Researchers at CheckPoint have discovered a new botnet, called FreakOut, that exploits not one but three known software vulnerabilities to infect Linux systems. With TrickBot managing to create enough of a problem that big tech and law enforcement have moved to shut it down, with varying levels of success, a new contender may rise to fill a void. It is early days for FreakOut, and while the malware looks to spread to new devices and drop cryptomining malware if users don’t patch the impacted products more dangerous malware maybe soon to follow.
Researchers discovered an active campaign on January 8, 2021, when they noticed the malicious script being downloaded from hxxp://gxbrowser[.]net. Since then, the researchers observed hundreds of attempts to download the code. The purpose of the attack is to infect machines with vulnerable versions of the popular TerraMaster operating system, the Zend Framework (Laminas Project), or Liferay Portal. While later versions of the malware are being used to drop an XMRig miner, due to the level of control granted to the attackers' other malware strains can be dropped just as easily. As to the vulnerabilities exploited by the attackers, they all have large user bases, have been patched, and have proof-of-concept exploit code easily available online.
CVE-2021-3007 is a bug that affects the popular Zend Framework that provides users with professional PHP packages and boasts over 570 million downloads. The bug itself, if correctly exploited, allows for remote code execution. The second bug, CVE-2020-28188 is a bug that impacts the TerraMaster operating system used in the NAS devices of the same name.
The bug was deemed critical and allows for remote code execution that could result in complete control of the device. Lastly, CVE-2020-7961 impact LifeRay Portal, a popular platform that allows Java developers to build services, user interfaces, custom applications, or to implement ready-made ones. The bug in question impacts the open-source community edition and allows for the execution of arbitrary code.
An important function of any modern botnet will be the ability to spread laterally across a network so that more vulnerable devices can be infected. In simple terms, a botnet is a collection of infected devices used to carry out several scams and cyberattacks. Botnets are used to send out millions of spam emails or emails tailored to phish for credentials. They have also been used to spread some of the world's more prominent ransomware strains and are used to carry out DDoS attacks. Due to their inherent usefulness botnet creators will often rent out their creations to others or partner with other malware gangs to unlock extra revenue sources. The more devices that are under the attackers' control acts as a sales pitch for the creator. One of the favored methods of creating a large botnet is to spread laterally.
FreakOut does this by first infecting a Linux machine using one or a combination of the above-mentioned vulnerabilities then a Python script is run. The script is written in Python 2, which reached end of life status towards the end of 2020. Researchers believe that using Python 2, the attackers are assuming that the malware will target systems that are out of date, still, have Python 2 installed, and likely never patched any of the vulnerabilities targeted by the malware. The malware will then look for other vulnerable machines connected to the network then spread to those and begin the infection routine once again. Once the Python script is initialized the malware will drop the crypto miner and begin communications with the attacker’s command-and-control server. Check Point provided a comprehensive list of all the malware's capabilities, which include:
- Port Scanning utility
Collecting system fingerprint
Includes the device address (MAC, IP), and memory information. These are used in different functions of the code for different checks
TerraMaster TOS version of the system
- Creating and sending packets
ARP poisoning for Man-in-the-Middle attacks.
Supports UDP and TCP packets, but also application layer protocols such as HTTP, DNS, SSDP, and SNMP
Protocol packing support created by the attacker.
- Brute Force – using hardcoded credentials
With this list, the malware tries connecting to other network devices using Telnet. The function receives an IP range and tries to brute force each IP with the given credential. If it succeeds, the results of the correct credential are saved to a file, and sent in a message to the C2 server
- Handling sockets
Includes handling exceptions of runtime errors.
Supports multi-threaded communication to other devices. This allows simultaneous actions the bots can perform while listening to the server
- Sniffing the network
Executes using the “ARP poisoning” capability. The bot sets itself as a Man-in-the-Middle to other devices. The intercepted data is sent to the C2 server
Spreading to different devices, using the “exploit” function.
Randomly generates the IPs to attack
Exploits the CVEs mentioned above (CVE-2020-7961, CVE-2020-28188, CVE-2021-3007)
- Gaining persistence by adding itself to the rc.local configuration.
- DDOS and Flooding – HTTP, DNS, SYN
Self-implementation of Slowlaris. The malware creates many sockets to a relevant victim address to instigate a DDoS attack
- Opening a reverse-shell – shell on the client
- Killing a process by name or ID
- Packing and unpacking the code using obfuscation techniques to provide random names to the different functions and variables.
Given that the malware is dependent on exploiting known and patched vulnerabilities, those who use any of the above-mentioned software packages are advised to ensure the latest updates have been downloaded and installed. While the FreakOut botnet is still in the early stages of its life cycle researchers warned the botnet grew significantly in a short period and highlights that the other capabilities of the malware could be used for more damaging attacks. As to who might be behind the malware Check Point researchers made an interesting discovery, noting,
“In early 2015 codes found on Pastebin, that were uploaded by the user “Keksec”, there seems to be a link between the two identities “Fl0urite” and “Freak” in several files. In addition, there is a link to the user “Fl0urite” on HackForums in these files signed by “Freak.” The other files uploaded by the user are signed with the exact string “Freak@PopulusControl (aka sudoer)” that seems to be associated with the malware functions as well. Based on this evidence, we conclude that both identities belong to the same person…The page [a URL believed to be owned by the malware’s creator] has the names “keksec” and “Freak” which were observed in the Pastebin files, and is also associated with the name “Keknet” seen in the IRC server. Currently, it seems that “Freak” is using it to create a botnet.”
Why do hackers target Linux?
For a long period malware targeting Linux, and UNIX-based operating systems were rare. Many considered this was down to Windows having the greatest market share. It made far more sense for hackers to target Windows machines as there were simply more potential victims out there. Since about 2016 a new trend became apparent as reported instances of Linux and Mac-specific malware were on the rise. One of the reasons for this is that Linux allows users a greater level of control via its command-line interface. True, command-line interfaces are nothing to look at and for the uninitiated impossible to use but once you have an understanding you have much greater control over how the OS operates.
The other reason is that over the years Linux has enjoyed substantial growth in popularity. In general, it was only developers stuck in server rooms and configuring networks that shouted out the virtues of Linux. Now with a host of easier-to-use graphical user interfaces available to the public Linux has steadily become the favored OS of many. This likewise provides more opportunity for hackers and as more and more organizations adopt Linux, especially for creating networks the target area again grew for hackers to take advantage of. Both the level of control Linux offers and its increased popularity go a long way to explain why hackers target Linux machines.