The creators of the FreakOut botnet (aka Necro, N3Cr0m0rPh) have updated the malware and added a PoC exploit for Visual Tools DVR, an electronic video recorder used in surveillance video systems that can support up to 16 cameras and transmit live video to two monitors.
FreakOut malware is an obfuscated Python script designed to evade detection using a polymorphic engine and a user-mode rootkit that hides malicious files dropped on compromised systems.
Juniper Threat Labs specialists examined the latest sample of the malware and warned that it exploits a vulnerability in Visual Tools DVR VX16 220.127.116.11 from visual-tools.com that has no CVE number assigned.
According to them, successful exploitation downloads the bot onto the system and installs an XMRig Monero miner. Besides this function, the botnet also supports:
- Network Sniffer
- Spreading by exploits
- Gaining access via brute-force
- Using Domain Generation Algorithm
- Installing a Windows rootkit
- Receiving and executing bot commands
- Participating in DDoS attacks
- Infecting HTML, JS, PHP files
- Installing Monero Miner
- Crypto-mining campaigns
The PoC exploit code for this new vulnerability, which is an unauthenticated command injection, has been publicly available since July 2021. Experts at Juniper Threat Labs see the FreakOut botnet exploiting the vulnerabilities listed below: