FreakOut (aka Necro, N3Cr0m0rPh) Python botnet has added a recently published PoC exploit for Visual Tools DVR to its arsenal.
Researchers at Juniper Threat Labs have analyzed a recent sample of the malware and warn that the Visual Tools DVR VX16 18.104.22.168.0 from visual-tools.com is now being targeted with an exploit for a flaw that has no CVE identifier assigned.
Compromising the DVR could allow attackers to move laterally into the internal corporate network where the DVR is located. In addition, the device could be enlisted into DDoS operations.
The PoC (proof of concept) for the new exploit, an unauthenticated command injection, was released on July 6, 2021, and now sits alongside many other exploits in the botnet's arsenal, such as the following:
- CVE-2020-15568 - TerraMaster TOS before 4.1.29
- CVE-2021-2900 - Genexis PLATINUM 4410 2.1 P4410-V2-1.28
- CVE-2020-25494 - Xinuos (formerly SCO) OpenServer v5 and v6
- CVE-2020-28188 - TerraMaster TOS
- CVE-2019-12725 - Zeroshell 3.9.0
When the FreakOut botnet's scans detect a vulnerable system, it uses the exploit to gain access and install an XMRig Monero miner on the device.
Features that still appear in the latest versions of the FreakOut malware include brute-force spreading and network sniffing, so depending on the attackers' interest or the value of the compromised device, attacks could escalate well beyond cryptomining.
Another interesting aspect of the botnet's functionality is the domain generation algorithm (DGA) used for both command-and-control (C2) and download servers.
The malware appears to use a different seed in each campaign to create up to 253 unique, random-looking domains for these functions. The goal is to evade domain blocklisting, which would otherwise reduce the botnet's effectiveness.
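From a defender's side, a DGA like the one described above leaves a recognisable trace in DNS resolver logs: a single client querying a burst of random-looking domains, most of which do not resolve. The following Python snippet is an added example, not code from the article or from Juniper Threat Labs; the log format and the sample lines are constructed for illustration, and the entropy and count thresholds are assumptions to tune per environment.

```python
import math
from collections import defaultdict

# Constructed sample resolver log lines: "<client_ip> <query_name> <rcode>".
# The random-looking .top names are made-up stand-ins for DGA output.
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.9 xk3qpz7wm2vd.top NXDOMAIN
10.0.0.9 b8n4rt1yqz6k.top NXDOMAIN
10.0.0.9 q2wd9ms7xk4b.top NXDOMAIN
10.0.0.9 z7vt3kp1nq8r.top NXDOMAIN
10.0.0.9 c4hy6bmx2ts9.top NXDOMAIN
10.0.0.9 pool.example-mining.invalid NOERROR
10.0.0.7 cdn.example.net NOERROR
10.0.0.7 typo-exmaple.com NXDOMAIN
"""

def shannon_entropy(s: str) -> float:
    """Bits per character of a label; random DGA labels score high."""
    n = len(s)
    if n == 0:
        return 0.0
    freq = defaultdict(int)
    for ch in s:
        freq[ch] += 1
    return -sum((c / n) * math.log2(c / n) for c in freq.values())

def second_level_label(domain: str) -> str:
    """Return the label just left of the TLD (the part a DGA randomises)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def flag_dga_clients(log_text: str, min_nx: int = 4,
                     min_entropy: float = 3.0, min_len: int = 8) -> dict:
    """Map client -> suspicious NXDOMAIN names, keeping only clients whose
    count of high-entropy, non-resolving domains reaches min_nx. A lone
    typo (one NXDOMAIN) stays below the threshold by design."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed or truncated lines
        client, qname, rcode = fields
        if rcode != "NXDOMAIN":
            continue
        label = second_level_label(qname)
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            hits[client].append(qname)
    return {c: names for c, names in hits.items() if len(names) >= min_nx}
```

Run against real resolver or passive-DNS exports, the same heuristic also surfaces the download-server lookups the article mentions, since those come from the same generator.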
Some important differences compared to the FreakOut samples analyzed in the previous months are:
- The SMB scanner has been removed
- The script injection URL was changed from a hardcoded value to one produced by the DGA
- The Tor SOCKS proxies used for DDoS have been replaced with new ones
It is worth mentioning that FreakOut had two notable upgrades this year: one in January, when it added exploits targeting Linux to its arsenal, and one in June, when it was upgraded to target vulnerable VMware servers.
*The DVR is a digital video recorder used in professional-quality video surveillance installations, supporting up to 16 cameras and live video output on two screens.
With information from bleepingcomputer.com