Linux Devices Under Attack by New FreakOut Malware

The FreakOut malware is adding infected Linux devices to a botnet, in order to launch DDoS and cryptomining attacks.

Researchers are warning a novel malware variant is targeting Linux devices, in order to add endpoints to a botnet to then be utilized in distributed-denial-of-service (DDoS)  attacks and cryptomining.

The malware variant, called FreakOut, has a variety of capabilities. Those include port scanning, information gathering and data packet and network sniffing. It is actively adding infected Linux devices to a botnet, and has the ability to launch DDoS and network flooding attacks, as well as cryptomining activity.

Supply-Chain Security: A 10-Point Audit

Click to Register – New Browser Tab Opens

“If successfully exploited, each device infected by the FreakOut malware can be used as a remote-controlled attack platform by the threat actors behind the attack, enabling them to target other vulnerable devices to expand their network of infected machines,” said researchers with Check Point Research in a Tuesday analysis.

Exploiting Critical Flaws

FreakOut first targets Linux devices with specific products that have not been patched against various flaws.

These include a critical remote command execution flaw (CVE-2020-28188) in TerraMaster TOS (TerraMaster Operating System), a popular data storage device vendor. Versions prior to 4.2.06 are affected, while a patch will become available in 4.2.07.

Also targeted is a critical deserialization glitch (CVE-2021-3007) in Zend Framework, a popular collection of library packages that’s used for building web applications. This flaw exists in versions higher than Zend Framework 3.0.0.

“The maintainer no longer supports the Zend framework, and the lamins-http vendor released a relevant patch for this vulnerability should use 2.14.x bugfix release (patch),” researchers said.

Finally attackers target a critical deserialization of untrusted data issue (CVE-2020-7961) in Liferay Portal, a free, open-source enterprise portal, with features for developing web portals and websites. Affected are versions prior to 7.2.1 CE GA2; an update is available in Liferay Portal 7.2 CE GA2 (7.2.1) or later.

“Patches are available for all products impacted in these CVEs, and users of these products are advised to urgently check any of these devices they are using and to update and patch them to close off these vulnerabilities,” said researchers.

Attack Surface

Researchers said that after exploiting one of these critical flaws, attackers then upload an obfuscated Python script called, downloaded from the site https://gxbrowser[.]net.

“After the script is downloaded and given permissions (using the ‘chmod’ command), the attacker tries to run it using Python 2,” they said. “Python 2 reached EOL (end-of-life) last year, meaning the attacker assumes the victim’s device has this deprecated product installed.”

freakout malware

The top industries targeted by the Freakout malware. Credit: Check Point

This script has varying capabilities, including a port scanning feature, the ability to collect system fingerprints (such as device addresses and memory information), creating and sending packets and brute-force abilities using hard-coded credentials to infect other network devices.

According to a deep dive of the attackers’ main command and control (C2) server, an estimated 185 devices have been hacked thus far.

Researchers said that between Jan. 8 and Jan. 13 they observed 380 (blocked) attack attempts against customers. Most of these attempts were in North America and Western Europe, with the most targeted industries being finance, government and healthcare organizations.

To protect against FreakOut, researchers recommend Linux device users that utilize TerraMaster TOS, Zend Framework or Liferay Portal make sure they have deployed all patches.

“We strongly recommend users check and patch their servers and Linux devices in order to prevent the exploitation of such vulnerabilities by FreakOut,” they said.

Supply-Chain Security: A 10-Point Audit Webinar: Is your company’s software supply-chain prepared for an attack? On Wed., Jan. 20 at 2p.m. ET, start identifying weaknesses in your supply-chain with actionable advice from experts – part of a limited-engagement and LIVE Threatpost webinar. CISOs, AppDev and SysAdmin are invited to ask a panel of A-list cybersecurity experts how they can avoid being caught exposed in a post-SolarWinds-hack world. Attendance is limited: Register Now and reserve a spot for this exclusive Threatpost Supply-Chain Security webinar – Jan. 20, 2 p.m.

Suggested articles