FreakOut Reloaded with New Exploits to Target its Victims

What happened?

• The recent activity shows various changes to the bot, such as different C2 communications. It can now spread by exploiting more vulnerabilities and operating systems. In addition, it can target a victim by brute-forcing passwords over the SSH protocol.
• For every IP address in the scan list, the bot attempts to log in using a hardcoded list of SSH credentials or use one of the built-in exploits.
• The malware also uses new exploits and abuse vulnerabilities in SCO OpenServer, Vesta Control Panel, VMWare vSphere, and SMB-based exploits that were not found in the earlier iterations of the code.
• The bot further scans for new systems to target by randomly generating network ranges or on its operators' commands sent over IRC via the C2 server.

Newly added exploits 

• In addition, other newly added exploits are VestaCP, ZeroShell 3.9.0, SCO OpenServer 5.0.7, Genexis PLATINUM 4410 2.1 P4410-V2-1.28, OTRS 6.0.1, and the VMWare vCenter.
• Other exploits include the Nrdh[.]php remote code execution exploits for an unknown app and the Python versions of EternalRomance (CVE-2017-0147) and EternalBlue (CVE-2017-0144) exploits.

Conclusion