FreakOut botnet target 3 recent flaws to compromise Linux devices

Pierluigi Paganini January 19, 2021

Security researchers uncovered a series of attacks conducted by the FreakOut botnet that leveraged recently discovered vulnerabilities.

Security researchers from Check Point have uncovered a series of attacks associated with the FreakOut botnet that is targeting multiple unpatched flaws in applications running on top of Linux systems.

The botnet appeared in the threat landscape in November 2020, in some cases the attacks leveraged recently disclosed vulnerabilities to inject OS commands. The attacks aimed at compromising the target systems to create an IRC botnet, which can later be used to conduct several malicious activities, including DDoS attacks and crypto-mining campaigns.

The attacks observed by Check Point aimed at devices that run one of the following products:

  • TerraMaster TOS(TerraMaster Operating System) – the operating system used for managing TerraMaster NAS (Network Attached Storage) servers
  • Zend Framework –  a collection of packages used in building web application and services using PHP, with more than 570 million installations
  • Liferay Portal – a free, open-source enterprise portal. It is a web application platform written in Java that offers features relevant for the development of portals and websites

Once infected a device, it will be later used as an attacking platform.

FreakOut botnet

Botnet operators are scanning the internet for vulnerable applications affected by one of the recently disclosed vulnerabilities and take over the underlying Linux system:

  • CVE-2020-28188 – RCE flaw that resides in the TerraMaster management panel (disclosed on December 24, 2020) – This flaw could be exploited by a remote unauthenticated attacker to inject OS commands, and gain control of the servers using TerraMaster TOS (versions prior to  4.2.06).
  • CVE-2021-3007 – deserialization flaw that affects the Zend Framework (disclosed on January 3, 2021). The flaw affects Zend Framework versions higher than 3.0.0, the attacker can abuse the Zend3 feature that loads classes from objects to upload and execute malicious code in the server. The code can be uploaded using the “callback” parameter, which in this case inserts a malicious code instead of the “callbackOptions” array.
  • CVE-2020-7961 – Java unmarshalling flaw via JSONWS in Liferay Portal (in versions prior to 7.2.1 CE GA2) (disclosed on March 20, 2020). An attacker can exploit the flaw to provide a malicious object, that when unmarshalled, allows remote code execution.

“In all the attacks involving these CVEs, the attacker’s first move is to try running different syntaxes of OS commands to download and execute a Python script named “out.py”.” reads the analysis published by Check Point. “After the script is downloaded and given permissions (using the “chmod” command), the attacker tries to run it using Python 2. Python 2 reached EOL (end-of-life) last year, meaning the attacker assumes the victim’s device has this deprecated product installed.”

The bot is an obfuscated Python script downloaded from the site https://gxbrowser[.]net consisting of polymorphic code.

The FreakOut botnet has a modular structure, it uses a specific function for each capability it supports. Below a list of functions implemented in the botnet:

  • Port Scanning utility
  • Collecting system fingerprint
    • Includes the device address (MAC, IP), and memory information. These are used in different functions of the code for different checks
    • TerraMaster TOS version of the system
  • Creating and sending packets
    • ARP poisoning for Man-in-the-Middle attacks.
    • Supports UDP and TCP packets, but also application layer protocols such as HTTP, DNS, SSDP, and SNMP
    • Protocol packing support created by the attacker.
  • Brute Force – using hard coded credentials 
    • With this list, the malware tries connecting to other network devices using Telnet. The function receives an IP range and tries to brute force each IP with the given credential. If it succeeds, the results of the correct credential are saved to a file, and sent in a message to the C2 server
  • Handling sockets
    • Includes handling exceptions of runtime errors.
    • Supports multi-threaded communication to other devices. This allows simultaneous actions the bots can perform while listening to the server
  • Sniffing the network
    • Executes using the “ARP poisoning” capability. The bot sets itself as a Man-in-the-Middle to other devices. The intercepted data is sent to the C2 server
  • Spreading to different devices, using the “exploit” function.
    • Randomly generates the IPs to attack
    • Exploits the CVEs mentioned above (CVE-2020-7961 , CVE-2020-28188, CVE-2021-3007)
  • Gaining persistence by adding itself to the rc.local configuration.
  • DDOS and Flooding – HTTP, DNS, SYN
    • Self-implementation of Slowlaris. The malware creates many sockets to a relevant victim address for the purpose of instigating a DDoS attack
  • Opening a reverse-shell – shell on the client
  • Killing a process by name or ID
  • Packing and unpacking the code using obfuscation techniques to provide random names to the different functions and variables.

The botnet could conduct multiple malicious activities by combining the above functions, such as delivering a cryptocurrency miners, launching DDoS, ot spreading laterally across the company network.

Check Point researchers analyzed the malicious code and were able to access the IRC channel used by the botmaster to control the botnet.

The botnet is in an early stage, at the time of the analysis, the IRC panel shows it was controlling only 188 bots.

Check Point experts were also able to track its author, who goes online with the moniker Freak.

“To identify the threat actors responsible for the attacks, we searched for leads in the internet and social media.  Searching for both the code author, who goes by the name “Freak” (which we have also seen in the IRC server channels) and the IRC bot name “N3Cr0m0rPh”, revealed information about the threat actor behind the campaign.” continues the analysis.

“In a post published on HackForums back in 2015, submitted by the user “Fl0urite” with the title “N3Cr0m0rPh Polymorphic IRC BOT”, the bot is offered for sale in exchange for BitCoins (BTC).”

The analysis published by the experts includes the MITRE ATT&CK TECHNIQUES and protections (IoCs, IPS, and Anti-Bot).

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, FreakOut botnet)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment