
Don’t “Freakout”: A Malware Exploiting 3 Different Vulnerabilities to Create an IRC Bot Network

Checkpoint researchers have identified a malware dubbed “Freakout” that exploits three different vulnerabilities to compromise targets and enrol them in an IRC botnet.

Researchers from Checkpoint have identified a new Python-based malware, “Freakout”, which exploits several recently disclosed vulnerabilities. The major goal behind these attacks is to build a group of compromised machines (a botnet) that can be used for various malicious activities such as DDoS and cryptomining.

Freakout attempts to exploit three vulnerabilities, CVE-2020-28188, CVE-2021-3007 and CVE-2020-7961, in products such as TerraMaster TOS (TerraMaster Operating System), Zend Framework and Liferay Portal. These flaws allow the attacker to upload and execute malicious Python scripts on the victim machine.

[Figure: The attack flow of the campaign. Source: Checkpoint]

“The malware, downloaded from the site https://gxbrowser[.]net, is an obfuscated Python script consisting of polymorphic code. Many of the function names remain the same in each download, but there are multiple functions that are obfuscated using random strings generated by a packing function. The first attack trying to download the file was observed on January 8, 2021. Since then, hundreds of download requests from the relevant URL were made,” the research paper states.

The researchers have also listed its capabilities, as described below:

1. Port scanning utility.

2. Ability to collect the system fingerprint: MAC address, IP address, memory information and Terramaster TOS version.

3. Creating and sending packets using the TCP and UDP protocols, as well as application protocols such as HTTP, DNS, SSDP and SNMP.

4. Brute-forcing network devices over the Telnet protocol using its hardcoded credentials. The credentials of each successful connection are sent to the C2 servers.

5. Ability to handle sockets for multiple simultaneous connections, along with packet sniffing.

6. Spreading itself to other devices by randomly generating IP addresses and attacking them through the three vulnerabilities listed above.

7. Achieving persistence on Linux machines by adding itself to the rc.local configuration file.

8. DDoS support using different protocols, such as HTTP, SYN and DNS packets.

9. Opening a reverse shell, and the ability to kill a process by name or by “id”.

10. Packing and unpacking its code using obfuscation techniques on variables and functions.

In their research paper the researchers conclude: “The threat actor behind the attack, named “Freak”, managed to infect many devices in a short period of time, and incorporated them into a botnet, which in turn is used for DDoS attacks and crypto-mining. Such attack campaigns highlight the importance of taking sufficient precautions and updating your security protections on a regular basis.”

The researchers have also released the IOCs, which can be incorporated into monitoring:

  • hxxp://gxbrowser[.]net
  • 7c7273d0ac2aaba3116c3021530c1c868dc848b6fdd2aafa1deecac216131779 – out.py (less obfuscated)
  • 05908f2a1325c130e3a877a32dfdf1c9596d156d031d0eaa54473fe342206a65 – out.py (more obfuscated)
  • ac4f2e74a7b90b772afb920f10b789415355451c79b3ed359ccad1976c1857a8 – out.py (including the xmrig1 installation)
  • ac6818140883e0f8bf5cef9b5f965861ff64cebfe181ff025e1f0aee9c72506c – Out – xmrig1
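The IOC list above and the rc.local persistence noted in capability 7 are the two things a defender can check for directly. The following script is an added example, not code from the original post or from Checkpoint: it hashes every file under a directory and compares the SHA-256 against the published hashes, and it flags lines in an rc.local file that reference the download domain or the dropped `out.py` script. The domain and hashes are copied from the article; the function names, the `out.py` filename pattern and the sample rc.local content used in the test are my own assumptions, and the script reports findings only, it does not delete or quarantine anything.

```python
import hashlib
import re
from pathlib import Path

# SHA-256 hashes published as IOCs in the article above, mapped to the
# file each one identifies.
FREAKOUT_SHA256 = {
    "7c7273d0ac2aaba3116c3021530c1c868dc848b6fdd2aafa1deecac216131779": "out.py (less obfuscated)",
    "05908f2a1325c130e3a877a32dfdf1c9596d156d031d0eaa54473fe342206a65": "out.py (more obfuscated)",
    "ac4f2e74a7b90b772afb920f10b789415355451c79b3ed359ccad1976c1857a8": "out.py (including the xmrig1 installation)",
    "ac6818140883e0f8bf5cef9b5f965861ff64cebfe181ff025e1f0aee9c72506c": "xmrig1",
}

# The download domain from the IOC list, accepted in both its live and its
# defanged ("[.]") spelling so the same check works on pasted reports.
DOMAIN_RE = re.compile(r"gxbrowser(?:\[\.\]|\.)net", re.IGNORECASE)
# Assumed name of the dropped script; an rc.local persistence entry
# (capability 7) would have to invoke the dropped file somehow.
SCRIPT_RE = re.compile(r"\bout\.py\b")


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root, iocs=FREAKOUT_SHA256):
    """Return [(path, label)] for every regular file under root whose SHA-256 is in iocs."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.is_symlink():
            continue
        try:
            digest = sha256_file(path)
        except OSError:
            continue  # unreadable file: skip it rather than abort the whole scan
        if digest in iocs:
            hits.append((str(path), iocs[digest]))
    return hits


def suspicious_rc_local_lines(text):
    """Return (line number, line) for rc.local lines referencing the IOC domain or dropped script."""
    flagged = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # comments cannot execute anything, so they are not persistence
        if DOMAIN_RE.search(stripped) or SCRIPT_RE.search(stripped):
            flagged.append((lineno, stripped))
    return flagged


if __name__ == "__main__":
    import sys

    root = sys.argv[1] if len(sys.argv) > 1 else "/tmp"
    for path, label in scan_tree(root):
        print(f"IOC match: {path} -> {label}")
    rc_local = Path("/etc/rc.local")
    if rc_local.exists():
        for lineno, line in suspicious_rc_local_lines(rc_local.read_text(errors="replace")):
            print(f"/etc/rc.local:{lineno}: {line}")
```

Run it as `python3 freakout_check.py /path/to/scan`; a hash match is high confidence, while a flagged rc.local line is a lead to inspect, since a legitimate script could in principle be named `out.py`.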

For more cyber security news in crisp content, please follow our site via the Twitter handle @cyberworkx1.
