A multi-platform Python-based virus targeting Windows and Linux devices has now been modified to worm its way into Internet-exposed VMware vCenter servers unpatched against a remote code execution vulnerability.
The malware, named FreakOut by Check Point researchers in January (also known as Necro and N3Cr0m0rPh), is an obfuscated Python script built with a polymorphic engine and a user-mode rootkit that hides the malicious files it drops on infected systems.
FreakOut spreads by taking advantage of a variety of OS and app flaws and brute-forcing passwords over SSH, adding the infected devices to an IRC botnet that is under the control of its creators.
Its main features let the operators backdoor infected systems, sniff and exfiltrate network traffic, and deploy XMRig miners to mine Monero cryptocurrency.
Updated malware with fresh exploits
FreakOut’s developers have been hard at work enhancing the malware’s spreading capabilities since early May, when the botnet’s activity abruptly spiked, Cisco Talos researchers said in a report released today.
“Although the bot was originally discovered earlier this year, the latest activity shows numerous changes to the bot, ranging from different command and control (C2) communications and the addition of new exploits for spreading, most notably vulnerabilities in VMWare vSphere, SCO OpenServer, Vesta Control Panel and SMB-based exploits that were not present in the earlier iterations of the code,” Cisco Talos security researcher Vanja Svajcer said.
FreakOut bots look for new systems to attack either by generating network ranges at random or by acting on commands their operators deliver over IRC from the command-and-control server.
For each IP address in the resulting scan list, the bot attempts to break in using one of its built-in exploits or a hardcoded set of SSH credentials.
The most recent FreakOut versions include more than twice as many built-in exploits, whereas earlier versions could only exploit vulnerable versions of Liferay, Laravel, WebLogic, TerraMaster, and Zend Framework (Laminas Project) web apps.
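As an added example (not code from the article or from Cisco Talos), here is a small Python detector for the SSH credential-guessing behaviour described above: it parses sshd auth-log lines, flags a source address that fails repeatedly within a short window, and records whether a successful login followed, which is the pattern a hardcoded credential list produces on a host it manages to enter. The log lines and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth.log sample (not real telemetry): one address cycles
# through several accounts and then gets in; a legitimate user fails once.
SAMPLE_AUTH_LOG = """\
Jun 10 03:14:01 host1 sshd[2201]: Failed password for root from 203.0.113.7 port 41022 ssh2
Jun 10 03:14:03 host1 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 41030 ssh2
Jun 10 03:14:05 host1 sshd[2205]: Failed password for invalid user pi from 203.0.113.7 port 41041 ssh2
Jun 10 03:14:07 host1 sshd[2207]: Failed password for invalid user ubuntu from 203.0.113.7 port 41050 ssh2
Jun 10 03:14:09 host1 sshd[2209]: Accepted password for root from 203.0.113.7 port 41058 ssh2
Jun 10 03:20:44 host1 sshd[2301]: Failed password for alice from 198.51.100.9 port 50012 ssh2
Jun 10 03:21:02 host1 sshd[2303]: Accepted publickey for alice from 198.51.100.9 port 50014 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" form.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_auth_log(text, year=2021):
    """Return a list of (timestamp, result, user, ip) tuples; syslog lines carry no year."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def find_brute_force(events, min_failures=3, window_seconds=120):
    """Map each source IP that fails min_failures times within window_seconds to
    its failure count, the accounts tried, and the account of any later success."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[3]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[1] == "Failed"]
        for i in range(len(fails) - min_failures + 1):
            last_fail = fails[i + min_failures - 1][0]
            if (last_fail - fails[i][0]).total_seconds() <= window_seconds:
                success = [e for e in evs if e[1] == "Accepted" and e[0] > last_fail]
                findings[ip] = {"failures": len(fails),
                                "users": sorted({e[2] for e in fails}),
                                "success_after": success[0][2] if success else None}
                break
    return findings
```

A non-empty `success_after` is the case worth escalating first, since it means the guessed credential worked and the host should be treated as compromised rather than merely probed.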
Cisco Talos found the following exploits newly added to the malware variant in May:
VestaCP 0.9.8: “v sftp license” script injection
ZeroShell 3.9.0: ‘cgi-bin/kerbynet’ remote root command injection
SCO OpenServer 5.0.7: ‘output form’ script injection
Genexis PLATINUM 4410 2.1 P4410-V2-1.28: remote command execution
OTRS 6.0.1: remote command execution
VMware vCenter: remote command execution
Nrdh.php remote code execution in an unidentified application
Python implementations of the EternalBlue and EternalRomance exploits (CVE-2017-0144 and CVE-2017-0147, respectively)
Numerous VMware servers are vulnerable to attack
The VMware vCenter vulnerability (CVE-2021-21972) resides in the vCenter plugin for vRealize Operations (vROps) and is particularly notable because it affects all default vCenter Server installations.