The peer-to-peer (P2P) botnet FritzFrog has resurfaced with a new variant that exploits Log4Shell (CVE-2021-44228), the critical remote code execution flaw in Apache Log4j. Rather than using the bug against internet-facing hosts, the malware uses it to spread laterally inside networks it has already compromised.
According to a report by Akamai, a web infrastructure and security company, the exploit is sprayed in a brute-force manner with the aim of hitting as many vulnerable Java applications as possible, rather than being aimed at specific, previously identified Log4j instances. This is a departure for FritzFrog, which first drew attention for brute-forcing weak SSH credentials on internet-facing servers.
First documented by Guardicore (now part of Akamai) in August 2020, FritzFrog is a Golang-based malware that has targeted organizations in healthcare, education and government, among other sectors. The botnet is believed to have compromised more than 1,500 victims since it emerged, and its capabilities have kept evolving. The latest variant adds Log4Shell as an infection vector for reaching hosts inside internal networks, an approach Akamai has named Frog4Shell.
“When the Log4Shell vulnerability was initially uncovered, the focus was primarily on protecting external applications due to their potential exposure. Internal systems, perceived as less vulnerable, often remained unpatched,” noted security researcher Ori David. Once FritzFrog has a foothold on a single internal machine, those unpatched internal Java applications become reachable targets, even in an organization that updated every internet-facing application promptly.
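The point above implies one concrete check: inventory internal hosts for log4j-core jars that still ship the JndiLookup class at a pre-fix version. The script below is an added example written for this article, not Akamai's tooling or anything from the FritzFrog report. It assumes the CVE-2021-44228 fix thresholds of 2.15.0 for the main 2.x line, 2.12.2 for the Java 7 branch and 2.3.1 for the Java 6 branch, treats removal of JndiLookup.class as a mitigation, recurses into jars nested inside WAR/EAR files, and builds its own sample jars (constructed data, not real log4j builds) for the demo() run.

```python
"""Locate log4j-core jars that still carry JndiLookup.class at a version
without the CVE-2021-44228 fix. Added example for this article; not Akamai's
or FritzFrog's code. Thresholds below are assumptions stated in the lead-in."""
import io
import os
import re
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PREFIX = "org/apache/logging/log4j/core/"
FIXED_BY_BRANCH = {(2, 12): (2, 12, 2), (2, 3): (2, 3, 1)}  # Java 7 / Java 6 branches
FIXED_DEFAULT = (2, 15, 0)                                    # main 2.x line
ARCHIVE_EXT = (".jar", ".war", ".ear")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); None when no x.y.z is present (e.g. '2.0-beta9')."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(x) for x in m.groups()) if m else None


def manifest_version(zf):
    """Implementation-Version from META-INF/MANIFEST.MF, if the jar has one."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return parse_version(line.split(":", 1)[1])
    return None


def is_log4shell_vulnerable(version, has_jndi_lookup):
    """Vulnerable when JndiLookup.class is still present and the version predates
    the fix on its branch; an unparseable version is treated as old."""
    if not has_jndi_lookup:          # class removed: the documented mitigation
        return False
    if version is None:
        return True
    return version < FIXED_BY_BRANCH.get(version[:2], FIXED_DEFAULT)


def check_archive(zf, label, findings):
    """Record log4j-core archives, recursing into nested jars (fat jars, WARs)."""
    names = set(zf.namelist())
    if any(n.startswith(CORE_PREFIX) for n in names):
        version, present = manifest_version(zf), JNDI_LOOKUP in names
        findings.append({"archive": label, "version": version, "jndi_lookup": present,
                         "vulnerable": is_log4shell_vulnerable(version, present)})
    for n in names:
        if n.endswith(ARCHIVE_EXT):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(n))) as inner:
                    check_archive(inner, label + "!" + n, findings)
            except zipfile.BadZipFile:
                continue
    return findings


def scan(root):
    """Walk `root` and return a finding for every archive that bundles log4j-core."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if not f.endswith(ARCHIVE_EXT):
                continue
            path = os.path.join(dirpath, f)
            try:
                with zipfile.ZipFile(path) as zf:
                    check_archive(zf, os.path.relpath(path, root), findings)
            except (zipfile.BadZipFile, OSError):   # corrupt or unreadable: skip
                continue
    return findings


def make_sample_jar(target, version, with_jndi_lookup=True):
    """Minimal stand-in for a log4j-core jar (constructed test data, not a real build)."""
    with zipfile.ZipFile(target, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n" % version)
        zf.writestr(CORE_PREFIX + "Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")


def demo():
    """Build constructed jars in a temp dir, scan it, return {archive: vulnerable}."""
    with tempfile.TemporaryDirectory() as d:
        make_sample_jar(os.path.join(d, "log4j-core-2.14.1.jar"), "2.14.1")
        make_sample_jar(os.path.join(d, "log4j-core-2.17.1.jar"), "2.17.1")
        make_sample_jar(os.path.join(d, "log4j-core-2.12.2.jar"), "2.12.2")
        make_sample_jar(os.path.join(d, "log4j-core-stripped.jar"), "2.14.1", False)
        nested = io.BytesIO()                    # an old log4j-core buried inside a WAR
        make_sample_jar(nested, "2.11.0")
        with zipfile.ZipFile(os.path.join(d, "app.war"), "w") as war:
            war.writestr("WEB-INF/lib/log4j-core-2.11.0.jar", nested.getvalue())
        return {f["archive"]: f["vulnerable"] for f in scan(d)}
```

On a real host, call scan("/") (or the application directories) as a user that can read the deployment paths; each finding reports the archive, the manifest version, whether JndiLookup.class is present and the resulting verdict. The nested-archive recursion matters in practice because application servers commonly bundle log4j-core inside WAR files where a plain filename search never sees it.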
The new variant also sharpens its SSH brute-forcing: rather than scanning blindly, it enumerates system logs on each infected host to pick out specific SSH endpoints to attack. It additionally uses PwnKit (CVE-2021-4034), a local privilege escalation flaw in polkit's pkexec, to gain root on infected hosts and cement its foothold.
The malware is also built to evade detection by avoiding writes to disk wherever it can. Instead it stages and runs its components from /dev/shm, a tmpfs mount backed by RAM, so that nothing reaches persistent storage for file-based scanners or a forensic disk image to find; the same trick is used by a number of other Linux malware families. Defenders therefore have to look at what is executing in memory, not only at what is on disk.
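A practitioner reading this will want a way to spot that behaviour on a host. The script below is an added example for this article, not Akamai's detection logic. It checks each process's resolved /proc/<pid>/exe link for a tmpfs path (/dev/shm, /run/shm), an anonymous memfd, or a binary unlinked after exec, and parses /proc/<pid>/maps for shared objects mapped from the same RAM-backed locations (a clean binary with an injected library). The process list and maps text embedded in it are constructed samples, not captures from an infection.

```python
"""Flag Linux processes executing from RAM-backed locations: an executable in
/dev/shm (tmpfs) or an anonymous memfd, one unlinked after exec, or a clean
binary mapping a .so from those places. Added example; not Akamai's code."""
import os
import re

TMPFS_PREFIXES = ("/dev/shm/", "/run/shm/")
# /proc/<pid>/maps: addr perms offset dev inode [pathname]; pathname is optional
MAPS_LINE = re.compile(r"^\S+ \S+ \S+ \S+ \S+\s+(\S.*)$")


def classify_exe(exe_target):
    """Reasons the resolved /proc/<pid>/exe link looks like in-memory execution."""
    reasons = []
    if exe_target.startswith("/memfd:"):           # readlink gives '/memfd:name (deleted)'
        reasons.append("anonymous memfd executable")
    elif exe_target.startswith(TMPFS_PREFIXES):
        reasons.append("executable in tmpfs shared memory")
    if exe_target.endswith(" (deleted)") and not exe_target.startswith("/memfd:"):
        reasons.append("executable unlinked after exec")
    return reasons


def ram_backed_mappings(maps_text):
    """Paths in a /proc/<pid>/maps dump that live in tmpfs or a memfd."""
    hits = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if m and m.group(1).startswith(TMPFS_PREFIXES + ("/memfd:",)):
            hits.add(m.group(1))
    return sorted(hits)


def flag_processes(procs):
    """procs: iterable of (pid, exe_target, cmdline, maps_text). Returns flagged entries."""
    flagged = []
    for pid, exe, cmdline, maps_text in procs:
        reasons = classify_exe(exe)
        mapped = ram_backed_mappings(maps_text)
        if mapped:
            reasons.append("maps RAM-backed objects: " + ", ".join(mapped))
        if reasons:
            flagged.append({"pid": pid, "exe": exe, "cmdline": cmdline, "reasons": reasons})
    return flagged


def read_live_processes(proc="/proc"):
    """Yield (pid, exe, cmdline, maps) from a live /proc; entries we cannot read
    (other users' processes without root) are skipped."""
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        base = os.path.join(proc, entry)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode("utf-8", "replace").strip()
            with open(os.path.join(base, "maps")) as f:
                maps_text = f.read()
        except OSError:
            continue
        yield int(entry), exe, cmdline, maps_text


# Constructed samples, not captured from a real infection.
SAMPLE_MAPS = """\
55d1c0a00000-55d1c0a21000 r-xp 00000000 fd:01 393245                     /usr/sbin/sshd
7f2a1c000000-7f2a1c021000 rw-p 00000000 00:00 0
7f2a1c400000-7f2a1c5c2000 r-xp 00000000 00:2b 17                         /dev/shm/.x/libhook.so
7ffd6a3e0000-7ffd6a401000 rw-p 00000000 00:00 0                          [stack]
"""
CLEAN_MAPS = "55d1c0a00000-55d1c0a21000 r-xp 00000000 fd:01 393245  /usr/sbin/sshd\n"

SAMPLE_PROCESSES = [
    (412, "/usr/sbin/sshd", "/usr/sbin/sshd -D", CLEAN_MAPS),
    (2931, "/dev/shm/.x/nginx", "nginx", CLEAN_MAPS),          # dropped in tmpfs, named like a daemon
    (3005, "/memfd:kworker (deleted)", "kworker", CLEAN_MAPS),  # memfd_create + exec
    (3120, "/usr/bin/python3.11", "python3 app.py", SAMPLE_MAPS),  # clean binary, injected .so
    (3348, "/tmp/update (deleted)", "./update", CLEAN_MAPS),   # binary removed after launch
]

if __name__ == "__main__":
    for hit in flag_processes(read_live_processes()):
        print(hit)
```

Run as root so every process's exe link and maps are readable; run as a normal user it silently covers only that user's processes. Expect some benign hits (build systems and sandboxes occasionally exec from tmpfs, and package upgrades leave long-running daemons with a "(deleted)" exe), so treat the output as triage input rather than a verdict.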
FritzFrog's new tactics illustrate a broader point: a network hardened only at its perimeter offers little resistance once a single machine falls, and internal hosts left unpatched because they were "not exposed" become the route to a wider compromise. Internal Java applications need the same patch cadence as internet-facing ones, and business leaders weighing security investment should treat lateral movement, not only initial intrusion, as the risk to reduce.
The disclosure follows Akamai's recent findings on InfectedSlurs, a botnet it observed actively exploiting vulnerabilities in several DVR models from Hitron Systems. Both cases are reminders to track vulnerabilities in the devices and software that sit inside the network, not only those at its edge.