Skip to main content

FreakOut Botnet

First seen in early January, FreakOut is a Python-based botnet targeting several recent vulnerabilities to propagate.

Threat ID:
CC-3729
Category:
Botnet
Threat Severity:
Medium
Threat Vector:
Exploit
Published:
21 January 2021 12:00 AM
Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

First seen in early January, FreakOut is a Python-based botnet targeting several recent vulnerabilities to propagate.

Affected platforms

The following platforms are known to be affected:

Versions: all supported

Microsoft Windows

Versions: most popular distributions

Linux

Threat details

Introduction

FreakOut (also known as Necro Python and Necromorph) is a newly observed botnet targeting Windows and Linux systems. Written in Python, it uses exploits for several recent vulnerabilities in NAS systems and web applications to propagate.

Propagation & activities

New FreakOut targets are identified using port scanning, with randomly generated IP ranges. It then attempts to gain access to new targets using a combination of brute-force attacks and its embedded exploits, If successful, FreakOut connect to a command and control server before dropping the XMrig cryptocurrency miner on the system. A new instance of its port-scanning utility is initiated, along with a packet sniffer so that FreakOut can perform ARP cache poisoning attacks.

The FreakOut botnet is also sold to third-parties for use in distributed denial-of-service attacks. At the time of publication, it is able to perform SlowLoris attacks as well as DNS, HTTP, and SYN floods.

 

Threat updates

Date Update
9 Jun 2021 FreakOut botnet updated with additional exploits and now targeting Windows systems

Freak Out has been updated with additional exploits enabling it to propagate by targeting the following vulnerable platforms:

  • Genexis PLATINUM 4410 2.1 P4410-V2-1.28
  • Laravel
  • OTRS 6.0.1
  • SCO Openserver 5.0.7
  • SMB vulnerabilities in Windows via versions of EternalBlue and EternalRomance exploits
  • VestaCP 0.9.8
  • VMWare vCenter
  • WebLogic
  • Zend Framework 3.0.0
  • ZeroShell 3.9.0

In addition to targeting Linux-based systems, FreakOut now targets Windows systems, gaining access via the vulnerabilities listed or stolen SSH credentials. It runs a PowerShell script on the exploited system to download and launch the FreakOut payload, along with an accompanying Python distribution. FreakOut achieves persistence by copying the Python distribution executable to USERPROFILE\\$6829.exe and creates a registry value to ensure the FreakOut runs when the user logs into the system. It uses a variant of r77-rootkit to evade detection, which terminates FreakOut if it detects an analysis environment and hides processes and registry values by modifying ntdll.dll functions.

The Linux variant of FreakOut has added a JavaScript based cryptocurrency miner which it downloads by injecting JavaScript code into script-based files. It scans the system for files with HTM, HTML, JS or PHP into which it injects code to download and run a miner loader from a command and control (C2) server. The JavaScript also provides additional functionality to receive commands from the C2 server, enabling it to steal data from the clipboard, log keystrokes and launch denial-of-service attacks on the target. Unlike Linux variants of FreakOut, the Windows variant of does not have cryptocurrency mining functionality.

Remediation advice

To prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.

Indicators of compromise

Network indicators

Domains

  • 3og7wipgh3ruavi7gd6y3uzhcurazasln55hb6hboiavyk6pugkcdpqd[.]onion
  • bp65pce2vsk7wpvy2fyehel25ovw4v7nve3lknwzta7gtiuy6jm7l4yd[.]onion[.]ws
  • can6dodp[.]servepics[.]com
  • o4hlcckwlbcy7qhhohqswpqla6wx7c5xmsvk3k4rohknng4nofvgz5id[.]onion
  • p2l44qilgm433bad5gbszb4mluxuejwkjaaon767m5dzuuc7mjqhcead[.]onion
  • pool[.]supportxmr[.]com - 45iHeQwQaunWXryL9YZ2egJxKvWBtWQUE4PKitu1VwYNUqkhHt6nyCTQb2dbvDRqDPXveNq94DG9uTndKcWLYNoG2uonhgH
  • q2p4b6pprex5mvzxm2xdqgo4q3hy2p4if2ljq7fcoavxvab7mpk232id[.]onion
  • rx[.]unmineable[.]com - XTZ:tz1NfDViBuZwi31WHwmJ4PtSsVtNX2yLnhG7
  • ublock-referer[.]dev

Port numbers

  • 587
  • 5870
  • 6697
  • 42066
  • 52566

URLs

  • http[:]//bp65pce2vsk7wpvy2fyehel25ovw4v7nve3lknwzta7gtiuy6jm7l4yd[.]onion[.]ws/setup.py
  • http[:]//bp65pce2vsk7wpvy2fyehel25ovw4v7nve3lknwzta7gtiuy6jm7l4yd[.]onion[.]ws/py.exe
  • http[:]//can6dodp[.]servepics[.]com/setup.py
  • http[:]//can6dodp[.]servepics[.]com/setup
  • http[:]//can6dodp[.]servepics[.]com/py.exe
  • http[:]//can6dodp[.]servepics[.]com/xmrig
  • http[:]//can6dodp[.]servepics[.]com/xmrig1
  • https://cloud-miner[.]de/tkefrep/tkefrep[.]js?tkefrep=bs?nosaj=faster.xmr2
  • http[:]//ngiwge486ln9daoo[.]hopto[.]org/setup.py
  • http[:]//ngiwge486ln9daoo[.]hopto[.]org/py.exe
Host indicators

Filenames

  • campaign.js
  • setup.py

SHA256 hashes

  • 19269ce9a0a44aca9d6b2deed7de71cf576ac611787c2af46819ca2aff44ce2a
  • 19c25ce4302050aec3c921dd5cac546e8200a7e951d570b52fe344c421105ea8
  • 2b77b93b8e1b8ef8650957d15aaf336cf70a7df184da060f86b9892c54eefb65
  • 606258f10519be325c39900504e50d79e551c7a9399efb9b22a7323da3f6aa7a
  • 80659cc37cb7fb831866f7d7b0043edc6918a99590bd9122815e18abb68daa35
  • 8130717a3d4053e2924a0393086511a41fc7777c045b45bb4f569bcbe69af8be
  • 8797ce228b32d890773d5dbac71cefa505b788cc8b25929be9832db422d8239b
  • 97ab2092f6b5b1986536a5ba45e487f19c97f52544ff494d43bb1baf31248924
  • 9ac075ee8e97c06feaa2e9e46e9e27bfbf69337fb3be9fd3f9478be0e06a6db5
  • 9d6171cf28b5a3572587140ef483739a185895ce2b5af3246a78c2c39beed7b8
  • a8bb386fa3a6791e72f5ec6f1dc26359b00d0ee8cb0ce866f452b7fff6dbb319
  • bc2126c03f2242013f58b43eb91351fba15d300385252423c52a5b18ece6a54f
  • c3fe8058ab46bd21d22f920960caae1f3b22a7aeba8d5315fb62461f4e989a7d
  • c3fe8058ab46bd21d22f920960caae1f3b22a7aeba8d5315fb62461f4e989a7d
  • d58c3694832812bc168834e2b8b3bfcb92f85a9d4523140ad010497baabc2c3d
  • d6403b9c069f08939fc2f9669dc7d5165ed66a1cae07788c3b27fffb30e890a0
  • d65e874b247dda9845661734d9e74b921f700983fd46c3626a3197f08a3006bf
  • e884bd4015d1b97227074bcf6cb9e8134b7afcfb6a3db758ca4654088403430a
  • eb8b08e13aba16bd5f0d7c330493be82941210d3a6aa4856858df770f77b747d

CVE Vulnerabilities

Status Published

CVE-2017-0144

The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.
Status Published

CVE-2017-0145

The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0146, and CVE-2017-0148.
Status Published

CVE-2017-16921

In OTRS 6.0.x up to and including 6.0.1, OTRS 5.0.x up to and including 5.0.24, and OTRS 4.0.x up to and including 4.0.26, an attacker who is logged into OTRS as an agent can manipulate form parameters (related to PGP) and execute arbitrary shell commands with the permissions of the OTRS or web server user.
Status Published

CVE-2019-12725

Zeroshell 3.9.0 is prone to a remote command execution vulnerability. Specifically, this issue occurs because the web application mishandles a few HTTP parameters. An unauthenticated attacker can exploit this issue by injecting OS commands inside the vulnerable parameters.
Status Published

CVE-2020-7961

Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).
Status Published

CVE-2020-14882

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Status Published

CVE-2020-25494

Xinuos (formerly SCO) Openserver v5 and v6 allows attackers to execute arbitrary commands via shell metacharacters in outputform or toclevels parameter to cgi-bin/printbook.
Status Published

CVE-2020-28188

Remote Command Execution (RCE) vulnerability in TerraMaster TOS <= 4.2.06 allow remote unauthenticated attackers to inject OS commands via /include/makecvs.php in Event parameter.
Status Published

CVE-2020-35665

An unauthenticated command-execution vulnerability exists in TerraMaster TOS through 4.2.06 via shell metacharacters in the Event parameter in include/makecvs.php during CSV creation.
Status Published

CVE-2021-3007

Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\Http\Response\Stream class in Stream.php. NOTE: Zend Framework is no longer supported by the maintainer. NOTE: the laminas-http vendor considers this a "vulnerability in the PHP language itself" but has added certain type checking as a way to prevent exploitation in (unrecommended) use cases where attacker-supplied data can be deserialized.
Status Published

CVE-2021-3129

Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.
Status Published

CVE-2021-21972

The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).
Status Published

CVE-2021-29003

Genexis PLATINUM 4410 2.1 P4410-V2-1.28 devices allow remote attackers to execute arbitrary code via shell metacharacters to sys_config_valid.xgi, as demonstrated by the sys_config_valid.xgi?exeshell=%60telnetd%20%26%60 URI.

Last edited: 9 June 2021 2:19 pm