
FreakOut botnet analysis

Introduction

Recently, Check Point researchers discovered a series of attacks related to the FreakOut botnet, mainly targeting unpatched vulnerabilities in applications running on the victims' systems.

The botnet first appeared in November 2020, and recently disclosed vulnerabilities were used in some of the attacks to inject operating system commands. The main goal of the attack is to compromise the system and enrol it in an IRC botnet, which is then used for other malicious activities such as DDoS attacks and mining.

FreakOut infection chain

Figure: FreakOut attack flow diagram

The attack exploited three newly discovered vulnerabilities: CVE-2020-28188, CVE-2021-3007 and CVE-2020-7961. Attackers use these vulnerabilities to upload and execute Python scripts on the compromised server.

CVE-2020-28188

The vulnerability is that the “event” parameter of the “makecvs” PHP page (/include/makecvs.php) lacks input validation. Unauthenticated remote attackers can use it to inject operating system commands and gain control of the server.

Figure: Attack using CVE-2020-28188

CVE-2021-3007

The vulnerability is caused by unsafe object deserialization. In Zend Framework 3.0.0 and later, attackers abuse the Zend3 feature that loads classes from objects in order to upload and execute malicious code on the server. The malicious code is supplied through the “callback” parameter.

Figure: Attack using CVE-2021-3007

CVE-2020-7961

The vulnerability is a Java deserialization flaw in Liferay Portal. Attackers can supply a malicious object that achieves remote code execution when it is deserialized.

Figure: Attack using CVE-2020-7961
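As an added illustration, not part of the article or of Check Point's research, the following Python script triages web-server access logs for the two request shapes described above: shell metacharacters in the “event” parameter of /include/makecvs.php (CVE-2020-28188) and a serialised PHP object in a “callback” parameter (CVE-2021-3007). The log lines, IP addresses and the /api path are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); not taken from the article.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Jan/2021:10:01:02 +0000] "GET /include/makecvs.php?event=2021 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [18/Jan/2021:10:01:05 +0000] "GET /include/makecvs.php?event=1%3Bid HTTP/1.1" 200 77 "-" "python-requests/2.25"
203.0.113.12 - - [18/Jan/2021:10:02:10 +0000] "POST /api?callback=O%3A8%3A%22stdClass%22 HTTP/1.1" 500 0 "-" "curl/7.64"
203.0.113.13 - - [18/Jan/2021:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Shell metacharacters that have no business in a numeric "event" value.
SHELL_META = re.compile(r'[;|&`$\n]|\$\(')
# Leading bytes of a serialised PHP object, e.g. O:8:"stdClass"
PHP_OBJECT = re.compile(r'^[OC]:\d+:"')


def classify(line):
    """Return (client_ip, cve_label) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qs percent-decodes once; unquote() again catches double-encoded values.
    params = parse_qs(parts.query, keep_blank_values=True)
    # CVE-2020-28188: OS command injection via the "event" parameter of makecvs.php
    if parts.path.endswith("/include/makecvs.php"):
        for value in params.get("event", []):
            if SHELL_META.search(unquote(value)):
                return m.group("ip"), "CVE-2020-28188"
    # CVE-2021-3007: serialised PHP object supplied through the "callback" parameter
    for value in params.get("callback", []):
        if PHP_OBJECT.match(unquote(value)):
            return m.group("ip"), "CVE-2021-3007"
    return None


def scan(log_text):
    """Run classify() over every line and return the list of hits in log order."""
    return [hit for hit in (classify(l) for l in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for ip, cve in scan(SAMPLE_LOG):
        print(f"{ip} -> possible {cve} exploitation attempt")
```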

Vulnerability impact

The vulnerabilities affect the following products:

· TerraMaster operating system: the operating system used to manage TerraMaster NAS devices;

· Zend Framework: a collection of PHP packages used to build web applications and services, installed more than 570 million times;

· Liferay Portal: a free and open-source enterprise portal, a web application platform written in Java that provides features for website and portal development.


Botnet function

The FreakOut botnet has a modular structure, with a dedicated function for each capability it supports. The capabilities of the botnet include:

· Port scanning tool;

· Collect system fingerprints, including the device address, memory information and the TerraMaster operating system version;

· Create and send packets:

  · ARP poisoning for man-in-the-middle attacks;

  · UDP and TCP packets, with support for HTTP, DNS, SSDP, SNMP and other application-layer protocols;

· Brute-force attacks using hard-coded credentials;

· Handle runtime exceptions raised by the packet functions;

· Sniff the network, using the ARP poisoning function;

· Spread to other devices using the exploit functions;

· Add itself to the rc.local configuration to persist across reboots;

· Launch DDoS and flooding attacks;

· Open a reverse shell on the client;

· Kill processes by name or ID.

IOCs
