FritzFrog Returns with Log4Shell and PwnKit, Spreading Malware Inside Your Network

The threat actor behind a peer-to-peer (P2P) botnet known as FritzFrog has made a return with a new variant that leverages the Log4Shell vulnerability to propagate internally within an already compromised network.

“The vulnerability is exploited in a brute-force manner that attempts to target as many vulnerable Java applications as possible,” web infrastructure and security company Akamai said in a report shared with The Hacker News.

FritzFrog, first documented by Guardicore (now part of Akamai) in August 2020, is a Golang-based malware that primarily targets internet-facing servers with weak SSH credentials. It’s known to be active since January 2020.

It has since evolved to strike healthcare, education, and government sectors as well as improved its capabilities to ultimately deploy cryptocurrency miners on infected hosts.

What’s novel about the latest version is the use of the Log4Shell vulnerability as a secondary infection vector to specifically single out internal hosts rather than targeting vulnerable publicly-accessible assets.

“When the vulnerability was first discovered, internet-facing applications were prioritized for patching because of their significant risk of compromise,” security researcher Ori David said.

“Contrastly, internal machines, which were less likely to be exploited, were often neglected and remained unpatched — a circumstance that FritzFrog takes advantage of.”

This means that even if the internet-facing applications have been patched, a breach of any other endpoint can expose unpatched internal systems to exploitation and propagate the malware.

The SSH brute-force component of FritzFrog has also received a facelift of its own to identify specific SSH targets by enumerating several system logs on each of its victims.

Another notable change in the malware is use of the PwnKit flaw tracked as CVE-2021-4034 to achieve local privilege escalation.

“FritzFrog continues to employ tactics to remain hidden and avoid detection,” David said. “In particular, it takes special care to avoid dropping files to disk when possible.”

This is accomplished by means of the shared memory location /dev/shm, which has also been put to use by other Linux-based malware such as BPFDoor and Commando Cat, and memfd_create to execute memory-resident payloads.

The disclosure comes as Akamai revealed that the InfectedSlurs botnet is actively exploiting now-patched security flaws (from CVE-2024-22768 through CVE-2024-22772, and CVE-2024-23842) impacting multiple DVR device models from Hitron Systems to launch distributed denial-of-service (DDoS) attacks.