A new variant of the FritzFrog botnet has gained the ability to exploit the Log4Shell vulnerability (CVE-2021-44228) and is using it against Java applications, in a campaign researchers have dubbed Frog4Shell, reports The Record, a news site by cybersecurity firm Recorded Future.
FritzFrog originally relied on SSH brute-force attacks to compromise servers and deploy cryptominers. According to the Akamai report, the updated malware now also reads system files on compromised hosts to identify further targets, extending each intrusion beyond the initial foothold; Akamai counts more than 20,000 intrusions affecting over 1,500 organizations. The operators have additionally equipped the malware with tooling for evading security defenses and with new privilege escalation capabilities.
"We believe that this trend will continue in upcoming FritzFrog versions, and it's likely only a matter of time before additional exploits are added to the malware," said researchers.
Blind Eagle's attacks begin with phishing emails that spoof Colombia's tax authority and lure recipients into clicking embedded links. The links redirect to a ZIP archive hosted in a Google Drive folder, which leads to execution of the BlotchyQuasar malware.
Attackers used a malicious DLL loaded by the Microsoft Word application (DLL sideloading) together with UltraVNC, an open-source remote desktop and remote administration tool, to retrieve a launcher that then injected the CXCLNT malware and the CLTEND remote access tool.
Intrusions exploiting the vulnerability have delivered not only the GOREVERSE reverse proxy but also the Condi malware, the Mirai botnet variant Jenx, and four cryptocurrency mining payloads.