FreakOut Malware Worms Its Way Into Vulnerable VMware Services

A multi-platform Python-based malware targeting Windows and Linux devices has now been upgraded to worm its way into Internet-exposed VMware vCenter servers unpatched against a remote code execution vulnerability. BleepingComputer reports: The malware, dubbed FreakOut by CheckPoint researchers in January (aka Necro and N3Cr0m0rPh), is an obfuscated Python script designed to evade detection using a polymorphic engine and a user-mode rootkit that hides malicious files dropped on compromised systems. FreakOut spreads itself by exploiting a wide range of OS and apps vulnerabilities and brute-forcing passwords over SSH, adding the infected devices to an IRC botnet controlled by its masters. The malware's core functionality enables operators to launch DDoS attacks, backdoor infected systems, sniff and exfiltrate network traffic, and deploy XMRig miners to mine for Monero cryptocurrency.

As Cisco Talos researchers shared in a report published today, FreakOut's developers have been hard at work improving the malware's spreading capabilities since early May, when the botnet's activity has suddenly increased. "Although the bot was originally discovered earlier this year, the latest activity shows numerous changes to the bot, ranging from different command and control (C2) communications and the addition of new exploits for spreading, most notably vulnerabilities in VMWare vSphere, SCO OpenServer, Vesta Control Panel and SMB-based exploits that were not present in the earlier iterations of the code," Cisco Talos security researcher Vanja Svajcer said. FreakOut bots scan for new systems to target either by randomly generating network ranges or on its masters' commands sent over IRC via the command-and-control server. For each IP address in the scan list, the bot will try to use one of the built-in exploits or log in using a hardcoded list of SSH credentials.

No

[raymorris]

> Didn't AV vendors figure out polymorphic viruses/worms to the point where you might as well not even bother like 30 years ago?

No, quite the contrary. The research labs are still scratching their heads trying to come up with *theories* about how it could even be *possible*. Even assuming you get to redesign the target OS from the ground up, it's still a bit of a head scratcher.

On the other hand, there are some telltale signs that an executable might be trying to hide *something*. When a program is hidin

"Internet-exposed VMware vCenter servers"...

[Anonymous Coward]

If you have this you deserve to be hacked...

Re:

[bookwormT3]

gotta manage SCADA & critical infrastructure systems somehow, right? You know, gasoline pipelines, major power plants, that sort of thing.

Re:

[bloodhawk]

There has been a twat on slashdot lately that defends this sort of incompetence, he seems to think walking down a dark alley bent over with your pants down still makes you just a victim and you shouldn't be held partly accountable when it results in you being raped by the bad guy. I can only imagine he is responsible for letting one of these attacks in through his incompetence.

Re:

[eneville]

Maybe, but you don't deserve the research agency leaving a Basic auth header in the screen captures.

IRC botnet, really?!

[Gravis Zero]

Come on, criminals, It's 2021! Centralized command and control systems are so horribly dated. *sigh* This only reinforces my belief that groups like this employ the lowest tier of programmer. Take some pride in your work and build malware that real programmers don't laugh at.

Re:

[tlhIngan]

Come on, criminals, It's 2021! Centralized command and control systems are so horribly dated. *sigh* This only reinforces my belief that groups like this employ the lowest tier of programmer. Take some pride in your work and build malware that real programmers don't laugh at.

Except the places likely to use this may block most ports. You can only rely on 80 and 443 being open, any other port generally is restricted by IP.

Scanning

[Bert64]

FreakOut bots scan for new systems to target either by randomly generating network ranges or on its masters' commands sent over IRC via the command-and-control server. For each IP address in the scan list, the bot will try to use one of the built-in exploits or log in using a hardcoded list of SSH credentials.

And this is why you should migrate to IPv6 ASAP. While it's not a good idea generally to put something exposed to the internet, at least if you do it using IPv6 it has a much lower chance of being found as it's totally impractical to scan entire IPv6 ranges.
With IPv4 as soon as an exploit is available, an attacker can scan the entire public address space in a matter of minutes and exploit every exposed system.

Some systems do actually need to be exposed to the internet, for instance vpn servers, and many vulnerabilities have been found in vpn implementations. If the vpn server sits on an ipv6 address known only to legitimate employees, you have a lot more breathing room to patch the server before anyone malicious is going to find it.

Re:

[tlhIngan]

And this is why you should migrate to IPv6 ASAP. While it's not a good idea generally to put something exposed to the internet, at least if you do it using IPv6 it has a much lower chance of being found as it's totally impractical to scan entire IPv6 ranges.
With IPv4 as soon as an exploit is available, an attacker can scan the entire public address space in a matter of minutes and exploit every exposed system.

Some systems do actually need to be exposed to the internet, for instance vpn servers, and many vul

Re:

[Bert64]

Sounds like you need to adapt to IPv6. For one thing, ARP no longer exists and has been replaced with NDP.

Second is that ARP scanning works by sending probes to every possible address, so NDP scanning in the same way won't work for IPv6 because there are too many possible addresses.

You can consult the NDP table on the local host, but it will only contain devices it has actually communicated with recently. There could be many other devices it doesn't need to communicate with. For instance on a typical office

Lazy Vendors

[Canberra1]

Although the bot was originally discovered earlier this year. I presume someone is running KALI Linux pentests (or better) against their prime software moneymakers weekly, and closing any holes including new cves. These script kiddies are making monkeys of lazy vendors who don't care about their clients. While the clients - muddle on, high on brainfog and a Facebook hangover. Just one day, maybe remote 2 factor will be improved by setting time windows on logins, such as minutes divided by 3, after an unsuc

How does brute-forcing ssh work?

[Progman3K]

I thought unsuccessful login attempts over ssh resulted in an exponential back-off period between each attempt, so brute-forcing it would take literal years

Re:

[eneville]

Depends how many source IP addresses you have to play with and how many targets you have.