Old ‘Necro Python’ Bot Upgraded With Monero Mining and 10 New Exploits

Last updated September 20, 2021
Written by:
Bill Toulas
Cybersecurity Journalist

The malware authors known as ‘Necro Python’ have upgraded their attack tool with Monero mining and ten new exploits against VMware vSphere, SCO OpenServer, Vesta Control Panel, and SMB. The hackers behind the campaign that deploys the latest version of ‘Necro Python’ have also updated the command and control infrastructure, so the whole operation around this malware has been refreshed.

The ‘Necro Python’ bot first appeared online in 2015, but its activity has spiked again since January 2021. The infection process starts with scanning for and exploiting one of the hard-coded vulnerabilities, which cover both Windows and Linux operating systems and applications. Communication with the C2 takes place over IRC, and the bot is also capable of launching DDoS attacks, sniffing network data, and exfiltrating information from the infected machine.

A notable new part of the code has to do with the XMRig program, which mines Monero, a privacy-focused cryptocurrency. XMRig is only used on Linux-based systems, while Windows victims get a JavaScript injection into .htm, .html, .js and .php files. Whenever the user opens the infected application, the miner runs within the browser’s process space, making money for the hackers at the expense of the victim’s system resources and internet data.

Source: Cisco Talos

The exploitation commands are the following:

The backdoor commands of the new ‘Necro Python’ bot have been determined to be the following:

According to the Cisco Talos researchers behind the detailed report, the latest exploits and the spike in ‘Necro Python’ bot activity came in May, so it looks like the actors will keep pushing for now. The main focus remains the mining of Monero, but as long as information stealing is included in the scope, a lot more can happen through the malware. That’s especially the case if the author opens access to the bot through a malware-as-a-service (MaaS) program once they are confident enough.
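
As an added example (not from the Cisco Talos report or this article), the following Python script shows one way a defender could catch the JavaScript injection into .htm, .html, .js and .php files described above: hash those files into a baseline and report any that later change. The function names, the sample web root and the appended script tag are constructed for illustration.

```python
import hashlib
import os
import tempfile

# Extensions the article says the Windows variant injects JavaScript into.
TARGET_EXTS = {".htm", ".html", ".js", ".php"}

def snapshot(root):
    """Map relative path -> SHA-256 for every file under root with a targeted extension."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in TARGET_EXTS:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def diff_snapshots(baseline, current):
    """Return (modified, added, removed) relative paths, each list sorted."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed

def demo():
    """Constructed sample: a tiny web root where one page gains an appended script tag."""
    with tempfile.TemporaryDirectory() as root:
        files = {"index.html": "<html><body>hi</body></html>",
                 "app.js": "console.log('ok');",
                 "notes.txt": "not a targeted extension"}
        for name, body in files.items():
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        baseline = snapshot(root)
        # Simulated tampering with a placeholder tag (constructed, not the malware's code).
        with open(os.path.join(root, "index.html"), "a") as fh:
            fh.write('<script src="PLACEHOLDER.js"></script>')
        # A change to a non-targeted file must not be reported.
        with open(os.path.join(root, "notes.txt"), "a") as fh:
            fh.write("ignored change")
        return diff_snapshots(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

In practice the baseline should be stored off the monitored host, so that a compromise of the machine cannot rewrite it.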


