Juniper Threat Labs analysts have noticed that an update to the Python botnet FreakOut (also known as Necro and N3Cr0m0rPh) has added a recently published PoC exploit for Visual Tools DVR to the malware arsenal. The vulnerable devices are digital video recording (DVR) devices used in professional video surveillance and supporting up to 16 cameras and live video transmission to two monitors.
After examining a fresh sample of FreakOut, the experts warned that Visual Tools DVR VX16 18.104.22.168 from visual-tools.com is being attacked using a fresh vulnerability that does not yet have a CVE identifier.
Hacking such devices, in theory, allows attackers to penetrate the company’s internal network, and the devices themselves can be used as part of a DDoS botnet. However, in this particular case, FreakOut operators are more interested in the abuse of compromised hardware resources to mine Monero cryptocurrency.
The PoC exploit, which is a command injection without authentication, was published in July 2021, and is now used along with many other exploits, including:
- CVE-2020-15568: TerraMaster TOS below version 4.1.29;
- CVE-2021-2900: Genexis PLATINUM 4410 2.1 P4410-V2-1.28;
- CVE-2020-25494: Xinuos (formerly SCO) OpenServer v5 and v6;
- CVE-2020-28188: TerraMaster TOS;
- CVE-2019-12725: Zeroshell 3.9.0.
The expert report states that another interesting aspect of the botnet’s operation is the use of DGA, which is used for both C&C servers and download servers. It looks like the malware uses a different seed for each campaign and has already created about 253 unique pseudo-random domains that will be used in operations.
It is also noted that in fresh samples of FreakOut, other important changes were found, for example:
- removed the SMB scanner from the malware code;
- Script injection URL changed from hardcoded to DGA;
- TOR Socks proxies with DDoS support have been replaced with new ones.
Catch up on more stories here
Follow us on Facebook here