Thursday, February 22, 2024

FritzFrog Botnet Attacking Linux Servers to Steal SSH Credentials

The FritzFrog botnet, originally identified in 2020, is an advanced peer-to-peer botnet built in Golang that can operate on both AMD and ARM-based devices. With constant updates, the malware has developed over time, adding and enhancing features.

A new strain of the FritzFrog botnet was discovered exploiting the Log4Shell vulnerability to target all hosts in the internal network. 

Additionally, by using weak SSH credentials, the malware attacks servers that are accessible over the internet. 

“Newer variants now read several system files on compromised hosts to detect potential targets for this attack that have a high likelihood of being vulnerable,” Akamai shared with Cyber Security News.

The Exploitation Chain

The only infection vector used by FritzFrog was SSH brute force; however, more recent iterations of the malware have added the Log4Shell exploitation dubbed “Frog4Shell”. 

Run Free ThreatScan on Your Mailbox

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .

A vulnerability called Log4Shell was found in the popular open-source Log4j web tool in 2021. Governments and security firms carried out a global initiative to patch the technology.

Presently, the malware targets every host on the internal network as part of its routine for spreading. The malware is attempting to connect to every address on the local network to accomplish this.

According to the researchers, internal computers, which were less likely to be exploited, were frequently overlooked and went unpatched—a situation that FritzFrog takes advantage of.

FritzFrog scanning the local network to identify targets
FritzFrog scanning the local network to identify targets

“This means that even if the “high-profile” internet-facing applications have been patched, a breach of any asset in the network by FritzFrog can expose unpatched internal assets to exploitation,” researchers said.

FritzFrog searches for HTTP servers on ports 8080, 8090, 8888, and 9000 to find possible Log4Shell targets. The malware is currently targeting as many vulnerable Java applications as possible.

Log4Shell exploitation flow
Log4Shell exploitation flow

Additionally, FritzFrog enhanced its capacity to identify targets for SSH brute force, which is its primary infection vector.

FritzFrog will now attempt to identify specific SSH targets by counting multiple system logs on each of its victims, in addition to targeting randomly generated IP addresses.

The malware now includes a module that exploits CVE-2021-4034, a privilege escalation in the polkit Linux component. On susceptible servers, this module allows the malware to operate as root.

“Since it is installed by default on most Linux distributions, many unpatched machines are still vulnerable to this CVE today,” researchers said.


  • The network segmentation can stop the lateral movement of the malware. Software-based segmentation has the potential to be a long-lasting protective measure that is comparatively easy to implement.
  • For use on SSH servers, a FritzFrog detection script is given that searches for the following FritzFrog indicators:

a. Running processes named nginx, ifconfig, php-fpm, apache2, or libexec, whose executable file no longer exists on the file system (as seen below)

b. Listening port 1234


Latest articles

Earth Preta Hackers Abuses Google Drive to Deploy DOPLUGS Malware

Threat actors abuse Google Drive for several malicious activities due to its widespread use,...

Swiggy Account Hacked, Hackers Placed Orders Worth Rs 97,000

In a startling incident underscoring the growing menace of cybercrime, a woman's Swiggy account...

Beware of VietCredCare Malware that Steals businesses’ Facebook Accounts

A new cybersecurity threat targeting Facebook advertisers in Vietnam, known as VietCredCare, has emerged....

Google Chrome 122 Update Addresses Critical Security Vulnerabilities

Google has recently unveiled Chrome 122, a significant milestone for the widely used web...

New Malicious PyPI Packages Use DLL Sideloading In A Supply Chain Attack

Researchers have discovered that threat actors have been using open-source platforms and codes for...

New Mingo Malware Attacking Linux Redis Servers To Mine Cryptocurrency

The malware, termed Migo by the creators, attempts to infiltrate Redis servers to mine cryptocurrency on...

Security Onion 2.4.50 Released for Defenders With New Features

Security Onion Solutions has recently rolled out the latest version of its network security...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Live Account Takeover Attack Simulation

Live Account Take Over Attack

Live Webinar on How do hackers bypass 2FA ,Detecting ATO attacks, A demo of credential stuffing, brute force and session jacking-based ATO attacks, Identifying attacks with behaviour-based analysis and Building custom protection for applications and APIs.

Related Articles