Late last month, Juniper Threat Labs researchers observed new activity by FreakOut (also known as Necro and N3Cr0m0rPh), a Python-based botnet, targeting Visual Tools DVRs used in professional video surveillance systems.
The botnet actively uses several exploits, including one for the Visual Tools DVR VX16 220.127.116.11. After exploiting the vulnerability, the bot is loaded onto the device and deploys a Monero miner.
FreakOut was created to carry out DDoS attacks and covert cryptocurrency mining. The botnet was first discovered in 2020, and its functionality has expanded significantly since then.
According to Juniper experts, the FreakOut bot supports many features, including:
- Traffic analyzer (network sniffer).
- Distribution using exploits.
- Propagation using brute force attacks.
- Using the Domain Generation Algorithm (DGA).
- Installing a Windows rootkit.
- Receiving and executing bot commands.
- Participation in DDoS attacks.
- Infection of HTML, JS, PHP files.
- Installing Monero Miner.
In the latest versions of the botnet, the SMB scanner has been removed, and the static control-server address has been replaced with a dynamic one. Unlike earlier versions of FreakOut, the latest version can launch DDoS attacks through Tor SOCKS proxies.
In addition to Visual Tools DVRs, the FreakOut botnet can attack a range of devices using exploits for vulnerabilities such as CVE-2020-15568 (TerraMaster TOS up to version 4.1.29), CVE-2021-2900 (Genexis Platinum 4410 2.1 P4410-V2-1.28), CVE-2020-25494 (Xinuos OpenServer v5 and v6), CVE-2020-28188 (TerraMaster TOS up to version 4.2.06), and CVE-2019-12725 (Zeroshell 3.9.0).
“Digital video recorders are a pretty interesting target for IoT botnet creators,” Mikhail Zaitsev, an information security expert at SEQ, told cnews.ru. “They are well suited for criminal mining of cryptocurrencies and for launching DDoS attacks, since they often use a high-bandwidth communication channel. And, like many other IoT devices, DVRs often experience security and firmware issues, so some pretty old exploits work with them. This is observed in this case.”