FritzFrog Botnet Exploits Log4Shell on Overlooked Internal Hosts

Everyone knows to patch vulnerabilities for Internet-facing assets, but what about internal ones? One botnet is counting on your complacency.


A new variant of an advanced botnet called "FritzFrog" has been spreading via Log4Shell.

It's been more than two years since the critical vulnerability in Log4j was first unleashed unto this earth, yet attackers are still making good use of it, as many organizations remain unpatched. Particularly, it seems, in deceptively secure areas of their networks.

Unlike most Log4Shell attacks, FritzFrog — a peer-to-peer, Golang-based botnet — doesn't target Internet-facing systems and services. Its trick, rather, is to search for and spread through the same vulnerability in internal network assets that organizations are less likely to have patched.

And Log4Shell is just one of FritzFrog's new tricks. "It seems like, for the developers, this is an ongoing project — they're adapting it over time," explains Ori David, security researcher at Akamai, author of a report published Feb. 1. "So yeah, it's a pretty sophisticated botnet."

How FritzFrog Spreads

Historically, FritzFrog likes to infect networks by brute-forcing Internet-facing servers with weak SSH passwords. The new variant builds on this tactic by reading several system logs on compromised hosts, with the aim of identifying more potentially weak targets to spread to in a network.

In addition to weak passwords, nowadays it is also scanning for Log4Shell openings.

"It will compromise an asset in your environment by finding a weak SSH password, and then it will scan your entire internal network and find vulnerable apps that would not be exposed to normal Log4Shell attacks," David explains, referring to Web-based attacks.

As he wrote in his report, the strategy works so well since "When the vulnerability was first discovered, Internet-facing applications were prioritized for patching because of their significant risk of compromise. Contrastly, internal machines, which were less likely to be exploited, were often neglected and remained unpatched — a circumstance that FritzFrog takes advantage of."

FritzFrog's Other New Tricks

Improved network scanning and Log4Shell exploiting are just two of FritzFrog's latest upgrades.

To make privilege escalation a cinch, it is now exploiting CVE-2021-4034, a memory corruption vulnerability in Polkit rated "high," with a CVSS score of 7.8 out of 10. Though two years have passed since its disclosure, this trivial-to-exploit flaw is likely widespread, as Polkit is installed by default in most Linux distributions.

The FritzFrog developers have also given a good deal of thought to stealth. Besides its TOR support, and an "antivirus" module which kills unrelated malware in a system, the new variant makes use of two aspects of Linux: the /dev/shm shared memory folder, and the memfd_create function, which creates anonymous files stored in RAM. The goal with each is to reduce the risk of detection by avoiding touching the disk.
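Both techniques leave the same trace for a defender: a running process whose executable link in /proc points into /dev/shm or at a memfd file rather than at a file on disk. The Python sketch below is an added example, not code from the article or from Akamai's report; its function names are illustrative, and it assumes the standard Linux behavior in which a memfd-backed binary shows up in /proc/<pid>/exe as "/memfd:<name> (deleted)".

```python
import os


def classify_exe(target):
    """Return a reason string if an exe link target is RAM-backed, else None."""
    # Assumption: standard Linux naming for memfd_create-backed executables.
    if target.startswith("/memfd:"):
        return "memfd_create anonymous file"
    # Trailing slash avoids matching unrelated paths such as /dev/shmfoo.
    if target.startswith("/dev/shm/"):
        return "executable in /dev/shm"
    return None


def scan_proc(proc_root="/proc"):
    """Return [(pid, exe_target, reason)] for processes running from RAM."""
    findings = []
    pids = sorted((e for e in os.listdir(proc_root) if e.isdigit()), key=int)
    for pid in pids:
        try:
            target = os.readlink(os.path.join(proc_root, pid, "exe"))
        except OSError:
            # Kernel threads have no exe link; other users' processes
            # are unreadable without root; short-lived processes may vanish.
            continue
        reason = classify_exe(target)
        if reason:
            findings.append((int(pid), target, reason))
    return findings


if __name__ == "__main__":
    for pid, target, reason in scan_proc():
        print(f"pid={pid} exe={target!r} reason={reason}")
```

Run it as root to see every process. A hit is a lead to triage rather than a verdict, since legitimate software can also execute from memory-backed files.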

These tricks, among others, have contributed to the botnet's 20,000-plus attacks against more than 1,500 victims since its first spotting in 2020.

But for widespread malware with such varied weapons at its disposal, David says, its kryptonite is terribly simple: "FritzFrog propagates in two ways: weak SSH passwords, and Log4Shell. So the best ways to mitigate against it would be to have good passwords, and to patch your systems."

About the Author(s)

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.
