A dangerous new malware campaign, known as "FreakOut", has targeted unpatched Linux systems that handle Network Attached Storage (NAS) and run certain PHP- and Java-based web application frameworks.
The FreakOut botnet was first seen in November 2020 and resurfaced with a fresh range of attacks in January 2021. The malware targets TerraMaster data storage units, web apps built on top of the Zend PHP framework, and websites running the Liferay Portal content management system.
This Python-based, multi-platform malware, which has previously targeted Windows and Linux systems, has been updated to go after internet-exposed VMware vCenter servers that are unpatched against a remote code execution vulnerability.
The vulnerability (CVE-2021-21972) lies in the vCenter plug-in for vRealize Operations (vROps) and is especially noteworthy because that plug-in ships with the standard installation of vCenter Server. According to Shodan and BinaryEdge, thousands of unpatched vCenter servers are currently reachable from the Internet.
FreakOut enrols infected machines in an IRC botnet controlled by its operators, spreading by exploiting a wide variety of OS and application vulnerabilities and by brute-forcing SSH passwords. Its main features let the operators launch DDoS attacks, backdoor affected devices, sniff network traffic and steal data, and deploy XMRig miners to mine Monero.
“Although the bot was originally discovered earlier this year, the latest activity shows numerous changes to the bot, ranging from different command and control (C2) communications and the addition of new exploits for spreading, most notably vulnerabilities in VMWare vSphere, SCO OpenServer, Vesta Control Panel and SMB-based exploits that were not present in the earlier iterations of the code,” Cisco Talos security researcher Vanja Svajcer said.
Since early May, when the botnet's activity unexpectedly skyrocketed, FreakOut's developers have been working to take the malware's spreading capabilities a step further.
FreakOut bots scan for new systems either by generating network ranges at random or by following instructions from their operators, which the command and control server delivers over IRC. For every IP address in the scan list, the bot tries one of its built-in exploits or attempts to log in using a hard-coded list of SSH passwords.
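The SSH password-list behaviour described above leaves a recognisable trace in sshd logs. The following is an added example, not code from the article or from Cisco Talos: it flags a source address that fails many logins within a short window (the credential-spraying pattern a FreakOut bot produces) and notes whether a successful login followed; the log lines, the 60-second window and the 5-failure threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd lines in syslog format (year assumed 2021); not real data.
SAMPLE_AUTH_LOG = """\
Jun  1 10:00:01 nas sshd[1201]: Failed password for root from 203.0.113.7 port 41022 ssh2
Jun  1 10:00:02 nas sshd[1203]: Failed password for admin from 203.0.113.7 port 41023 ssh2
Jun  1 10:00:03 nas sshd[1205]: Failed password for invalid user pi from 203.0.113.7 port 41024 ssh2
Jun  1 10:00:04 nas sshd[1207]: Failed password for root from 203.0.113.7 port 41025 ssh2
Jun  1 10:00:05 nas sshd[1209]: Failed password for root from 203.0.113.7 port 41026 ssh2
Jun  1 10:00:09 nas sshd[1211]: Accepted password for root from 203.0.113.7 port 41027 ssh2
Jun  1 10:30:00 nas sshd[1300]: Failed password for alice from 198.51.100.9 port 50000 ssh2
Jun  1 11:30:00 nas sshd[1301]: Accepted publickey for alice from 198.51.100.9 port 50001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse(line, year=2021):
    """Return (timestamp, result, user, ip) for an sshd auth line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def find_spraying(log_text, window=timedelta(seconds=60), threshold=5):
    """Map each source IP that reaches `threshold` failed logins inside `window`
    to the burst size, the usernames tried, and whether a login later succeeded."""
    by_ip = defaultdict(list)
    for ev in (parse(l) for l in log_text.splitlines()):
        if ev:
            by_ip[ev[3]].append(ev[:3])
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [(ts, user) for ts, result, user in evs if result == "Failed"]
        for i in range(len(fails)):          # sliding window over failure times
            j = i
            while j < len(fails) and fails[j][0] - fails[i][0] <= window:
                j += 1
            if j - i >= threshold:
                last_fail = fails[j - 1][0]
                success = any(r == "Accepted" and ts > last_fail for ts, r, _ in evs)
                alerts[ip] = {"failures": j - i,
                              "users": sorted({u for _, u in fails[i:j]}),
                              "success_after": success}
                break
    return alerts
```

A `success_after` of `True` is the case worth escalating, since it means one of the hard-coded passwords actually worked on that host.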
VMware vulnerabilities have also been exploited in past ransomware attacks on business networks. As Cisco Talos disclosed, the FreakOut operators have likewise been experimenting continually with different malicious payloads, including bespoke ransomware.
“Necro Python bot shows an actor that follows the latest development in remote command execution exploits on various web applications and includes the new exploits into the bot. This increases its chances of spreading and infecting systems,” Svajcer added.
“Users need to make sure to regularly apply the latest security updates to all of the applications, not just operating systems.”