FreakOut botnet analysis


Recently, Check Point researchers discovered a series of attacks related to the FreakOut botnet, mainly targeting unpatched vulnerabilities in applications running on the compromised systems.

The botnet first appeared in November 2020, and recent attacks used several newly disclosed vulnerabilities to inject operating system commands. The main goal of the attack is to compromise the system and enrol it in an IRC botnet, which is then used for other malicious activities such as DDoS attacks and mining.

FreakOut infection chain


Figure FreakOut attack flow diagram

The attack exploited three newly disclosed vulnerabilities: CVE-2020-28188, CVE-2021-3007 and CVE-2020-7961. Attackers can use these vulnerabilities to upload and execute Python scripts on the compromised server.


The vulnerability is that the “event” parameter of the “makecvs” PHP page (/include/makecvs.php) lacks input validation. An unauthenticated remote attacker can use this parameter to inject operating system commands and gain control of the server.


Figure Attacks using the CVE-2020-28188
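Defenders can hunt for exploitation attempts against the TerraMaster flaw described above in web server access logs. The following Python script is an added example, not code from the Check Point research or the original post; it assumes combined-format access logs, uses constructed sample lines, and flags requests to /include/makecvs.php whose event parameter contains shell metacharacters.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [20/Jan/2021:10:00:01 +0000] "GET /include/makecvs.php?event=1%3Bid HTTP/1.1" 200 512 "-" "python-requests/2.25"
192.0.2.11 - - [20/Jan/2021:10:00:02 +0000] "GET /include/makecvs.php?event=12345 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.12 - - [20/Jan/2021:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.13 - - [20/Jan/2021:10:00:04 +0000] "GET /include/makecvs.php?event=%60uname%60 HTTP/1.1" 200 512 "-" "curl/7.68"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# Shell metacharacters that have no business in an event identifier.
SHELL_META = re.compile(r"[;|&`$<>]")
TARGET_PATH = "/include/makecvs.php"


def suspicious_event(url: str) -> Optional[str]:
    """Return the decoded 'event' value when the request targets makecvs.php
    and the value contains shell metacharacters; otherwise None."""
    parts = urlsplit(url)
    if parts.path != TARGET_PATH:
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get("event", []):
        # parse_qs already decoded once; decode again to catch double-encoded values.
        decoded = unquote(value)
        if SHELL_META.search(decoded):
            return decoded
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Parse each log line and collect the requests that look like command injection."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        payload = suspicious_event(m["url"])
        if payload is not None:
            hits.append({"ip": m["ip"], "ts": m["ts"], "event": payload})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} suspicious event parameter: {hit['event']!r}")
```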


The vulnerability is caused by unsafe object deserialization. In Zend Framework 3.0.0 and later, attackers abuse Zend3's ability to load classes from objects in order to upload and execute malicious code on the server; the malicious code is supplied through the “callback” parameter.


Figure Attack using CVE-2021-3007


The vulnerability is a Java deserialization flaw in Liferay Portal. Attackers can supply a malicious object that achieves remote code execution when it is deserialized.


Figure Attack using CVE-2020-7961

Vulnerability impact

The vulnerabilities affect the following products:

· TerraMaster operating system: the operating system used to manage TerraMaster NAS devices;

· Zend Framework: a package for building web applications and services in PHP, installed more than 570 million times;

· Liferay Portal: a free and open-source enterprise portal, a web application platform written in Java that provides features for website and portal development.


Botnet function

The FreakOut botnet has a modular structure and implements each supported capability as a dedicated function. The functions of the botnet include:

· Port scanning;

· Collect system fingerprints, including device address, memory information, and system version of TerraMaster operating system, etc.;

· Create and send packets:

· ARP poisoning for man-in-the-middle attacks;

· Support UDP and TCP packets, and support HTTP, DNS, SSDP, SNMP and other application layer protocols;

· Brute-force cracking using hard-coded credentials;

· Handle runtime errors and exceptions;

· Sniff the network: a function that performs ARP poisoning;

· Use the exploit functions to spread to other devices;

· Add itself to the rc.local configuration to gain persistence;

· Launch DDoS and flooding attacks;

· Open a reverse shell on the client;

· Kill processes by name or ID.