SYMBOL · COMMON_NAME · aka. SYNONYMS
py.n3cr0m0rph (Back to overview)

N3Cr0m0rPh

aka: FreakOut, Necro

An IRC bot written in (obfuscated) Python code. It was distributed in the FreakOut attack campaign and written by the author Freak/Fl0urite; development potentially dates back as far as 2015.

References
2021-10-13 · lacework · Lacework Labs
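% Corporate author: the extra braces keep "Lacework Labs" as one indivisible name
% instead of being split into a given name and a family name.
@online{labs:20211013:spytech:1e11e26,
  author       = {{Lacework Labs}},
  title        = {{“Spytech Necro” – Keksec’s Latest Python Malware}},
  organization = {lacework},
  date         = {2021-10-13},
  url          = {https://www.lacework.com/blog/spytech-necro-keksecs-latest-python-malware/},
  urldate      = {2021-10-25},
  language     = {English},
}
“Spytech Necro” – Keksec’s Latest Python Malware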
N3Cr0m0rPh
2021-10-11 · Juniper · Paul Kimayong
@online{kimayong:20211011:necro:9b112bd,
  author       = {Paul Kimayong},
  title        = {{Necro Python Botnet Goes After Vulnerable VisualTools DVR}},
  organization = {Juniper},
  date         = {2021-10-11},
  url          = {https://blogs.juniper.net/en-us/threat-research/necro-python-botnet-goes-after-vulnerable-visualtools-dvr},
  urldate      = {2021-10-25},
  language     = {English},
}
Necro Python Botnet Goes After Vulnerable VisualTools DVR
N3Cr0m0rPh
2021-06-10 · lacework · Chris Hall
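% The ampersand in the title is escaped: a bare & is LaTeX's alignment
% character and aborts typesetting of the bibliography.
@online{hall:20210610:keksec:53918f5,
  author       = {Chris Hall},
  title        = {{Keksec \& Tsunami-Ryuk}},
  organization = {lacework},
  date         = {2021-06-10},
  url          = {https://www.lacework.com/keksec-tsunami-ryuk/},
  urldate      = {2021-06-16},
  language     = {English},
}
Keksec & Tsunami-Ryuk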
N3Cr0m0rPh
2021-06-04 · Bleeping Computer · Sergiu Gatlan
@online{gatlan:20210604:freakout:0ccc055,
  author       = {Sergiu Gatlan},
  title        = {{FreakOut malware worms its way into vulnerable VMware servers}},
  organization = {Bleeping Computer},
  date         = {2021-06-04},
  url          = {https://www.bleepingcomputer.com/news/security/freakout-malware-worms-its-way-into-vulnerable-vmware-servers/},
  urldate      = {2021-06-16},
  language     = {English},
}
FreakOut malware worms its way into vulnerable VMware servers
N3Cr0m0rPh
2021-06-03 · Talos · Vanja Svajcer, Caitlin Huey, Kendall McKay
@online{svajcer:20210603:necro:acd2fdf,
  author       = {Vanja Svajcer and Caitlin Huey and Kendall McKay},
  title        = {{Necro Python bot adds new exploits and Tezos mining to its bag of tricks}},
  organization = {Talos},
  date         = {2021-06-03},
  url          = {https://blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks.html},
  urldate      = {2021-06-16},
  language     = {English},
}
Necro Python bot adds new exploits and Tezos mining to its bag of tricks
N3Cr0m0rPh
2021-05-15 · Twitter (@xuy1202) · YANG XU
@online{xu:20210515:necro:47291da,
  author       = {YANG XU},
  title        = {{Tweet on Necro using hardcoded onion address as a gateway for TOR CC}},
  organization = {Twitter (@xuy1202)},
  date         = {2021-05-15},
  url          = {https://twitter.com/xuy1202/status/1393384128456794116},
  urldate      = {2021-05-25},
  language     = {English},
}
Tweet on Necro using hardcoded onion address as a gateway for TOR CC
N3Cr0m0rPh
2021-05-11 · Twitter (@xuy1202) · YANG XU
@online{xu:20210511:necros:d1f186c,
  author       = {YANG XU},
  title        = {{Tweet on necro's new DGA}},
  organization = {Twitter (@xuy1202)},
  date         = {2021-05-11},
  url          = {https://twitter.com/xuy1202/status/1392089568384454657},
  urldate      = {2021-05-13},
  language     = {English},
}
Tweet on necro's new DGA
N3Cr0m0rPh
2021-03-18 · lacework · Chris Hall
@online{hall:20210318:kek:94c6e57,
  author       = {Chris Hall},
  title        = {{The “Kek Security” Network}},
  organization = {lacework},
  date         = {2021-03-18},
  url          = {https://www.lacework.com/blog/the-kek-security-network/},
  urldate      = {2023-03-17},
  language     = {English},
}
The “Kek Security” Network
Kaiten N3Cr0m0rPh
2021-03-18 · 360 netlab · Jinye, YANG XU
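% The ampersand in the title is escaped: a bare & is LaTeX's alignment
% character and aborts typesetting of the bibliography.
@online{jinye:20210318:necro:e22f5c1,
  author       = {Jinye and YANG XU},
  title        = {{Necro upgrades again, using Tor + dynamic domain DGA and aiming at both Windows \& Linux}},
  organization = {360 netlab},
  date         = {2021-03-18},
  url          = {https://blog.netlab.360.com/necro-upgrades-again-using-tor-dynamic-domain-dga-and-aiming-at-both-windows-linux/},
  urldate      = {2021-03-19},
  language     = {English},
}
Necro upgrades again, using Tor + dynamic domain DGA and aiming at both Windows & Linux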
N3Cr0m0rPh
2021-03-18 · Github (lacework) · lacework-labs
@online{laceworklabs:20210318:dga:9b57724,
  author       = {lacework-labs},
  title        = {{DGA and decoder scripts for n3cr0morph IRC malware}},
  organization = {Github (lacework)},
  date         = {2021-03-18},
  url          = {https://github.com/lacework/lacework-labs/tree/master/keksec},
  urldate      = {2021-03-25},
  language     = {English},
}
DGA and decoder scripts for n3cr0morph IRC malware
N3Cr0m0rPh
2021-03-04 · 360 netlab · Jinye
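% The underscore in the title is escaped: outside math mode a bare _ stops
% LaTeX with "Missing $ inserted". The url field is kept raw because
% url-aware styles typeset it verbatim.
@online{jinye:20210304:gafgtyttor:ba71f67,
  author       = {Jinye},
  title        = {{Gafgtyt\_tor and Necro are on the move again}},
  organization = {360 netlab},
  date         = {2021-03-04},
  url          = {https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/},
  urldate      = {2021-03-06},
  language     = {English},
}
Gafgtyt_tor and Necro are on the move again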
Bashlite N3Cr0m0rPh
2021-01-21 · Netlab · Jinye
@online{jinye:20210121:necropyinstallerdga:895bc13,
  author       = {Jinye},
  title        = {{Necro在频繁升级,新版本开始使用PyInstaller和DGA}},
  organization = {Netlab},
  date         = {2021-01-21},
  url          = {https://blog.netlab.360.com/not-really-new-pyhton-ddos-bot-n3cr0m0rph-necromorph/},
  urldate      = {2021-01-25},
  language     = {Chinese},
}
Necro在频繁升级,新版本开始使用PyInstaller和DGA
N3Cr0m0rPh
2021-01-19 · Checkpoint · Omer Ventura, Ori Hamama
@online{ventura:20210119:freakout:f2db200,
  author       = {Omer Ventura and Ori Hamama},
  title        = {{FreakOut – Leveraging Newest Vulnerabilities for creating a Botnet}},
  organization = {Checkpoint},
  date         = {2021-01-19},
  url          = {https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/},
  urldate      = {2021-01-21},
  language     = {English},
}
FreakOut – Leveraging Newest Vulnerabilities for creating a Botnet
N3Cr0m0rPh

There is no Yara-Signature yet.