How to analyze FreakOut botnet

2025-01-16 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 05/31 Report

This article explains how to analyze the FreakOut botnet. The content is concise and easy to follow, and the detailed walkthrough should give you a clear picture of how the botnet operates.

Recently, Check Point researchers discovered a series of attacks linked to the FreakOut botnet, aimed mainly at unpatched vulnerabilities in applications running on Linux systems.

The botnet first appeared in November 2020, and some of its attacks exploit recently disclosed vulnerabilities to perform operating system command injection. The goal of the attack is to compromise the system and enlist it in an IRC botnet, which is then used for other malicious activity such as DDoS attacks and cryptocurrency mining.

FreakOut infection chain

Figure: FreakOut attack flow

The attack exploits three recently disclosed vulnerabilities: CVE-2020-28188, CVE-2021-3007 and CVE-2020-7961. Attackers use them to upload and execute Python scripts on the compromised server.

CVE-2020-28188

The flaw is a lack of input validation on the "event" parameter of the "makecvs" PHP page (/include/makecvs.php). An unauthenticated remote attacker can exploit it to inject operating system commands and take control of the server.

Figure: attack exploiting CVE-2020-28188

CVE-2021-3007

The vulnerability is caused by insecure object deserialization. In Zend Framework 3.0.0 and later, attackers abuse the framework's ability to load classes from objects in order to upload and execute malicious code on the server. The payload is delivered through the "callback" parameter, into which malicious code can be inserted.

Figure: attack exploiting CVE-2021-3007

CVE-2020-7961

This is a Java deserialization vulnerability in Liferay Portal. An attacker can supply a malicious object which, when deserialized, leads to remote code execution.

Figure: attack exploiting CVE-2020-7961
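To turn the three exploitation descriptions above into something a defender can check, here is an added example (my code, not from the article or from Check Point) that scans web-server access logs for the two request patterns the article names: shell metacharacters in the "event" parameter of /include/makecvs.php (CVE-2020-28188) and a PHP serialized object in a "callback" parameter (CVE-2021-3007). The log lines are constructed, the class name inside the serialized value is a placeholder, and the assumption that an exploit of the callback parameter arrives as PHP serialize() output is mine. The Liferay vector is not covered because the article gives no request details for it.

```python
"""Added example (not from the article or Check Point): flag web requests that
match the FreakOut exploitation patterns described above, for log review."""
import re
from urllib.parse import parse_qs, urlsplit

# Shell metacharacters that have no business inside a CSV export "event" name
SHELL_META = re.compile(r"[;&|`$]")
# Prefix of a PHP serialize()'d object, e.g. O:8:"SomeClass":0:{}
# (assumption: an exploit of the "callback" parameter carries such a value)
PHP_OBJECT = re.compile(r'^[oO]:\d+:"')


def classify_request(target):
    """Return the CVE tag a request target matches, or None if it looks benign."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    if parts.path.lower().endswith("/include/makecvs.php"):
        if any(SHELL_META.search(v) for v in query.get("event", [])):
            return "CVE-2020-28188"
    if any(PHP_OBJECT.match(v) for v in query.get("callback", [])):
        return "CVE-2021-3007"
    return None


# Common log format: client identd user [time] "METHOD target proto" status size
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def scan_access_log(lines):
    """Return (client, cve, target) for every request that matches a pattern."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        tag = classify_request(m["target"])
        if tag:
            hits.append((m["src"], tag, m["target"]))
    return hits


# Constructed sample lines; the client addresses are documentation ranges
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Jan/2021:10:02:11 +0000] "GET /include/makecvs.php?event=backup HTTP/1.1" 200 512',
    '203.0.113.7 - - [16/Jan/2021:10:02:19 +0000] "GET /include/makecvs.php?event=x%3Bid HTTP/1.1" 200 87',
    '198.51.100.4 - - [16/Jan/2021:10:05:40 +0000] "GET /index.php?callback=O%3A8%3A%22Placehol%22%3A0%3A%7B%7D HTTP/1.1" 500 0',
    '192.0.2.9 - - [16/Jan/2021:10:06:02 +0000] "GET /index.php?callback=jsonp123 HTTP/1.1" 200 310',
]

if __name__ == "__main__":
    for src, cve, target in scan_access_log(SAMPLE_LOG):
        print(f"{src} {cve} {target}")
```

The first and fourth sample lines are ordinary uses of the same endpoints and are not flagged, which is the point of keying on parameter content rather than on the path alone; a legitimate JSONP callback name never starts with a PHP object header, and a CSV export name never needs a shell separator.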

Vulnerability impact

The vulnerabilities affect the following products:

TerraMaster operating system: the operating system used to manage TerraMaster NAS devices

Zend Framework: a collection of PHP packages for building web applications and services, installed more than 570 million times

Liferay Portal: a free and open-source enterprise portal, a web application platform written in Java that provides features for building websites and portals.

Botnet function

The FreakOut botnet has a modular structure, with a dedicated function for each capability it supports. Its capabilities include:

Port scanning

Collecting system fingerprints, including the device address, memory information and the TerraMaster operating system version

Creating and sending packets:
  ARP poisoning for man-in-the-middle attacks
  Support for UDP and TCP packets, as well as application-layer protocols such as HTTP, DNS, SSDP and SNMP

Brute-force attacks using hard-coded credentials

Handling runtime errors and exceptions

Sniffing the network, using the ARP poisoning function

Propagating to other devices

Adding itself to the rc.local configuration for persistence

Launching DDoS and flooding attacks

Opening a reverse shell on the client

Killing processes by name or ID
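Two of the capabilities in the list above leave traces a defender can check for. The following added example (my code, not the botnet's or Check Point's) shows a passive ARP-conflict check for the ARP poisoning capability and a review of rc.local entries for the persistence capability. All inputs are constructed samples, and the staging directories and download-tool names are my assumptions about what a suspicious boot entry typically looks like.

```python
"""Added example (not from the article or the botnet): two defender-side checks
for indicators of the capabilities listed above, run over constructed inputs."""
import re
from collections import defaultdict


# ---- 1. ARP poisoning: one IP answering with more than one MAC address ----
# Each observation is (seconds, ip, mac); assumption: collected from a passive
# ARP capture or from periodic neighbour-table snapshots.
def detect_arp_conflicts(observations):
    """Return {ip: [macs in the order seen]} for IPs whose MAC address changed."""
    seen = defaultdict(list)
    for _, ip, mac in observations:
        mac = mac.lower()
        if mac not in seen[ip]:
            seen[ip].append(mac)
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}


# ---- 2. rc.local persistence: boot entries that deserve a closer look ----
STAGING_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")          # assumed drop locations
INTERPRETERS = re.compile(r"\b(python[23]?|perl|sh|bash)\b")
REMOTE_FETCH = re.compile(r"\b(curl|wget)\b.*https?://")


def suspicious_rc_local_lines(text):
    """Return (line_no, reason, line) for rc.local entries worth reviewing."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line == "exit 0":
            continue  # comments, blanks and the conventional trailer
        if REMOTE_FETCH.search(line):
            findings.append((n, "downloads from a remote URL at boot", line))
        elif INTERPRETERS.search(line) and any(d in line for d in STAGING_DIRS):
            findings.append((n, "runs a script from a temporary directory", line))
        elif "nohup" in line or line.endswith("&"):
            findings.append((n, "backgrounds a process at boot", line))
    return findings


# Constructed ARP observations: the gateway IP is later claimed by a second MAC
SAMPLE_ARP = [
    (0, "192.168.1.1", "aa:bb:cc:00:00:01"),
    (1, "192.168.1.20", "aa:bb:cc:00:00:20"),
    (30, "192.168.1.1", "aa:bb:cc:00:00:01"),
    (61, "192.168.1.1", "de:ad:be:ef:00:20"),
    (62, "192.168.1.20", "aa:bb:cc:00:00:20"),
]

# Constructed rc.local with one legitimate service and one staged script
SAMPLE_RC_LOCAL = """#!/bin/sh -e
# rc.local - constructed sample for this example
/usr/sbin/ntpd -g
nohup python3 /tmp/.cache/out.py >/dev/null 2>&1 &
exit 0
"""

if __name__ == "__main__":
    for ip, macs in detect_arp_conflicts(SAMPLE_ARP).items():
        print(f"ARP conflict: {ip} seen as {' -> '.join(macs)}")
    for n, reason, line in suspicious_rc_local_lines(SAMPLE_RC_LOCAL):
        print(f"rc.local line {n}: {reason}: {line}")
```

The ARP check will also fire on benign events such as a DHCP lease moving to another host or a replaced network card, so treat a MAC change on the default gateway as the high-priority case and correlate the rest with inventory data. The rc.local heuristics are deliberately narrow; an entry that launches an interpreter on a file under a world-writable directory is the pattern the persistence capability above produces, and a legitimate service start from /usr/sbin is left alone.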

That concludes this overview of how to analyze the FreakOut botnet.
