'FreakOut' Botnet Targets Unpatched Linux SystemsResearchers Says Malicious Network Could Be Used to Launch DDoS Attacks
Researchers at Check Point Research are tracking a new botnet dubbed "FreakOut” that’s targeting vulnerabilities in Linux systems.
The goal behind the botnet's attacks, researchers say, is to create an IRC botnet - a collection of machines infected with malware that can be remotely controlled - that then can be used for malicious activities, such as launching distributed denial-of-service attacks or cryptomining (see: Monero Mining Botnet Targets PostgreSQL Database Servers ).
The FreakOut botnet is targeting Linux-based systems that include the TerraMaster operating system, which manages TerraMaster network-attached storage servers; the Zend framework, designed to build web application services using PHP; and Liferay Portal, a web application platform that enables users to create portals and websites.
Each of these open-source systems has a vulnerability that the FreakOut botnet attempts to exploit, the researchers say. In the TerraMaster OS, the remote code execution flaw is tracked as CVE-2020-28188. The Zend framework deserialization bug is listed as CVE-2021-3007. And the deserialization vulnerability within the Liferay Portal is CVE-2020-7961.
Researchers urge users to patch these flaws to keep their devices from being recruited into the botnet army.
The Check Point team notes that the command-and-control server associated with the FreakOut botnet, first activated in November 2020, has targeted several hundred vulnerable devices, mainly in North America and Western Europe.
The botnet operators have been mass-scanning for vulnerable Linux devices to find fresh victims, the researchers say.
How FreakOut Works
The Check Point report notes that once the FreakOut malware finds and exploits a vulnerability, it downloads a Python script that creates a channel between the compromised system and the command-and-control server.
Once the system is infected, the botnet can:
- Scan ports;
- Collect device information, including the MAC address and memory information;
- Create and send packs, which can be utilized for man-in-the-middle attacks;
- Deploy brute-force attacks that attempt to infect other devices within the network;
- Gain persistence by adding itself to the rc.local configuration;
- Kill a process by name or ID;
- Pack and unpack code using obfuscation techniques to provide random names to functions and variables.
These functions enable the botnet to launch a DDoS attack or plant cryptomining malware, according to the report.
Check Point says it used social media and GitHub to trace the development of FreakOut to an underground operator named "Freak." The researchers also found that the code of the new botnet appears to be based on a separate botnet called "N3Cr0m0rPh," which has been offered for sale or rent on underground forums since 2015.
Over the last several months, researchers have been tracking a number of new botnets that target Linux systems.
In December 2020, Palo Alto Networks Unit 42 published a report on PGMiner, which is targeting vulnerable PostgreSQL database servers to illegally mine for monero (see: Monero Mining Botnet Targets PostgreSQL Database Servers).
A November 2020 report by analysts at Intezer Labs found that the latest Linux version of the Stantinko botnet is designed to disguise the malware as an Apache server to help better avoid security tools and remain hidden (see: Linux Botnet Disguises Itself as Apache Server).