FreakOut Malware Description
A campaign involving a new malware strain is targeting vulnerable Linux devices. Named FreakOut malware by infosec researchers, the threat is equipped with a wide range of functionalities. Still, its main goal is to add infected devices to a botnet capable of launching DDoS (Distributed Denial of Service) attacks and cryptomining activities. On the compromised Linux devices, the threat can also initiate routines for port scanning and data harvesting. In addition, FreakOut also establishes both a network and data packet sniffing process.
As an entry point, the malware strain exploits vulnerabilities found in three specific Linux products. All three critical issues have either already been addressed in a patch released by the vendor or are planned to be manipulated in the next version update. One of the vulnerabilities is a critical remote command execution flaw (CVE-2020-28188) affecting the popular data storage device vendor TerraMaster TOS (TerraMaster Operating System). The popular collection of library packers Zend Framework also found itself among FreakOut's targets through the CVE-2021-3007 critical deserialization bug. The third vulnerability is the critical deserialization of untrusted data issue (CVE-2020-7961) found in the open-source enterprise portal Liferay Portal.
FreakOut's Attack Chain
After infiltration the target through one of the three vulnerabilities, the attackers proceeded to deliver a Python script fetched from a website located at https://gxbrowser.net. The hackers then grant permissions to the script through the 'chmod' command and try to run it with Python 2. It must be noted that Python 2 reached the End-of-Life phase of its product cycle, so the attackers need their victims to be using a now deprecated product for the whole malicious operation to be carried out.
When fully deployed, the Python script named 'out.py' can perform port scanning, harvesting system details such as device addresses and memory information, and creating and exfiltration of packets. By using hard-coded credentials, the threat can attempt to infect other network devices through a brute-force attack.
Analysis of the Command-and-Control (C2, C&C) infrastructure of the FreakOut campaign revealed that approximately 185 devices have already been compromised.