OODA Loop – FreakOut Botnet Turns DVRs Into Monero Cryptominers

According to Juniper Threat Labs, the new Necro Python exploit targets Visual Tools DVRs used in surveillance systems. The Necro botnet was developed by the threat group FreakOut and has reportedly learned a new trick: infecting Visual Tools DVRs with a Monero crypto miner. In late September, Juniper Threat Labs noticed that the botnet had started to target Visual Tools DVR VX16 4.2.28.0 models with crypto-mining attacks. These devices are typically deployed as part of a professional-quality surveillance system.

Last July, a command injection vulnerability was found in the same devices. Visual Tools has not responded to requests for comment. FreakOut has been active since at least last January, exploiting recently identified and unpatched vulnerabilities to launch distributed denial-of-service and crypto-mining attacks. The threat actors behind the botnet have developed several iterations of Necro, making steady improvements in performance and persistence over the past several months.