Wednesday, 09 July 2025

FreakOut bots attack Linux devices with new vulnerabilities

The new Linux malware FreakOut adds infected devices to a botnet capable of launching DDoS attacks and mining Monero with its victims' computing power. The malicious program enters the system by exploiting critical vulnerabilities for which patches have already been released.

The first FreakOut attacks were discovered on January 8th. In less than a week, Check Point Software Technologies experts counted over 380 exploit attempts against their customers - mainly in the United States (27%) and Western Europe (24%). Most often, the malware attacked financial organizations, government agencies and medical institutions.

Three vulnerabilities, each allowing remote execution of malicious code and each rated 9.8 on the CVSS scale, were found to be used to deliver the new bots:

• CVE-2020-28188 - the ability to inject commands into TOS, an operating system from the TerraMaster NAS vendor;

• CVE-2021-3007 - deserialization of untrusted data in Zend Framework, a popular set of libraries for building web applications;

• CVE-2020-7961 - deserialization of untrusted data in Liferay Portal, an open source CMS system used to create websites and portals.

If the exploit succeeds, a Python script is downloaded onto the system from a third-party server: an IRC bot with wide capabilities. On command it can perform port scans, gather information, create and send data packets, sniff network traffic, create and launch flood-type DDoS attacks, and mine cryptocurrency using the XMRig miner. The malware can also spread to other devices on the local network and attack targets outside it using the same exploits.

The FreakOut C&C server address is hardcoded in its code. On this server, experts found records indicating that 185 Linux devices had been compromised. TerraMaster addressed the TOS flaw in version 4.2.07, released early last month. An update for Liferay Portal (7.2.1) is also available. The Zend Framework project is no longer supported; its users are encouraged to install the patch produced by the Laminas Project contributors.

Source: anti-malware.ru

20 January 2021
