Recent investigations reveal an escalating malware campaign targeting network-attached storage (NAS) devices operating on Linux systems. The attacks exploit widely reported vulnerabilities, co-opting these devices into an Internet Relay Chat (IRC) botnet for the purposes of launching distributed denial-of-service (DDoS) attacks and mining Monero cryptocurrency. The malware variant involved is termed “FreakOut,” which has been linked to critical flaws in the Laminas Project (formerly Zend Framework) and Liferay Portal, as well as an unpatched vulnerability in TerraMaster.

As outlined in new analyses by Check Point Research, the exploitation of these vulnerabilities—specifically CVE-2020-28188, CVE-2021-3007, and CVE-2020-7961—enables malicious actors to inject and execute harmful commands on the infected servers. The research has positioned this malware as the work of a long-time cybercriminal known by aliases such as Fl0urite and Freak, who has been active since at least 2015.

The attackers’ aim is to deploy a Python script dubbed “out.py,” which runs on Python 2, a version that reached end-of-life last year. This reliance suggests that the attackers expect many victim devices to still run the outdated interpreter. The malware is downloaded from a specific site (hxxp://gxbrowser[.]net) and is reported to contain obfuscated code that changes with each download, complicating detection efforts.

Within days of the initial attacks, F5 Labs issued warnings regarding a series of compromises targeting TerraMaster (CVE-2020-28188) and Liferay CMS (CVE-2020-7961), warning businesses that attacks deploying the N3Cr0m0rPh IRC bot and a Monero miner were underway. An IRC botnet consists of many infected machines that receive their instructions through IRC channels, allowing an operator to execute a variety of malicious commands across all of them.

In the case of FreakOut, compromised devices are designed to communicate with a hardcoded command-and-control (C2) server, from which the malware receives the commands it executes. Its capabilities go beyond simple command execution and include port scanning, information gathering, network sniffing, and DDoS amplification. Affected hosts may also be used for crypto-mining or to launch lateral attacks across networks while masquerading as legitimate company operations.

The speed of infections is alarming, with hundreds of devices already compromised soon after the campaign’s launch. Cybersecurity experts cautioned that the FreakOut campaign could escalate in scale and complexity. In response to these developments, TerraMaster is anticipated to release a patch in version 4.2.07. For immediate mitigation, users are advised to upgrade to Liferay Portal 7.2 CE GA2 (7.2.1) or later, as well as laminas-http 2.14.2.
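A simple inventory check against the fixed versions named above, as an added example (not code from the article, Check Point, or any vendor). It uses the versions the article states (Liferay Portal 7.2.1, laminas-http 2.14.2) and the TerraMaster build the article says is anticipated (4.2.07); component names and the sample inventory are constructed for illustration.

```python
"""Compare inventoried component versions against the fixed versions named in the article."""
import re

# Minimum versions at which the article says each issue is addressed.
# Component keys are hypothetical labels chosen for this example.
FIXED_VERSIONS = {
    "liferay-portal": "7.2.1",    # CVE-2020-7961
    "laminas-http": "2.14.2",     # CVE-2021-3007
    "terramaster-tos": "4.2.07",  # CVE-2020-28188, patch anticipated per the article
}


def parse_version(text):
    """Extract a dotted version from a string and return it as an int tuple.

    Numeric comparison avoids the string-comparison mistake where
    '4.2.07' sorts below '4.2.1' and '7.2.10' sorts below '7.2.9'.
    Strings like '7.2 CE GA2 (7.2.1)' carry the precise release last, so
    the last dotted group is used.
    """
    matches = re.findall(r"\d+(?:\.\d+)+", text)
    if not matches:
        raise ValueError("no dotted version found in %r" % text)
    return tuple(int(part) for part in matches[-1].split("."))


def is_patched(component, installed):
    """True when the installed version is at or above the fixed version."""
    return parse_version(installed) >= parse_version(FIXED_VERSIONS[component])


def assess(inventory):
    """Map each component to 'patched', 'vulnerable', or 'unknown' (not in the list)."""
    report = {}
    for component, installed in inventory.items():
        if component not in FIXED_VERSIONS:
            report[component] = "unknown"
        else:
            report[component] = "patched" if is_patched(component, installed) else "vulnerable"
    return report


# Constructed sample inventory; these are not real hosts.
SAMPLE_INVENTORY = {
    "liferay-portal": "7.2 CE GA1 (7.2.0)",
    "laminas-http": "2.14.10",
    "terramaster-tos": "4.2.06",
}

if __name__ == "__main__":
    for component, status in assess(SAMPLE_INVENTORY).items():
        print("%-16s %s" % (component, status))
```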

This campaign shows that the attackers behind it are highly experienced cybercriminals. In a press interview, Adi Ikan, head of network cybersecurity research at Check Point, stressed that the threat to the targeted Linux users is ongoing. The campaign’s reliance on recently disclosed vulnerabilities underscores the importance of vigilant security practices and timely updates.

Given the sophistication and speed with which this attack campaign is unfolding, business owners must remain proactive in their cybersecurity measures to protect against potential intrusions that leverage identified vulnerabilities.
