The threat actor behind a peer-to-peer (P2P) botnet known as Fritz Rana is back with a new variant that exploits the Log4Shell vulnerability to propagate internally within an already compromised network.
“The vulnerability is exploited with a brute force that attempts to target as many vulnerable Java applications as possible,” web infrastructure and security company Akamai said in a report shared with The Hacker News.
FritzFrog, first documented by Guardicore (now part of Akamai) in August 2020, is Golang-based malware that primarily targets Internet-facing servers with weak SSH credentials. It is known to have been active since January 2020.
It has since evolved to target healthcare, education, and government sectors, as well as improving its capabilities to deploy cryptocurrency miners on infected hosts.
New in the latest version is the use of the Log4Shell vulnerability as a secondary infection vector to specifically target internal hosts rather than targeting publicly accessible vulnerable resources.
“When the vulnerability was first discovered, Internet-connected applications were prioritized for patching due to their significant risk of compromise,” said security researcher Ori David.
“In contrast, internal machines, which were less likely to be exploited, were often neglected and remained unpatched, a circumstance that FritzFrog takes advantage of.”
This means that even if Internet-facing applications have been patched, a breach of any other endpoint can expose unpatched internal systems to malware exploitation and propagation.
FritzFrog’s brute-force SSH component also received a makeover to identify specific SSH targets by enumerating different system logs on each of its victims.
Another notable change in the malware is the use of the PwnKit flaw tracked as CVE-2021-4034 to achieve local privilege escalation.
“FritzFrog continues to employ tactics to stay hidden and avoid detection,” David said. “In particular, special care is taken to avoid dropping files to disk whenever possible.”
This is achieved via the /dev/shm shared memory location, which has also been used by other Linux-based malware such as BPDFoor and Commando Cat, and memfd_create to execute memory-resident payloads.
The disclosure comes as Akamai revealed that the InfectedSlurs botnet is actively exploiting now-patched security flaws (CVE-2024-22768 to CVE-2024-22772 and CVE-2024-23842) that impact several models of Hitron DVR devices Systems for launching distributed Denial of Service (DDoS) attacks.