Python-based malware that targets Windows and Linux devices has been seen worming its way into unpatched VMware vCenter servers and other products.
Cisco Talos security researchers say they have observed a spike in activity from the FreakOut botnet, which has been upgraded with new exploits designed to improve its ability to spread.
FreakOut (aka Necro and N3Cr0m0rPh) is a Python script that evades detection using a polymorphic engine and a user-mode rootkit; the rootkit lets the attackers hide malicious files and processes from the local administrator, and the bot also allows them to modify system settings remotely.
FreakOut exploits a wide variety of operating system and application vulnerabilities and adds infected devices to an IRC botnet controlled by the attackers.
The malware's main functions are launching distributed denial-of-service (DDoS) attacks, planting backdoors, and installing XMRig miners to mine Monero cryptocurrency. It can also be used to monitor network traffic.
The bot was first discovered earlier this year and has since undergone various changes, including new exploits that it uses to spread.
“Although the bot was originally discovered earlier this year, the latest activity shows numerous changes to the bot, ranging from different command and control (C2) communications and the addition of new exploits for spreading, most notably vulnerabilities in VMWare vSphere, SCO OpenServer, Vesta Control Panel and SMB-based exploits that were not present in the earlier iterations of the code,” Cisco Talos security researcher Vanja Svajcer said.
FreakOut bots find new targets either by scanning randomly generated network ranges or by scanning ranges supplied in a command from the operators. Against each host they find, the bot tries its built-in exploits to compromise the server, or attempts to log in over SSH using a built-in list of credentials.
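The SSH side of that propagation leaves a recognisable trace on every host it touches: a burst of failed logins from one source address, cycling through many usernames within seconds, sometimes followed by a success. The following detector is an added example written for this page, not code from Cisco Talos or from the malware itself. It assumes the default OpenSSH syslog format ("Failed password for ... from IP port N ssh2"), and the sample log lines, thresholds (5 failures across 3 or more usernames within 60 seconds) and addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of OpenSSH auth.log lines (not a real capture). A bot
# replaying a credential list produces many failures from one source against
# many usernames within seconds; a human mistyping a password does not.
SAMPLE_AUTH_LOG = """\
Jun  2 10:14:01 vm1 sshd[2011]: Failed password for root from 203.0.113.7 port 51002 ssh2
Jun  2 10:14:02 vm1 sshd[2013]: Failed password for invalid user admin from 203.0.113.7 port 51004 ssh2
Jun  2 10:14:02 vm1 sshd[2015]: Failed password for invalid user oracle from 203.0.113.7 port 51006 ssh2
Jun  2 10:14:03 vm1 sshd[2017]: Failed password for invalid user ubnt from 203.0.113.7 port 51008 ssh2
Jun  2 10:14:03 vm1 sshd[2019]: Failed password for invalid user pi from 203.0.113.7 port 51010 ssh2
Jun  2 10:14:04 vm1 sshd[2021]: Failed password for root from 203.0.113.7 port 51012 ssh2
Jun  2 10:14:05 vm1 sshd[2023]: Accepted password for root from 203.0.113.7 port 51014 ssh2
Jun  2 10:20:11 vm1 sshd[2101]: Failed password for alice from 198.51.100.23 port 40001 ssh2
Jun  2 10:20:40 vm1 sshd[2103]: Accepted publickey for alice from 198.51.100.23 port 40002 ssh2
"""

# Matches both "Failed password for root ..." and "Failed password for invalid user admin ...".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_sshd_events(log_text):
    """Yield (timestamp, result, user, ip) for each sshd login line; skip unrelated lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; strptime defaults to 1900, which is
        # fine because only differences between timestamps are used below.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def find_credential_sprayers(log_text, window_seconds=60, min_failures=5, min_users=3):
    """Return {ip: details} for sources whose failures look like a replayed credential
    list: at least min_failures failed logins spanning at least min_users distinct
    usernames inside window_seconds. success_after records whether any login from the
    same source succeeded after the burst began, i.e. the host is likely compromised."""
    by_ip = defaultdict(list)
    for ts, result, user, ip in parse_sshd_events(log_text):
        by_ip[ip].append((ts, result, user))

    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        failures = [e for e in events if e[1] == "Failed"]
        for i, (t0, _, _) in enumerate(failures):
            # Sliding window starting at each failure; stop at the first one that qualifies.
            window = [e for e in failures[i:] if (e[0] - t0).total_seconds() <= window_seconds]
            users = {e[2] for e in window}
            if len(window) >= min_failures and len(users) >= min_users:
                success = any(e[1] == "Accepted" and e[0] >= t0 for e in events)
                hits[ip] = {
                    "failures": len(window),
                    "users": sorted(users),
                    "success_after": success,
                }
                break
    return hits


if __name__ == "__main__":
    for ip, info in find_credential_sprayers(SAMPLE_AUTH_LOG).items():
        status = "SUCCESS AFTER SPRAY" if info["success_after"] else "no success seen"
        print(f"{ip}: {info['failures']} failures over {len(info['users'])} users ({status})")
```

On the sample data only 203.0.113.7 is flagged: six failures across five usernames in four seconds, followed by an accepted root password, which is exactly the sequence a bot with a built-in credential list leaves behind. The single failure from 198.51.100.23 followed by a key-based login is ignored. The thresholds are a starting point; in practice pair this with the "Accepted" follow-up as the trigger for a host investigation, since a success after a spray means the machine should be treated as part of the botnet until proven otherwise.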
The latest FreakOut versions are more than twice as likely to compromise servers, researchers said.
Researchers warn that the vCenter Server vulnerability in the vSphere Client plugin for vRealize Operations (CVE-2021-21972) is a critical issue: it allows unauthenticated remote code execution and affects all default installations of vCenter Server, because the plugin is present whether or not vRealize Operations is actually in use.
“Necro Python bot shows an actor that follows the latest development in remote command execution exploits on various web applications and includes the new exploits into the bot. This increases its chances of spreading and infecting systems,” Svajcer added.