N3Cr0m0rPh (Malware Family)

N3Cr0m0rPh

aka: FreakOut, Necro

An IRC bot written in (obfuscated) Python code. Distributed in attack campaign FreakOut, written by author Freak/Fl0urite and development potentially dating back as far as 2015.

References

2021-10-13 ⋅ lacework ⋅ Lacework Labs
“Spytech Necro” – Keksec’s Latest Python Malware
N3Cr0m0rPh

2021-10-11 ⋅ Juniper ⋅ Paul Kimayong
Necro Python Botnet Goes After Vulnerable VisualTools DVR
N3Cr0m0rPh

2021-06-10 ⋅ lacework ⋅ Chris Hall
Keksec & Tsunami-Ryuk
N3Cr0m0rPh

2021-06-04 ⋅ Bleeping Computer ⋅ Sergiu Gatlan
FreakOut malware worms its way into vulnerable VMware servers
N3Cr0m0rPh

2021-06-03 ⋅ Talos ⋅ Caitlin Huey, Kendall McKay, Vanja Svajcer
Necro Python bot adds new exploits and Tezos mining to its bag of tricks
N3Cr0m0rPh

2021-05-15 ⋅ Twitter (@xuy1202) ⋅ YANG XU
Tweet on Necro using hardcoded onion address as a gateway for TOR CC
N3Cr0m0rPh

2021-05-11 ⋅ Twitter (@xuy1202) ⋅ YANG XU
Tweet on necro's new DGA
N3Cr0m0rPh

2021-03-18 ⋅ 360 netlab ⋅ Jinye, YANG XU
Necro upgrades again, using Tor + dynamic domain DGA and aiming at both Windows & Linux
N3Cr0m0rPh Keksec

2021-03-18 ⋅ Github (lacework) ⋅ lacework-labs
DGA and decoder scripts for n3cr0morph IRC malware
N3Cr0m0rPh

2021-03-18 ⋅ lacework ⋅ Chris Hall
The “Kek Security” Network
Kaiten N3Cr0m0rPh

2021-03-04 ⋅ 360 netlab ⋅ Jinye
Gafgtyt_tor and Necro are on the move again
Bashlite N3Cr0m0rPh Keksec

2021-01-22 ⋅ 360 netlab ⋅ Jinye
Necro is going to version 3 and using PyInstaller and DGA
N3Cr0m0rPh

2021-01-21 ⋅ ⋅ Netlab ⋅ Jinye
Necro在频繁升级，新版本开始使用PyInstaller和DGA
N3Cr0m0rPh

2021-01-19 ⋅ Checkpoint ⋅ Omer Ventura, Ori Hamama
FreakOut – Leveraging Newest Vulnerabilities for creating a Botnet
N3Cr0m0rPh

There is no Yara-Signature yet.

N3Cr0m0rPh Propose Change

References

N3Cr0m0rPh