A new botnet variant known as “FritzFrog” has been observed infiltrating systems through the Log4Shell vulnerability, marking a concerning development in the ongoing exploitation of this critical security flaw.
Although more than two years have passed since Log4Shell was first disclosed, attackers are still exploiting it. The threat persists in part because many organizations have still not patched all of their systems, leaving internal network assets exposed to exploitation.
One of the notable characteristics of the FritzFrog botnet is its use of a peer-to-peer, Golang-based infrastructure, which distinguishes it from typical Log4Shell attacks that target internet-facing systems and services. Instead, FritzFrog focuses on infiltrating internal network assets that organizations may have overlooked when applying patches for the Log4Shell vulnerability.
Security researcher Ori David, who authored a report on FritzFrog, notes that the botnet’s developers are continually adapting and refining their tactics, making it a particularly sophisticated and evolving threat.
FritzFrog spreads through a variety of methods, one of which involves brute-forcing weak SSH passwords on internet-facing servers. The malware then expands its reach by scanning system logs on compromised hosts to identify additional vulnerable targets within a network. In addition to exploiting weak passwords, the latest variant of FritzFrog is also scanning for Log4Shell vulnerabilities.
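The SSH brute-forcing described above leaves a recognisable trail in sshd logs. The following detection script is an added example for this article, not code from the report or from the botnet; it parses a few constructed auth.log lines (the hostnames, IPs and usernames are made up) and raises two kinds of alert: a burst of failed logins from one source, and a password login that succeeds shortly after such failures, which is the case a defender most wants to catch.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the standard OpenSSH "Failed/Accepted password|publickey for ..." lines.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: '
    r'(?P<result>Failed|Accepted) (?P<method>password|publickey) for '
    r'(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2'
)

# Constructed sample log lines (not from the article or any real host).
SAMPLE_AUTH_LOG = [
    "Jan 30 10:00:01 host sshd[1234]: Failed password for root from 203.0.113.5 port 51000 ssh2",
    "Jan 30 10:00:03 host sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 51002 ssh2",
    "Jan 30 10:00:05 host sshd[1236]: Failed password for root from 203.0.113.5 port 51004 ssh2",
    "Jan 30 10:00:07 host sshd[1237]: Failed password for root from 203.0.113.5 port 51006 ssh2",
    "Jan 30 10:00:09 host sshd[1238]: Accepted password for root from 203.0.113.5 port 51008 ssh2",
    "Jan 30 10:05:00 host sshd[1300]: Failed password for alice from 198.51.100.7 port 40000 ssh2",
    "Jan 30 10:05:30 host sshd[1301]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2",
]


def parse_line(line, year=2024):
    """Return a dict for an sshd auth line, or None for anything else.
    syslog timestamps carry no year, so one is assumed (default 2024)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_ssh_bruteforce(lines, threshold=3, window_seconds=300):
    """Sliding-window detector: alert once per source IP when failures
    within the window reach `threshold`, and alert again if a password
    login from that IP then succeeds while failures are still in the window."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    failures = defaultdict(list)  # ip -> timestamps of recent failures
    alerts = []
    for e in events:
        # Drop failures that have aged out of the window for this IP.
        recent = [t for t in failures[e["ip"]]
                  if (e["ts"] - t).total_seconds() <= window_seconds]
        failures[e["ip"]] = recent
        if e["result"] == "Failed":
            recent.append(e["ts"])
            if len(recent) == threshold:
                alerts.append({"type": "bruteforce", "ip": e["ip"],
                               "failures": threshold, "at": e["ts"]})
        elif e["method"] == "password" and recent:
            # A key-based login after a typo is normal; a password success
            # after a burst of failures is the brute-force-succeeded signal.
            alerts.append({"type": "success_after_failures", "ip": e["ip"],
                           "user": e["user"], "prior_failures": len(recent),
                           "at": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_ssh_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

On the sample data the 203.0.113.5 source trips the failure threshold on its third attempt and is flagged again when the password login for root succeeds; alice's single typo followed by a public-key login is deliberately not flagged. The threshold and window are parameters so they can be tuned to the noise level of a given host.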
David emphasizes that FritzFrog’s strategy of targeting internal network assets takes advantage of the common tendency for organizations to prioritize patching internet-facing applications, leaving internal machines potentially exposed and unprotected.
In addition to its improved network scanning and Log4Shell exploitation, the latest iteration of FritzFrog exploits a memory corruption vulnerability in Polkit for privilege escalation. The botnet now also includes Tor support, an “antivirus” module that removes unrelated malware from infected systems, and uses Linux features such as the /dev/shm shared memory folder and the memfd_create function to minimize the risk of detection.
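Both evasion features named above have a visible signature on a running host: a process launched from a memfd_create descriptor shows an exe link of the form `/memfd:<name> (deleted)` in /proc, and a binary dropped in /dev/shm executes from a tmpfs path. The checker below is an added example written for this article (not the report's or the botnet's code); it classifies a constructed list of process records (the PIDs, paths and names are made up) and also includes a live collector that reads /proc on a Linux host. It goes slightly beyond the article by also flagging the related case of an executable deleted after launch.

```python
import os
import re

MEMFD_RE = re.compile(r'^/memfd:')
SHM_PREFIXES = ("/dev/shm/", "/run/shm/")

# Constructed process records in the shape collect_linux_processes() returns.
# "exe" is what readlink(/proc/PID/exe) gives back.
SAMPLE_PROCESSES = [
    {"pid": 101,  "exe": "/usr/sbin/sshd",             "cmdline": "sshd: /usr/sbin/sshd -D"},
    {"pid": 2048, "exe": "/memfd:loader (deleted)",    "cmdline": "loader"},
    {"pid": 2077, "exe": "/dev/shm/.cache/updater",    "cmdline": "/dev/shm/.cache/updater"},
    {"pid": 3001, "exe": "/usr/bin/python3",           "cmdline": "python3 app.py"},
    {"pid": 4010, "exe": "/var/tmp/.x/worker (deleted)", "cmdline": "./worker"},
]


def classify_process(proc):
    """Return a list of reasons a process looks fileless or shm-hosted;
    an empty list means nothing suspicious was seen."""
    exe = proc["exe"]
    reasons = []
    if MEMFD_RE.match(exe):
        # Anonymous in-memory file: no on-disk artefact for a scanner to find.
        reasons.append("executable image is an anonymous memfd (memfd_create)")
    elif exe.endswith(" (deleted)"):
        # Binary existed on disk at exec time but has since been unlinked.
        reasons.append("executable file was deleted after launch")
    if exe.startswith(SHM_PREFIXES):
        reasons.append("executable lives on shared-memory tmpfs (/dev/shm)")
    return reasons


def find_suspicious(procs):
    """Map pid -> reasons for every process that classify_process flags."""
    return {p["pid"]: r for p in procs if (r := classify_process(p))}


def collect_linux_processes(proc_root="/proc"):
    """Live collector: read exe link and cmdline for every numeric /proc entry.
    Entries we lack permission to read are skipped, so run as root for full coverage."""
    procs = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            exe = os.readlink(f"{proc_root}/{name}/exe")
            with open(f"{proc_root}/{name}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue
        procs.append({"pid": int(name), "exe": exe, "cmdline": cmdline})
    return procs


if __name__ == "__main__":
    # Demonstrate on the constructed sample; swap in collect_linux_processes() on a real host.
    for pid, reasons in find_suspicious(SAMPLE_PROCESSES).items():
        print(pid, "->", "; ".join(reasons))
```

Kernel threads and some legitimate software (JIT runtimes, package upgrades that replace a running binary) can produce a `(deleted)` exe link, so treat that reason as lower confidence than the memfd and /dev/shm ones and pair it with the parent process and cmdline before escalating.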
Despite FritzFrog’s multifaceted attack capabilities, David underscores that the preventive measures are simple: strong passwords and prompt patching remain the most effective strategies for mitigating the threat posed by the botnet.
Overall, the emergence of the FritzFrog botnet variant underscores the persistence and adaptability of cyber threats, demonstrating the ongoing need for organizations to remain vigilant in applying security patches and implementing strong password policies to protect against evolving malware attacks.
