The threat actor behind the peer-to-peer (P2P) botnet known as FritzFrog has resurfaced with a new variant that leverages the Log4Shell vulnerability to propagate internally within compromised networks. FritzFrog was first discovered by Guardicore (now part of Akamai) in August 2020 and is a Golang-based malware that primarily targets internet-facing servers with weak SSH credentials. This latest version represents a significant development as it uses Log4Shell as a secondary infection vector to specifically target internal hosts, rather than focusing solely on vulnerable public-facing assets. This means that even if internet-facing applications have been patched, a breach of any other endpoint can expose unpatched internal systems to exploitation, facilitating the propagation of the malware.
Background of FritzFrog
Guardicore’s initial documentation sheds light on the operations of FritzFrog, highlighting its preference for targeting internet-facing servers with weak SSH credentials. The botnet is primarily designed to compromise these servers and gain unauthorized access, ultimately enabling the threat actor to execute malicious operations.
Log4Shell as a secondary infection vector
What makes this latest variant of FritzFrog unique is its utilization of the Log4Shell vulnerability as a secondary infection vector to specifically target internal hosts. The Log4Shell vulnerability, also known as CVE-2021-44228, affects the Apache Logging Services library and has been a major concern since its discovery. By exploiting this vulnerability, FritzFrog can target vulnerable internal systems that may have been overlooked or have yet to be patched.
Enhancements in SSH Brute-Force Component
The SSH brute-force component of FritzFrog has received significant enhancements with this new variant. It leverages a facelift to identify specific SSH targets by enumerating system logs on each victim. By analyzing system logs, FritzFrog gains insights into potential vulnerabilities and weak points in SSH protocols, allowing it to optimize its brute-forcing efforts and successfully compromise SSH credentials.
Utilizing CVE-2021-4034 for local privilege escalation
In addition to leveraging Log4Shell, the latest variant of FritzFrog exploits the PwnKit flaw, tracked as CVE-2021-4034, to achieve local privilege escalation. This flaw allows the malware to gain elevated privileges on compromised systems, enabling it to perform more advanced and malicious activities.
Tactics for remaining hidden and avoiding detection
FritzFrog employs various tactics to remain hidden and evade detection by security measures. One of its notable approaches involves avoiding dropping files to disk whenever possible. To accomplish this, FritzFrog utilizes the shared memory location “/dev/shm,” a technique also employed by other Linux-based malware such as BPFDoor and Commando Cat. Additionally, FritzFrog uses memfd_create to execute memory-resident payloads, further reducing its visibility and detection rates.
Infected Slurs Botnet Exploits DVR Device Flaws
The disclosure of the new FritzFrog variant coincides with Akamai’s revelation of the active exploitation by the InfectedSlurs botnet. InfectedSlurs is leveraging now-patched security flaws affecting multiple DVR device models from Hitron Systems. This botnet employs these vulnerabilities to launch distributed denial-of-service (DDoS) attacks, further underscoring the ongoing threats posed by botnets and vulnerable devices.
Impact and Victims of FritzFrog
FritzFrog has steadily expanded its reach over the years, claiming more than 1,500 victims to date. Initially focusing on internet-facing servers, the botnet has now diversified its target sectors to include healthcare, education, and government organizations. This broader scope amplifies the potential impact and underscores the urgent need for enhanced cybersecurity measures within these critical sectors.
The resurgence of the FritzFrog botnet with its new variant, exploiting the Log4Shell vulnerability, highlights the evolving nature of cyber threats and the constant need for vigilance in maintaining robust security measures. This latest development emphasizes the importance of promptly patching known vulnerabilities and implementing strong authentication protocols, such as secure SSH credentials. Proactive cybersecurity practices remain vital in safeguarding sensitive data, preventing unauthorized access, and mitigating the risks posed by sophisticated malware strains like FritzFrog. As the threat landscape continues to evolve, organizations must stay one step ahead by investing in advanced threat detection and mitigation technologies to protect their networks and resources from increasingly sophisticated cyber threats.