://archive.orkl.eu/0afdae01471c6578d558925d7f01e01c9ba0a9c9.jpg"
	}
}