The Evolution of FritzFrog: A Persistent Threat Exploiting Log4Shell

In the constantly changing realm of cybersecurity risks, the FritzFrog botnet stands out as a formidable and adept opponent. Recent developments reveal a new variant of FritzFrog leveraging the Log4Shell vulnerability, marking a concerning shift in its tactics. This article explores the evolution of FritzFrog, its advanced techniques, and the imminent threats it poses to organizations worldwide.

The Log4Shell Connection

More than two years after the Log4j vulnerability surfaced, FritzFrog has found a way to capitalize on lingering weaknesses in organizational networks. Unlike typical Log4Shell attacks, this peer-to-peer, Golang-based botnet strategically avoids Internet-facing systems. Instead, it exploits internal network assets, preying on organizations that have overlooked patching these areas. This shift in focus has allowed FritzFrog to persistently infiltrate networks, with its developers continuously adapting the botnet over time.

FritzFrog’s Modus Operandi

Historically known for brute-forcing Internet-facing servers with weak SSH passwords, the new variant of FritzFrog has elevated its game. In addition to exploiting Log4Shell, it scans compromised hosts for system logs, identifying potential targets within internal networks. This approach capitalizes on the fact that internal machines, often deemed less vulnerable, are frequently neglected and remain unpatched. FritzFrog’s success lies in its ability to compromise assets by finding weak SSH passwords and exploiting Log4Shell vulnerabilities within internal networks.

New Tools in FritzFrog’s Arsenal

In its latest form, the botnet has incorporated various upgrades, including the exploitation of CVE-2021-4034, a memory corruption vulnerability in Polkit. This flaw, although disclosed two years ago, remains prevalent, given that Polkit is installed by default in most Linux distributions. Additionally, FritzFrog employs stealth measures, utilizing TOR for communication, an “antivirus” module to eliminate other type of malwares. It also leverages Linux features like the /dev/shm shared memory folder and the memfd_create function to operate from RAM, avoid touching the disk to achieve fileless execution.

Frog4Shell Emerges

The evolution of FritzFrog extends to a campaign now known as “Frog4Shell.” This campaign targets vulnerable Java applications, expanding its reach and impact. The botnet’s ability to read numerous system files on compromised hosts has facilitated more than 20,000 attacks against over 1,500 victims since its first appearance in 2020.

Mitigating the Threat

Despite FritzFrog’s varied weapons and advanced techniques, mitigating the threat is surprisingly straightforward. The botnet propagates primarily through weak SSH passwords and Log4Shell exploits. Therefore, organizations can bolster their defenses by implementing strong passwords and ensuring prompt system patching. As FritzFrog continues to evolve, the cybersecurity community must remain vigilant, anticipating further exploits and refining defense strategies to counter this ongoing menace.

If you have any questions or require assistance, we are actively seeking strategic partnerships and would welcome the opportunity to collaborate. Don’t hesitate to contact us!



Stay in the loop! Sign up for our newsletter today for getting regular updates.