
How the New FreakOut Botnet targets Linux Systems

by CISOCONNECT Bureau

A newly discovered malware named FreakOut has been actively targeting Linux-based devices. Read on to know more…

Researchers are warning that a novel malware variant is targeting Linux devices in order to add endpoints to a botnet, which is then used for distributed denial-of-service (DDoS) attacks and cryptomining.

The aim of this malware is to propagate botnet networks for DDoS attacks and cryptomining. Between January 8 and January 13, around 380 attack attempts were observed.

Observations
This new malware comes with a variety of capabilities such as port scanning, information gathering, and data packet and network sniffing. Additionally, each infected device can be used as a remote-controlled attack platform.

“If successfully exploited, each device infected by the FreakOut malware can be used as a remote-controlled attack platform by the threat actors behind the attack, enabling them to target other vulnerable devices to expand their network of infected machines,” said researchers with Check Point Research in a Tuesday analysis.

Initially, the malware targets Linux devices running certain products with unpatched vulnerabilities. Exploited flaws include CVE-2020-28188 (TerraMaster TOS), CVE-2021-3007 (Zend Framework), and CVE-2020-7961 (Liferay Portal). After taking advantage of one of these flaws, attackers upload an obfuscated Python script named out[.]py. Subsequently, the downloaded script is given permissions using the chmod command.

The attacker attempts to run the downloaded script using Python 2, which reached EOL last year. The script has several capabilities, such as port scanning, creating and sending packets, system fingerprinting, and brute-forcing with hard-coded credentials to infect other network devices.
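The chmod-then-Python 2 sequence described above is something defenders can hunt for in process-execution logs. The following is an added example, not code from Check Point or from this article; the record format, the correlation window and the sample records are constructed assumptions.

```python
import os
import re
import shlex

SCRIPT_NAME = "out.py"                      # file name reported in the article
WINDOW_SECONDS = 300                        # assumed correlation window
PY2 = re.compile(r"^python(2(\.\d+)?)?$")   # bare "python" is Python 2 on many older systems

# Constructed sample records, assumed format: "<epoch> <host> <command line>"
SAMPLE_LOG = """\
1610100000 nas01 chmod 777 /tmp/out.py
1610100004 nas01 python2 /tmp/out.py
1610100100 web02 chmod 644 /var/www/app/config.py
1610100200 web02 python3 /opt/tools/out.py
1610100300 web03 chmod +x /tmp/out.py
1610109999 web03 python /tmp/out.py
"""


def find_chmod_then_python2(log_text, window=WINDOW_SECONDS):
    """Return (host, path, chmod_ts, exec_ts) for each chmod -> Python 2 run of SCRIPT_NAME."""
    pending = {}   # (host, path) -> time of the most recent chmod on that path
    hits = []
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3 or not parts[0].isdigit():
            continue                        # skip malformed records
        ts, host = int(parts[0]), parts[1]
        try:
            argv = shlex.split(parts[2])
        except ValueError:
            continue                        # unbalanced quotes in the command line
        if not argv:
            continue
        prog = os.path.basename(argv[0])
        targets = [a for a in argv[1:] if os.path.basename(a) == SCRIPT_NAME]
        for path in targets:
            key = (host, path)
            if prog == "chmod":
                pending[key] = ts
            elif PY2.match(prog) and key in pending and 0 <= ts - pending[key] <= window:
                hits.append((host, path, pending[key], ts))
    return hits


if __name__ == "__main__":
    for hit in find_chmod_then_python2(SAMPLE_LOG):
        print("ALERT host=%s path=%s chmod_at=%d exec_at=%d" % hit)
```

A match on the file name alone is easy to evade by renaming, so treat a hit as one hunting signal rather than proof of infection or of a clean host.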

Technicalities
According to a technical report published by Check Point, the list of commands that FreakOut bots can run includes:
• Gathering info on the infected system;
• Creating and sending UDP and TCP packets;
• Executing Telnet brute-force attacks using a list of hardcoded credentials;
• Running a port scan;
• Executing an ARP poisoning attack on the device’s local network;
• Opening a reverse shell on the infected host;
• Killing local processes; and more.

Check Point argues that these functions can be combined to perform various operations, like launching DDoS attacks, installing cryptocurrency miners, turning infected bots into a proxy network, or launching attacks on the internal network of an infected device.

Recent Attacks
In early January, ElectroRAT was used to empty the cryptocurrency wallets of thousands of Windows, Linux, and macOS users. Last month, a Golang-based malware was discovered that targets Windows and Linux servers.

Mitigation
Researchers said that “Patches are available for all products impacted in these CVEs, and users of these products are advised to urgently check any of these devices they are using and to update and patch them to close off these vulnerabilities.”

To protect against FreakOut, researchers recommend that Linux device users who run TerraMaster TOS, Zend Framework or Liferay Portal make sure they have deployed all patches. “We strongly recommend users check and patch their servers and Linux devices in order to prevent the exploitation of such vulnerabilities by FreakOut,” they said.

Conclusion
Unpatched flaws are always a big security risk and cybercriminals will always tend to take advantage of them. Therefore, experts suggest users always patch their Linux servers and personal devices, use a reliable anti-malware solution, and deploy intrusion prevention systems for better protection.
