Feb 02 2024

FritzFrog Botnet Attacking Linux Servers To Steal SSH Credentials

Category: Botnet,Cyber Attackdisc7 @ 9:38 am

The FritzFrog botnet, originally identified in 2020, is an advanced peer-to-peer botnet built in Golang that can operate on both AMD and ARM-based devices. With constant updates, the malware has developed over time, adding and enhancing features.

A new strain of the FritzFrog botnet was discovered exploiting the Log4Shell vulnerability to target all hosts in the internal network. 

Additionally, by using weak SSH credentials, the malware attacks servers that are accessible over the internet. 

“Newer variants now read several system files on compromised hosts to detect potential targets for this attack that have a high likelihood of being vulnerable,” Akamai shared with Cyber Security News.

The Exploitation Chain

The only infection vector used by FritzFrog was SSH brute force; however, more recent iterations of the malware have added the Log4Shell exploitation dubbed “Frog4Shell”. 

A vulnerability called Log4Shell was found in the popular open-source Log4j web tool in 2021. Governments and security firms carried out a global initiative to patch the technology.

Presently, the malware targets every host on the internal network as part of its routine for spreading. The malware is attempting to connect to every address on the local network to accomplish this.

According to the researchers, internal computers, which were less likely to be exploited, were frequently overlooked and went unpatched—a situation that FritzFrog takes advantage of.

FritzFrog scanning the local network to identify targets
FritzFrog scanning the local network to identify targets

“This means that even if the “high-profile” internet-facing applications have been patched, a breach of any asset in the network by FritzFrog can expose unpatched internal assets to exploitation,” researchers said.

FritzFrog searches for HTTP servers on ports 8080, 8090, 8888, and 9000 to find possible Log4Shell targets. The malware is currently targeting as many vulnerable Java applications as possible.

Log4Shell exploitation flow
Log4Shell exploitation flow

Additionally, FritzFrog enhanced its capacity to identify targets for SSH brute force, which is its primary infection vector.

FritzFrog will now attempt to identify specific SSH targets by counting multiple system logs on each of its victims, in addition to targeting randomly generated IP addresses.

The malware now includes a module that exploits CVE-2021-4034, a privilege escalation in the polkit Linux component. On susceptible servers, this module allows the malware to operate as root.

“Since it is installed by default on most Linux distributions, many unpatched machines are still vulnerable to this CVE today,” researchers said.


  • The network segmentation can stop the lateral movement of the malware. Software-based segmentation has the potential to be a long-lasting protective measure that is comparatively easy to implement.
  • For use on SSH servers, a FritzFrog detection script is given that searches for the following FritzFrog indicators:

a. Running processes named nginx, ifconfig, php-fpm, apache2, or libexec, whose executable file no longer exists on the file system (as seen below)

b. Listening port 1234

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Dec 23 2022

KmsdBot Botnet Leverages SSH to Compromise Systems and to Launch DDoS Attacks

Category: Botnet,DDoSDISC @ 10:33 am

KmsdBot Botnet Leverages SSH to Compromise Systems and to Launch DDoS Attacks

Researchers from Akamai have continued to study the cryptomining botnet KmsdBot and have looked at its attack flow. It is believed that KmsdBot is a distributed denial of service (DDoS) for hire due to the wide range of companies and regions that were attacked.

“We have continued to analyze and play around with KmsdBot, including modifying the binary and pointing it at our own command and control (C2), which led to us watching the threat actor crash the botnet”, Akamai researchers

Among the major targets were luxury brands and security companies, as well as the game modifications Grand Theft Auto V and Red Dead Redemption 2 and FiveM and RedM.

Asia, North America, and Europe represent the majority of the victims, according to observed IPs and domains.

Launch DDoS Attacks

While analyzing the attack traffic, the first noteworthy attack is referred to as “bigdata” and makes 1 Mb POST requests to the designated port. The payload looks to be garbage even though the Content-Type header says it is URL-encoded.

Researchers say this attack attempts to increase the amount of bandwidth needed to process each request by sending a lot of data in the body of each request. Hence, this is one of the most often used functionalities for this botnet and is a fairly basic feature that almost all DDoS campaigns use.

Also, the TCP protocol’s three-way handshake can be abused by the attacker by utilizing an SYN flood to create half-open connections on several ports. 

This makes it difficult for the target server to handle the volume of traffic and makes it much more difficult for it to discriminate between malicious and legitimate connection requests.

Instead of concentrating on the overall effect of the size of the single packet, there were also some standard HTTP(s) POST and traffic instructions that blend in with standard traffic by closely resembling a normal packet in both size and format.

Here the basic goal of HTTP-based attacks is to send out a lot of packets, which makes it difficult to identify them from legitimate traffic and block them while defending against an attack.

 “After observing this traffic for some time, we can see that after hitting a certain specified packet size, it will start back at a smaller size and grow again, repeating this process over and over”, explains researchers.

Targets Gaming, Luxury Brands, and Even Security Companies

The platforms FiveM and RedM, which are used to host modified “Grand Theft Auto V” and “Red Dead Redemption 2” servers, let server owners make new rules and add new elements to the server that wasn’t in the standalone game.

“A large concentration of targets was located in Asia, North America, and Europe based on the observed IPs and domains”, Akamai

KmsdBot, was intriguing for a few notable reasons: It was written in Go, it had cryptomining functionality, and it had seemingly erratic targets.

Akamai researchers noticed that KmsdBot follows some of the general tendencies, especially in terms of the language used. Malicious code is rapidly being created in a variety of languages, including Go and even compiled Python.

KmsdBot DDoS Botnet

Infosec books | InfoSec tools | InfoSec services

Tags: KmsdBot Botnet

Apr 26 2021

Bye Bye Emotet, law enforcement pushed the uninstall code via the botnet

Category: BotnetDISC @ 1:52 pm

European law enforcement has conducted an operation aimed at performing a mass-sanitization of computers infected with the infamous Emotet Windows malware.

European law enforcement agencies automatically wiped the infamous Emotet malware from infected systems across the world as part of a mass sanitization operation.

Early this year, law enforcement and judicial authorities worldwide conducted a joint operation, named Operation Ladybird, which disrupted the EMOTET botnet. At the time the investigators have taken control of its infrastructure in an international coordinated action. 

This operation was the result of a joint effort between authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol and Eurojust.

The law enforcement agency was able to take over at least 700 servers used as part of the Emotet botnet’s infrastructure.

The authorities started pushing out a 32-bit payload named “EmotetLoader.dll” to clean up the infected systems, the process was set to trigger itself automatically on April 25, 2021 as confirmed by researchers at Malwarebytes.

Bye Bye Emotet, law enforcement pushed the uninstall code via the botnet

Tags: Emotet

Mar 02 2021

Proliferation of sneakerbots across industries

Category: BotnetDISC @ 11:36 pm

A sneakerbot by any other name

What we are observing now is the increasing proliferation of sneakerbots across all industries. As it currently stands, more than 30% of all internet traffic is generated by unwanted bots, a number which will exceed 50% within the next few years. The rapid digital transformation brought about over the past several years has acted as a catalyst for this substantial growth in synthetic traffic.

Whether they are large, organized groups or DIYers, bot operators leverage automation because it’s cheap, easy to use, generates large amounts of profit, and makes success at scale viable.

Here are some recent examples of sneakerbots being used in different industries:

Proliferation of sneakerbots across industries

Tags: sneakerbots

Feb 26 2021

Microsoft releases open-source CodeQL queries to assess Solorigate compromise

Microsoft announced the release of open-source CodeQL queries that it experts used during its investigation into the SolarWinds supply-chain attack

In early 2021, the US agencies FBI, CISA, ODNI, and the NSA released a joint statement that blames Russia for the SolarWinds supply chain attack.

The four agencies were part of the task force Cyber Unified Coordination Group (UCG) that was tasked for coordinating the investigation and remediation of the SolarWinds hack that had a significant impact on federal government networks.

The UCG said the attack was orchestrated by an Advanced Persistent Threat (APT) actor, likely Russian in origin.

According to the security experts, Russia-linked threat actors hacked into the SolarWinds in 2019 used the Sundrop malware to insert the Sunburst backdoor into the supply chain of the SolarWinds Orion monitoring product.

Microsoft, which was hit by the attack, published continuous updates on its investigation, and now released the source code of CodeQL queries, which were used by its experts to identify indicators of compromise (IoCs) associated with Solorigate.

“In this blog, we’ll share our journey in reviewing our codebases, highlighting one specific technique: the use of CodeQL queries to analyze our source code at scale and rule out the presence of the code-level indicators of compromise (IoCs) and coding patterns associated with Solorigate.” reads the blog post published by Microsoft. “We are open sourcing the CodeQL queries that we used in this investigation so that other organizations may perform a similar analysis. Note that the queries we cover in this blog simply serve to home in on source code that shares similarities with the source in the Solorigate implant, either in the syntactic elements (names, literals, etc.) or in functionality.”

Microsoft releases open-source CodeQL queries to assess Solorigate compromise

Tags: CodeQL, Solorigate compromise

Feb 19 2021

Windows and Linux servers targeted by new WatchDog botnet for almost two years

Category: Botnet,Linux Security,Windows SecurityDISC @ 4:09 pm

Due to the recent rise in cryptocurrency trading prices, most online systems these days are often under the assault of crypto-mining botnets seeking to gain a foothold on unsecured systems and make a profit for their criminal overlords.

The latest of these threats is a botnet named WatchDog. Discovered by Unit 42, a threat intelligence division at Palo Alto Networks, this crypto-mining botnet has been active since January 2019.

Written in the Go programming language, researchers say they’ve seen WatchDog infect both Windows and Linux systems.

The point of entry for their attacks has been outdated enterprise apps. According to an analysis of the WatchDog botnet operations published on Wednesday, Unit 42 said the botnet operators used 33 different exploits to target 32 vulnerabilities in software such as:

Windows and Linux servers targeted by new WatchDog botnet for almost two years

Feb 01 2021

Emotet takedown – Europol attacks “world’s most dangerous malware”

Category: Botnet,MalwareDISC @ 11:39 pm

Jan 28 2021

Police Have Disrupted the Emotet Botnet

Category: BotnetDISC @ 12:54 pm

Jan 27 2021

Law enforcement announced global action against NetWalker Ransomware

Category: Botnet,Information Security,RansomwareDISC @ 5:43 pm

A joint operation of U.S. and EU law enforcement authorities allowed the seizure of the leak sites used by NetWalker ransomware operators.

Law enforcement authorities in the U.S. and Europe have seized the dark web sites used by NetWalker ransomware operators. The authorities also charged a Canadian national involved in the NetWalker ransomware operations.

“The Department of Justice today announced a coordinated international law enforcement action to disrupt a sophisticated form of ransomware known as NetWalker.” reads the press release published by DoJ.

“NetWalker ransomware has impacted numerous victims, including companies, municipalities, hospitals, law enforcement, emergency services, school districts, colleges, and universities. Attacks have specifically targeted the healthcare sector during the COVID-19 pandemic, taking advantage of the global crisis to extort victims.”

The group has been active since 2019, the NetWalker ransomware has been offered with the Ransomware-as-a-Service (RaaS) model.

The list of victims of the group is long, it includes Pakistan’s largest private power company K-ElectricArgentina’s official immigration agency, Dirección Nacional de Migraciones, and the University of California San Francisco (UCSF), the latter paid a $1.14 million ransom to recover its files.

Jan 27 2021

Europol-led op knocks 700 servers offline

Category: BotnetDISC @ 10:54 am

Command ‘n’ control botnet of notorious Emotet Windows ransomware shut down in multinational police raid

EU police agency Europol has boasted of taking down the main botnet powering the Emotet trojan-cum-malware dropper, as part of a multinational police operation that included raids on the alleged operators’ homes in the Ukraine.

“To severely disrupt the EMOTET infrastructure, law enforcement teamed up together to create an effective operational strategy. It resulted in this week’s action whereby law enforcement and judicial authorities gained control of the infrastructure and took it down from the inside,” said Europol in a jubilant statement this afternoon.

Police forces from the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine all took part in the takedown.

“Analysis of accounts used by the group behind Emotet showed $10.5m being moved over a two-year period on just one Virtual Currency platform,” said Britain’s National Crime Agency, which added: “NCA investigators were able to identify that almost $500,000 had been spent by the group over the same period to maintain its criminal infrastructure.”

Source: Command ‘n’ control botnet of notorious Emotet Windows ransomware shut down in multinational police raid

Jan 19 2021

FreakOut botnet target 3 recent flaws to compromise Linux devices

Category: BotnetDISC @ 10:26 am

The botnet appeared in the threat landscape in November 2020, in some cases the attacks leveraged recently disclosed vulnerabilities to inject OS commands. The attacks aimed at compromising the tarted systems to create an IRC botnet, which can later be used to conduct several malicious activities, including DDoS attacks and crypto-mining campaign.

The attacks observed by Check Point aimed at devices that run one of the following products:

  • TerraMaster TOS(TerraMaster Operating System) – the operating system used for managing TerraMaster NAS (Network Attached Storage) servers
  • Zend Framework –  a collection of packages used in building web application and services using PHP, with more than 570 million installations
  • Liferay Portal – a free, open-source enterprise portal. It is a web application platform written in Java that offers features relevant for the development of portals and websites

Once infected a device, it will be later used as an attacking platform.

Oct 26 2020

Botnet Infects Hundreds of Thousands of Websites

Category: BotnetDISC @ 9:02 pm

KashmirBlack has been targeting popular content management systems, such as WordPress, Joomla, and Drupal, and using Dropbox and GitHub for communication to hide its presence.

The botnet, dubbed KashmirBlack, uses a modular infrastructure that includes features such as load balancing communications with command-and-control servers and storing files on cloud storage services, such as Dropbox and GitHub, to speed access to any new code updates for the systems infected with the software. The KashmirBlack botnet mainly infects popular CMS platforms, exploiting dozens of known vulnerabilities on targeted servers and performing millions of attacks per day on average, according to a pair of reports published by Imperva researchers today.

Source: Botnet Infects Hundreds of Thousands of Websites

CyberHub Podcast – Practitioner Brief 10-26-20 Emotet upgrades, Kashmirblack & ransomware surge

Oct 12 2020

Microsoft and others orchestrate takedown of TrickBot botnet

Category: BotnetDISC @ 9:41 pm

FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT, Symantec, and the Microsoft Defender team participated in the takedown.

Source: Microsoft and others orchestrate takedown of TrickBot botnet | ZDNet

Microsoft takes action against Trickbot ransomware attacks

Tags: botnet, TrickBot

Mar 01 2019

What is a botnet? And why they aren’t going away anytime soon

Category: BotnetDISC @ 11:23 am

A botnet is a collection of any type of internet-connected device that an attacker has compromised. Commonly used in distributed denial of service (DDoS) attacks, botnets can also take advantage of their collective computing power to send large volumes of spam, steal credentials at scale, or spy on people and organizations.

Source: What is a botnet? And why they aren’t going away anytime soon

Enter your email address:

Delivered by FeedBurner