FreakOut malware exploits critical bugs to infect Linux hosts

An active malicious campaign is currently targeting Linux devices running software with critical vulnerabilities that is powering network-attached storage (NAS) devices or for developing web applications and portals.

The purpose is to infect machines with vulnerable versions of the popular TerraMaster operating system, the Zend Framework (Laminas Project), or Liferay Portal with FreakOut malware, which can help deploy a wide variety of cyberattacks.

Hitting unpatched Linux systems

The common ground for all three software solutions targeted in the ongoing FreakOut campaign is that they all have a large user base and have fixed critical issues recently. However, proof of concept exploit code exists for all of them and is easy to find.

Zend Framework is a collection of professional PHP packages that touts over 570 million installations. Version 3.0.0, though, is has a critical bug (CVE-2021-3007) that could be exploited to achieve remote code execution.

Liferay Portal is a platform for Java developers to build services, user interfaces, custom applications, or to implement ready-made ones. The open-source Community Edition version before 7.2.1 has critical vulnerability (CVE-2020-7961) that allows remote execution of arbitrary code.

TerraMaster is the operating system powering the NAS devices with the same name. Versions 4.2.06 and below suffer from a remote command execution bug (CVE-2020-28188, also critical severity) that allows complete control of the device.

Creating a botnet

Security researchers at Check Point discovered the FreakOut attacks and say that infected Linux devices join a botnet that could help deploy other cyberattacks. They say that the controller could use the infected machines to mine for cryptocurrency, to spread laterally across a company network, or to aim at other targets while masquerading as the compromised company.

FreakOut malware is new on the scene and can serve for port scanning, collect information, network sniffing, or to launch distributed denial-of-service (DDoS) attacks.

The infection chain starts with exploiting one of the three critical vulnerabilities and continues with uploading a Python script ( on the compromised machine.

The attacker tries to run the script using Python 2, which reached end of life in 2020. Check Point believes that this is an indication of the threat actor assuming that the compromised machine is outdated and still has Python 2 installed.

Check Point discovered the attack on January 8, 2021, when they noticed the malicious script being downloaded from hxxp://gxbrowser[.]net. Since then the researchers observed hundreds of attempts to download the code.

Author leaves calling card in comments

Digging deeper, the researchers found earlier versions of the FreakOut Python script. One variant, which included comments and even the name of the developer – Freak, had been updated on the first day of the year.

The researchers say that comparing the two Python scripts and the comments helped them learn about what it can do, who made it, the IRC-based communication method.

In a technical report today, Check Point provides a large list of the FreakOut malware capabilities along with details about the author and the infected systems.

When analyzing the malware, the researchers discovered the credentials for the IRC channel used to send commands to the infected hosts. They found that the IRC server had been created in late November 2020 and had been running with 300 users and five channels.

The most active channel, #update, showed 186 compromised devices replying to the server.

The search for the malware author started from the Freak name found in the Python script and the IRC bot name “N3Cr0m0rPh.” These clues led to a user named “Fl0urite,” who had advertised an IRC bot on a hacker forum back in 2015.

While there are differences between the current version and the older one from 2015, there are many similar capabilities, say Check Point researchers.

Looking for more clues about the identity of the malware author, the researchers discovered a modified Darkcomet code on Pastebin from January 12, 2021, that lists Fl0urite/Freak as the author.

FrakOut botnet is still in the early stages and its current task is to deploy the XMRig cryptocurrency miner on infected hosts. However, Check Point warns that the botnet grew significantly in a short period and highlights that the other capabilities of the malware could be used for more damaging attacks.

NOTE:: This article is copyright by and we are using it for educational or Information purpose only

Best Cyber Security Products & Solutions