Windows and Linux Devices Are Now Being Targeted by a Multi-Platform Python-Based Malware That Has Been Upgraded to Worm Its Way into Internet-Exposed VMware vCenter Servers.
Last updated on June 7, 2021
Dubbed FreakOut, Necro, or N3Cr0m0rPh, the malware is an obfuscated Python script designed to evade detection using a polymorphic engine and a user-mode rootkit that hides malicious files dropped on compromised systems.
CheckPoint researchers, who discovered FreakOut in January, noted that the malware spreads by exploiting vulnerabilities across a wide range of operating systems. The goal behind the attacks was to build an IRC botnet, which can later be used for several purposes, such as DDoS attacks or crypto-mining.
Image Source: CheckPoint
As detailed in a report published by Cisco Talos, FreakOut’s developers have been improving the malware’s spreading capabilities since early May, when the botnet’s activity suddenly increased.
Although the bot was originally discovered earlier this year, the latest activity shows numerous changes to it, ranging from different command and control (C2) communications to the addition of new exploits for spreading, most notably vulnerabilities in VMware vSphere, SCO OpenServer and Vesta Control Panel, as well as SMB-based exploits that were not present in earlier iterations of the code.
According to the researchers, FreakOut bots now look for new systems to target either by scanning randomly generated network ranges or on commands from their operators, sent over IRC through the command-and-control server.
“For each IP address in the scan list, the bot will try to use one of the built-in exploits or log in using a hardcoded list of SSH credentials”, writes BleepingComputer.
PHP remote code execution exploit for an unknown app.
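The spreading behaviour described above leaves a recognisable trace on any host it reaches: a run of failed SSH logins for several usernames from one source in a short window, sometimes followed by a success. The following is an added detection example (not code from the article, Cisco Talos or CheckPoint) that runs that check over constructed OpenSSH auth.log lines; the log lines, the year, and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (not real logs); the year is assumed to be 2021.
SAMPLE_LOG = """\
Jun  5 10:01:02 host sshd[1201]: Failed password for root from 198.51.100.23 port 41022 ssh2
Jun  5 10:01:03 host sshd[1203]: Failed password for invalid user admin from 198.51.100.23 port 41024 ssh2
Jun  5 10:01:03 host sshd[1205]: Failed password for root from 198.51.100.23 port 41026 ssh2
Jun  5 10:01:04 host sshd[1207]: Failed password for invalid user pi from 198.51.100.23 port 41028 ssh2
Jun  5 10:01:05 host sshd[1209]: Failed password for root from 198.51.100.23 port 41030 ssh2
Jun  5 10:01:06 host sshd[1211]: Accepted password for root from 198.51.100.23 port 41032 ssh2
Jun  5 10:30:00 host sshd[1300]: Failed password for alice from 192.0.2.10 port 50000 ssh2
"""

LINE_RE = re.compile(  # OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>"
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse(lines, year=2021):
    """Yield (timestamp, result, user, ip) for each sshd auth line that matches."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def find_bursts(lines, threshold=5, window_s=60):
    """Map each source IP with >= threshold failed logins inside window_s seconds to the
    burst size, the usernames tried, and whether an accepted login followed the burst."""
    events = defaultdict(list)
    for ts, result, user, ip in parse(lines):
        events[ip].append((ts, result, user))
    hits = {}
    for ip, evs in events.items():
        evs.sort()
        fails = [(ts, u) for ts, r, u in evs if r == "Failed"]
        for i, (start, _) in enumerate(fails):
            window = [(ts, u) for ts, u in fails[i:] if (ts - start).total_seconds() <= window_s]
            if len(window) >= threshold:
                end = window[-1][0]
                hits[ip] = {
                    "failures": len(window),
                    "users": sorted({u for _, u in window}),
                    "success_after": any(r == "Accepted" and ts >= end for ts, r, _ in evs),
                }
                break  # report the first qualifying window per source
    return hits
```

A burst with `success_after` set is the case to act on first: it means one of the guessed credentials worked on the host.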
VMware flaws have also been exploited in the past in ransomware attacks targeting enterprise networks. FreakOut operators have also been seen deploying a custom ransomware strain, which means that they are constantly testing new malicious payloads.
Necro Python bot shows an actor that follows the latest developments in remote command execution exploits on various web applications and includes the new exploits in the bot. This increases its chances of spreading and infecting systems. Users need to make sure to regularly apply the latest security updates to all of their applications, not just operating systems.
Cezarina is the Head of Marketing Communications and PR within Heimdal® and a cybersecurity enthusiast who loves bringing her background in content marketing, UX, and data analysis together into one job. She has a fondness for all things SEO and is always open to receiving suggestions, comments, or questions.