In late January, a new botnet campaign was discovered targeting unpatched software running on Linux devices with recent code execution CVEs. Once a device is compromised, the bot downloads and executes a malicious Python script that joins the compromised device to the botnet. The botnet is controlled by attackers using Internet Relay Chat (IRC) and enables the attackers to perform DDoS attacks and run crypto miner software on infected devices. Updates are available to patch all CVEs exploited by FreakOut that will prevent infection.
FreakOut was based on Necromorph botnet code, portions of which have been found on Pastebin or offered for sale or rent on underground forums since 2015. On 19 January 2021, Check Point Research reported the botnet code received an update on 1 January 2021. The botnet code was found on VirusTotal on 7 January 2021 and it was first seen in the wild on 8 January 2021. The code update in early January indicates the botnet is in active development, likely to maintain a low anti-virus detection rate or to update the CVEs used as the initial infection vector.
Looking at the target demographics, most infected hosts reside in the US, with Italy, Great Britain, the Netherlands, and China rounding out the Top 5. Finance and Banking institutions top the targeted industry list with Government and Military, Healthcare, Retail & Wholesale, and Insurance & Legal in the Top 5 affected industries.
The botnet uses three remote code execution CVEs to perform the initial infection of a new victim. CVE-2020-7961, publicly disclosed on 20 March 2020 exploits a flaw in the Liferay Portal CMS, an enterprise web portal system. CVE-2020-28188 was publicly disclosed on 24 December 2020 and exploits the TerraMaster network, which attaches to storage devices. CVE-2021-3007, publicly disclosed on 3 January 2021 exploits the Zend Framework, a PHP web framework. Zend Framework, however, is no longer maintained. The Laminas Project is the successor to Zend Framework and has a patch available. If one of these vulnerabilities is successfully exploited, the victim will download and execute the FreakOut botnet code. All of these vulnerabilities have patches available.
For persistence, FreakOut adds itself to the rc.local file on Linux systems that is executed on system startup after all other system services have started. Initially, the botnet code is downloaded from gxbrowser[.]net which is hardcoded into the botnet’s source code. After that, the victim device joins an Internet Relay Chat server at irc[.]kek[.]org and joins the #update channel where it listens for command and control messages from the botmaster.
The malware has several capabilities. These are designed to give the botmaster the ability to launch additional attacks, such as network sniffing, lateral movement, finding and attacking external victims, and perform DDOS attacks. The interactive shell capability allows the attacker to personally take control of an infected victim to perform any conceivable action he or she wishes.
The threat actor behind the creation of this botnet has gone by several aliases. The earliest alias used in 2015 was Fl0urite, used in a post on HackForums advertising the N3cr0m0rph IRC bot for sale. Freak@populuscontrol is listed in the comments as the author of the current bot code. Additional source code can be found on Pastebin linking the Freak, Fl0urite, and Freak@populuscontrol identities.
At this time, protecting yourself from this botnet is as simple as patching for the CVEs used to gain the initial infection. This will work until the author changes the CVE exploits used. Patches can be found in the following locations:
- CVE-2020-7961 https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/117954271
- CVE-2020-28188 https://forum.terra-master.com/en/viewtopic.php?f=28&t=1136
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
https://attendee.gotowebinar.com/register/3702558539639477516
Reporting: https://www.redskyalliance.org/
Website: https://www.wapacklabs.com/
LinkedIn: https://www.linkedin.com/company/64265941
Comments