FreakOut, the multi-platform Python-based malware that targets Windows and Linux devices, has been updated. The malware can now worm its way into publicly exposed, unpatched VMware vCenter servers by exploiting an RCE vulnerability in vCenter.
According to a Cisco Talos report, FreakOut's developers are improving the malware's spreading capabilities. Moreover, since May, the botnet's activity has suddenly increased.
The recent activity shows various changes to the bot, such as different C2 communications. It can now spread across more operating systems by exploiting additional vulnerabilities. In addition, it can target a victim by brute-forcing passwords over the SSH protocol.
For every IP address in the scan list, the bot attempts to log in using a hardcoded list of SSH credentials or to use one of the built-in exploits.
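On the defender's side, the credential-list behaviour described above leaves a recognisable footprint in sshd logs: a burst of failed logins from one source cycling through several usernames, sometimes followed by a success. The following detector is an added example written for this article (not code from the Talos report or from the malware); the log lines are constructed, and the thresholds and the 2021 year used for timestamps are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines (not taken from the page or the Talos report).
SAMPLE_AUTH_LOG = """\
Jun 12 03:14:01 host1 sshd[2101]: Failed password for root from 198.51.100.23 port 40122 ssh2
Jun 12 03:14:02 host1 sshd[2103]: Failed password for invalid user admin from 198.51.100.23 port 40130 ssh2
Jun 12 03:14:02 host1 sshd[2105]: Failed password for invalid user pi from 198.51.100.23 port 40138 ssh2
Jun 12 03:14:03 host1 sshd[2107]: Failed password for invalid user ubuntu from 198.51.100.23 port 40144 ssh2
Jun 12 03:14:04 host1 sshd[2109]: Failed password for root from 198.51.100.23 port 40150 ssh2
Jun 12 03:14:05 host1 sshd[2111]: Accepted password for root from 198.51.100.23 port 40158 ssh2
Jun 12 03:20:17 host1 sshd[2130]: Failed password for alice from 192.0.2.10 port 51000 ssh2
Jun 12 03:20:40 host1 sshd[2132]: Accepted publickey for alice from 192.0.2.10 port 51002 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted ... for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_ts(ts, year=2021):
    # syslog timestamps carry no year; the year is an assumption for the sample.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def detect_ssh_bruteforce(log_text, max_fail=4, window_s=60):
    """Return {ip: {"failures", "users", "accepted_after"}} for every source
    that produced max_fail failed logins within window_s seconds. A success
    from the same source after such a burst is the case worth escalating."""
    fails, users, accepted = defaultdict(list), defaultdict(set), defaultdict(bool)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts = m["ip"], parse_ts(m["ts"])
        if m["result"] == "Failed":
            fails[ip].append(ts)
            users[ip].add(m["user"])
        elif ip in fails:
            accepted[ip] = True
    hits = {}
    for ip, times in fails.items():
        times.sort()
        # Sliding window: any max_fail consecutive failures inside window_s is a hit.
        for i in range(len(times) - max_fail + 1):
            if (times[i + max_fail - 1] - times[i]).total_seconds() <= window_s:
                hits[ip] = {"failures": len(times), "users": sorted(users[ip]),
                            "accepted_after": accepted[ip]}
                break
    return hits
```

Running it over the sample flags 198.51.100.23 (five failures across four usernames in three seconds, then an accepted password), while the single typo from 192.0.2.10 stays below the threshold.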
The malware also includes new exploits that abuse vulnerabilities in SCO OpenServer, Vesta Control Panel and VMware vSphere, as well as SMB-based exploits, none of which were found in earlier iterations of the code.
The bot further scans for new systems to target by randomly generating network ranges or on its operators' commands sent over IRC via the C2 server.
Newly added exploits
The bot has been updated to exploit CVE-2021-21972, a vulnerability in the vRealize Operations (vROps) plugin for VMware vCenter that impacts thousands of VMware servers.
Other exploits include the Nrdh[.]php remote code execution exploit for an unknown app, and Python versions of the EternalRomance (CVE-2017-0147) and EternalBlue (CVE-2017-0144) exploits.
FreakOut's developers have been very active for the past few months. Updating the malware with newer tricks to penetrate more networks and adding newer exploits increases its chances of infecting and spreading further. Experts recommend frequently upgrading defense mechanisms and having a robust patch management system to protect against such threats.