Ongoing ‘FreakOut’ malware attack turns Linux devices into IRC botnet

According to Checkpoint, the “FreakOut” malware attack is exploiting “newest vulnerabilities.” Here’s a full list of its capabilities.

According to Checkpoint, the “FreakOut” malware attack is exploiting “newest vulnerabilities.”

Cybersecurity researchers identify vulnerabilities regularly, some serious, some not. In the latest, researchers from Checkpoint have discovered a range of attacks against Linux devices.

Dubbed FreakOut; the malware attack is being carried out to create an IRC botnet. It is worth noting that an IRC Botnet is a collection of machines infected with malware that can be controlled remotely via an IRC channel.

Done by a threat actor named “freak;” the botnet in question would allow attackers to perform malicious tasks such as brute-forcing attacks, network sniffing, killing processes, crypto-mining, and DDoS attacks.

Delving into the details, the campaign is not aimed at the masses but chooses a targeted approach in which it only attacks systems running the TerraMaster operating system ZEND framework or Liferay Portal. What’s troubling is that all 3 have a significant number of users globally.

According to researchers, once a device has become a victim, it then becomes a part of the attacking chain which in the words of the researchers, results in “making the attack flow recursive”.

The vulnerabilities targeted by the malware include:

  • CVE-2020-28188 – targeting TerraMaster
  • CVE-2021-3007 – targeting Zend
  • CVE-2020-7961 – targeting Liferay Portal

The attack works in a way that first the threat actor runs certain operating system commands in order to upload a malicious Python script to the victim device. This script is downloaded from gxbrowsernet” and contains polymorphic code.

The page that loaded when directed to the above link. Now, however, it is redirecting to a troll video on YouTube.

Explaining the technicalities, the researchers stated in a blog post that,

Many of the function names remain the same in each download, but there are multiple functions that are obfuscated using random strings generated by a packing function. The first attack trying to download the file was observed on January 8, 2021. Since then, hundreds of download requests from the relevant URL were made.

When we searched for the relevant domain and file in VirusTotal (VT), we found other codes called “”.

These files were uploaded only a few hours before the attacks began, and had low scores of detections by the AVs presented in VirusTotal. All the files originated from the same domain, hxxp://gxbrowsernet, as this address is hardcoded in all scripts and is the only address that appears.

All of this means that the threat actor behind the campaign can launch sophisticated attacks on individuals and institutions causing great damage. For example, by using the infected systems for crypto-mining, their productivity would be significantly compromised resulting in a loss of resources for anyone apart from the obvious data loss at stake.

They can also carry out DDoS attacks and ask for ransom as seen previously where DDoS attacks were being launched with Monero ransom notes. Nevertheless, FreakOut malware is quite sophisticated. Here’s a full list of its capabilities:

  • Handling sockets
  • DDOS and Flooding
  • Sniffing the network
  • Port Scanning utility
  • Opening a reverse-shell
  • Using the “exploit” function
  • Creating and sending packets
  • Collecting system fingerprint
  • Spreading to different devices
  • Killing a process by name or ID
  • Brute Force – using hardcoded credentials
  • Packing and unpacking the code using obfuscation techniques
  • Gaining persistence by adding itself to the rc.local configuration.

To conclude, the campaign is still ongoing therefore those who run any of the aforementioned programs should remain vigilant in order to prevent infection.

Did you enjoy reading this article? Don’t forget to like our page on Facebook and follow us on Twitter

Related Posts