
FritzFrog botnet exploits Log4Shell and PwnKit vulnerabilities


The FritzFrog botnet has gained new potential for expansion: a recently analyzed variant of the bot has been observed exploiting the Log4Shell (CVE-2021-44228) and PwnKit (CVE-2021-4034) vulnerabilities for lateral movement and privilege escalation.

Initially identified in August 2020, the FritzFrog botnet is a peer-to-peer botnet powered by malware written in Golang. It targets SSH servers by brute-forcing login credentials and has successfully compromised thousands of servers globally. The botnet’s primary objective is to use the compromised servers for covert cryptocurrency mining.

One of the new and improved capabilities of the botnet is its ability to constantly update itself with enhanced features. The latest versions of the malware attempt to target all hosts in the internal network, either via SSH brute-forcing or by exploiting the Log4Shell vulnerability. Moreover, the botnet also aims to exploit the PwnKit vulnerability in the PolKit Linux component to gain root privileges and execute its binary.

The creators of FritzFrog are making use of the fact that many organizations have patched Log4Shell on internet-facing applications but have neglected to do the same on internal assets. Additionally, since PolKit comes pre-installed by default on most Linux distributions, many unpatched devices remain vulnerable to the botnet.

Moreover, FritzFrog has been designed to evade detection by ensuring that it does not drop files on the disk whenever possible, adding to its stealth capabilities.

In response to the growing threat posed by the FritzFrog botnet, researchers have provided an enterprise detection script that defenders can use to check their SSH servers for indicators of a FritzFrog infection. Additionally, administrators are advised to secure SSH access to their servers by using long and unique passwords and enabling multi-factor authentication. Network segmentation has also been recommended as a defensive measure, limiting the ability of FritzFrog and other malware to move laterally across the network.
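The SSH brute-forcing described above leaves a recognisable trace in sshd authentication logs: a burst of failed logins from one source, sometimes followed by a successful login from that same source. The following is an added example of that check, not the researchers' detection script and not code from the article; the log lines are constructed for illustration and the threshold and window are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd log lines (not real data): one internal host
# hammers the server with password guesses and eventually gets in.
SAMPLE_LOG = """\
Jan 10 08:00:01 host sshd[101]: Failed password for root from 10.0.0.5 port 51000 ssh2
Jan 10 08:00:02 host sshd[102]: Failed password for admin from 10.0.0.5 port 51001 ssh2
Jan 10 08:00:03 host sshd[103]: Failed password for invalid user oracle from 10.0.0.5 port 51002 ssh2
Jan 10 08:00:04 host sshd[104]: Failed password for ubuntu from 10.0.0.5 port 51003 ssh2
Jan 10 08:00:05 host sshd[105]: Failed password for root from 10.0.0.5 port 51004 ssh2
Jan 10 08:00:06 host sshd[106]: Accepted password for root from 10.0.0.5 port 51005 ssh2
Jan 10 08:30:00 host sshd[107]: Failed password for alice from 10.0.0.9 port 40000 ssh2
Jan 10 08:45:00 host sshd[108]: Accepted publickey for alice from 10.0.0.9 port 40001 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted ... for <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+ ssh2$"
)

def parse_ts(ts, year=2024):
    # syslog timestamps carry no year; assume one so arithmetic works
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Flag sources with >= threshold failed logins inside window_s seconds,
    and any accepted login from an already-flagged source (likely compromise)."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()
    logins_after = {}               # src -> user of first accepted login after flagging
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, t = m["src"], parse_ts(m["ts"])
        if m["result"] == "Failed":
            q = failures[src]
            q.append(t)
            while (t - q[0]).total_seconds() > window_s:   # drop stale failures
                q.popleft()
            if len(q) >= threshold:
                flagged.add(src)
        elif src in flagged and src not in logins_after:
            logins_after[src] = m["user"]
    return {"brute_force_sources": sorted(flagged),
            "logins_after_brute_force": logins_after}

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
```

A hit in `logins_after_brute_force` is the case worth paging on: the guessing succeeded, and the page's advice on MFA and segmentation is what keeps that host from becoming a launch point for the next one.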

The evolving nature of the FritzFrog botnet highlights the significance of timely patching and securing of software components and network assets. As the botnet continues to exploit known vulnerabilities, organizations need to be proactive in implementing defensive measures to prevent their systems from being compromised by this sophisticated threat.
