FritzFrog Botnet Exploits Log4Shell on Overlooked Internal Hosts

Published: 23/11/2024   Category: security




Everyone knows to patch vulnerabilities for Internet-facing assets, but what about internal ones? One botnet is counting on your complacency.



A new variant of an advanced botnet called FritzFrog has been spreading via Log4Shell. It's been more than two years since the critical vulnerability in Log4j was first unleashed unto this earth, yet attackers are still making good use of it, as many organizations remain unpatched. Particularly, it seems, in deceptively secure areas of their networks.
Unlike most Log4Shell attacks, FritzFrog — a peer-to-peer, Golang-based botnet — doesn't target Internet-facing systems and services. Its trick, rather, is to search for and spread through the same vulnerability in internal network assets that organizations are less likely to have patched.
And Log4Shell is just one of FritzFrog's new tricks. "It seems like, for the developers, this is an ongoing project — they're adapting it over time," explains Ori David, security researcher at Akamai and author of a report published Feb. 1. "So yeah, it's a pretty sophisticated botnet."
Historically, FritzFrog likes to infect networks by brute-forcing Internet-facing servers with weak SSH passwords. The new variant builds on this tactic by reading several system logs on compromised hosts, with the aim of identifying more potentially weak targets to spread to in a network.
In addition to weak passwords, nowadays it is also scanning for Log4Shell openings.
"It will compromise an asset in your environment by finding a weak SSH password, and then it will scan your entire internal network and find vulnerable apps that would not be exposed to normal Log4Shell attacks," David explains, referring to Web-based attacks.
The strategy works so well because, as he wrote in his report, "When the vulnerability was first discovered, Internet-facing applications were prioritized for patching because of their significant risk of compromise. By contrast, internal machines, which were less likely to be exploited, were often neglected and remained unpatched — a circumstance that FritzFrog takes advantage of."
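The defensive counterpart to the internal-scanning behaviour described above is knowing where unpatched Log4j copies sit on hosts that were never Internet-facing. The following is an added example, not code from Akamai's report or from the botnet: it walks a directory tree for log4j-core jars, takes the version from the file name or, failing that, from the jar's manifest, and flags anything below 2.17.1, the commonly recommended minimum patch level for the 2.x line (Log4Shell itself was fixed in 2.15.0). The three-jar sample tree it builds is constructed for the demonstration.

```python
"""Inventory log4j-core jars under a directory tree and flag versions below the
Log4Shell patch level. Added example; not Akamai's or FritzFrog code."""
import os
import re
import tempfile
import zipfile
from pathlib import Path

# Log4Shell is fixed from 2.15.0; 2.17.1 also closes the follow-up issues and is
# the usual minimum patch level for the 2.x line.
MIN_SAFE = (2, 17, 1)
NAME_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def parse_version(jar_path):
    """Version tuple from the jar file name, falling back to the manifest."""
    m = NAME_RE.search(Path(jar_path).name)
    if m:
        return tuple(int(x) for x in m.groups())
    try:
        with zipfile.ZipFile(jar_path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None  # not a jar, or no manifest: report as unknown
    m = re.search(r"Implementation-Version:\s*(\d+)\.(\d+)\.(\d+)", manifest)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(version):
    """True only for a known version below the patch level; unknown stays False."""
    return version is not None and version < MIN_SAFE


def scan_tree(root):
    """Return [(path, version, vulnerable)] for every log4j-core jar found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                ver = parse_version(path)
                findings.append((path, ver, is_vulnerable(ver)))
    return findings


def make_sample_tree(root):
    """Constructed sample: two jars versioned by name, one only via manifest."""
    for rel, manifest_ver in [("app1/lib/log4j-core-2.14.1.jar", None),
                              ("app2/lib/log4j-core-2.17.1.jar", None),
                              ("app3/lib/log4j-core.jar", "2.12.1")]:
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        body = "Manifest-Version: 1.0\n"
        if manifest_ver:
            body += f"Implementation-Version: {manifest_ver}\n"
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", body)


def demo():
    """Build the constructed tree in a temp dir, scan it, key results by app."""
    with tempfile.TemporaryDirectory() as root:
        make_sample_tree(root)
        results = {}
        for path, ver, vuln in scan_tree(root):
            app = Path(path).relative_to(root).parts[0]
            results[app] = (ver, vuln)
    return results


if __name__ == "__main__":
    for app, (ver, vuln) in sorted(demo().items()):
        print(f"{app}: log4j-core {ver} {'VULNERABLE' if vuln else 'ok'}")
```

Point `scan_tree` at `/opt`, `/srv` or wherever the application servers unpack their libraries; jars nested inside WAR or EAR archives are not opened here and need a second pass, and a version reported as `None` should be treated as a finding to investigate rather than as safe.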
Improved network scanning and Log4Shell exploiting are just two of FritzFrogs latest upgrades.
To make privilege escalation a cinch, it is now exploiting CVE-2021-4034, the high-severity (CVSS 7.8 out of 10) memory corruption vulnerability in Polkit. Though two years have passed since its disclosure, this trivial-to-exploit flaw is likely widespread, as Polkit is installed by default in most Linux distributions.
The FritzFrog developers have also given a good deal of thought to stealth. Besides its TOR support, and an antivirus module which kills unrelated malware in a system, the new variant makes use of two aspects of Linux: the /dev/shm shared memory folder, and the memfd_create function, which creates anonymous files stored in RAM. The goal with each is to reduce the risk of detection by avoiding touching the disk.
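Both in-memory tricks leave a trace the defender can read. On Linux, a binary executed from a memfd_create() file shows its /proc/<pid>/exe link as "/memfd:<name> (deleted)", and one launched from /dev/shm resolves under that tmpfs path. The following is an added example, not Akamai's or the botnet's code, that classifies exe link targets and can run over a live /proc; the mapping of pids to link targets it ships with is constructed for the demonstration.

```python
"""Spot running processes whose executable image lives in RAM rather than on
disk. Added example; not Akamai's or FritzFrog code."""
import os

# Constructed sample of /proc/<pid>/exe link targets, as os.readlink() returns them.
SAMPLE_EXE_LINKS = {
    1: "/usr/lib/systemd/systemd",
    812: "/usr/sbin/sshd",
    4021: "/memfd:loader (deleted)",      # image created with memfd_create()
    4077: "/dev/shm/.cache/node",         # binary dropped into shared memory
    4100: "/tmp/update (deleted)",        # backing file unlinked after exec
}


def classify_exe(target):
    """Reason string if the exe link target looks fileless or unlinked, else None."""
    if target.startswith("/memfd:"):
        return "memfd_create image"
    if target.startswith("/dev/shm/"):
        return "executed from /dev/shm"
    if target.endswith(" (deleted)"):
        return "backing file unlinked"
    return None


def find_suspicious(exe_links):
    """Apply classify_exe to a {pid: exe_target} mapping; return sorted hits."""
    hits = []
    for pid, target in exe_links.items():
        reason = classify_exe(target)
        if reason:
            hits.append((pid, target, reason))
    return sorted(hits)


def read_proc_exe_links(proc_root="/proc"):
    """Collect exe link targets from a live /proc; unreadable entries are skipped."""
    links = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            links[int(entry)] = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:  # kernel threads, already-exited processes, or no permission
            continue
    return links


if __name__ == "__main__":
    links = read_proc_exe_links() if os.path.isdir("/proc") else SAMPLE_EXE_LINKS
    for pid, target, reason in find_suspicious(links):
        print(f"pid {pid}: {target}  <- {reason}")
```

Run it as root so every process's exe link is readable. The "(deleted)" case is the weakest signal, since a package upgrade also leaves the old binary unlinked under a still-running process; the memfd and /dev/shm cases have almost no legitimate use on a server and deserve a look every time.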
These tricks, among others, have contributed to the botnet's 20,000-plus attacks against more than 1,500 victims since its first spotting in 2020.
But for widespread malware with such varied weapons at its disposal, David says, its kryptonite is terribly simple: "FritzFrog propagates in two ways: weak SSH passwords, and Log4Shell. So the best ways to mitigate against it would be to have good passwords, and to patch your systems."
