Vulnerable Video DVR Devices Now Targeted by the FreakOut Botnet
FreakOut Botnet Developers Have Added a PoC Exploit for Visual Tools DVR.
Last updated on October 13, 2021
FreakOut botnet (aka Necro, N3Cr0m0rPh) creators have updated the malware and added a PoC exploit for Visual Tools DVR, an electronic video recorder utilized in surveillance video systems, capable of supporting up to 16 cameras and transmitting live video to two monitors.
FreakOut malware is an obfuscated Python script designed to evade detection using a polymorphic engine and a user-mode rootkit that hides malicious files dropped on compromised systems.
Juniper Threat Labs specialists examined the latest sample of the malware and warned that Visual Tools DVR VX16 188.8.131.52 from visual-tools.com is being exploited for a vulnerability that has no CVE number assigned.
According to them, successful exploitation will download the bot into the system and install an XMRig Monero miner. Besides this function, the botnet also supports:
The POC exploit code for this new vulnerability, which is an unauthenticated command injection, is publicly available since July 2021. Experts at Juniper Threat Labs see FreakOut botnet exploiting the vulnerabilities written below:
CVE-2020-25494 – Xinuos (formerly SCO) Openserver v5 and v6
CVE-2020-28188 – TerraMaster TOS <= 4.2.06
CVE-2019-12725 – Zeroshell 3.9.0
The botnet also uses Domain generation algorithms (DGA) for both its C2 infrastructure and download server. As explained by the researchers, it selects from a list of dynamic DNS services as its domain, e.g., ddns.net and prefixes that with 10-19 random characters. E.g., ‘3ood3dfcqchro.ddns.net’
The domains are pseudo-randomly generated using a hardcoded seed, 0xFAFFDED00001, and a counter is added until 0xFD (253 in decimal) before the counter is reset to 0. The seed controls the domain to be generated. In effect, it can generate up to 253 unique domains.
This seed is different from the previous campaigns. For instance, the sample used in the March attack used a different seed, 0x7774DEAD.
The specialists have noted a few changes on FreakOut botnet from the previous version. The first change is that the SMB scanner, which was observed in the May 2021 attack, has been removed. Second, the URL that it injects to script files on the compromised system was modified (previously, it used a hardcoded URL and now it uses the DGA for its URL).
The third is a change in the TOR Socks proxies. When the bot receives the “torflood” command, it uses a set of TOR proxies for its DDOS attacks.
In June, we were writing about a multi-platform Python-based malware that has been upgraded to worm its way into Internet-exposed VMware vCenter servers.
To be protected from botnets, make sure you have a proper patching solution in place as this malware is always looking for unpatched systems, and also keep an eye on your networks for faster detection of dubious activity.
With Heimdal™’s patch management software, you can achieve compliance, mitigate exploits, close vulnerabilities, deploy updates, and install software anywhere in the world, and according to any schedule. Our tool covers both Windows and 3rd party application management and comes with customizable set-and-forget settings for automatic deployment of software and updates.
As a Senior Content Writer and Video Content Creator specializing in cybersecurity, I leverage digital media to unravel and clarify complex cybersecurity concepts and emerging trends. With my extensive knowledge in the field, I create content that engages a diverse audience, from cybersecurity novices to experienced experts. My approach is to create a nexus of understanding, taking technical security topics and transforming them into accessible, relatable knowledge for anyone interested in strengthening their security posture.