A fresh look at the Fronton DDoS-focused botnet shows the criminal tool has more capabilities than previously believed.
The Fronton botnet first made headlines in March 2020. That is when, according to news reports, a hacktivist group called Digital Revolution said it had obtained documents purporting to be from 0day Technologies, allegedly a contractor for Russia’s Federal Security Service.
Social Media Accounts
Now the cybersecurity firm Nisos is reporting that the Fronton malware goes beyond delivering DDoS attacks and can be used to create large numbers of social media accounts, which can then be used to shape opinion through social media manipulation.
After further analysis of the documents related to Fronton, the Nisos researchers assert that DDoS “is only one of the many capabilities of the system… Nisos analysed the data & determined that Fronton is a system developed for co-ordinated inauthentic behaviour on a massive scale,” Nisos added.
How Fronton Works
Fronton, researchers say, doubles as backend infrastructure for social media disinformation. The malware uses an army of compromised IoT devices to conduct both DDoS attacks and disinformation campaigns.
“This system includes a web-based dashboard known as SANA that enables a user to formulate & deploy trending social media events en masse. The system creates these events that it refers to as Инфоповоды, ‘newsbreaks,’ utilizing the botnet as a geographically distributed transport,” according to researchers.
Social Networks
SANA allows users to create fake social media accounts with generated email and phone numbers. These fake accounts are used to spread content across social networks, blogs and forums, researchers stated.
“SANA creates social media persona accounts, including provisioning of an email & phone number,” Nisos explained.
Additionally, researchers note that the platform allows users to control the number of likes, comments, and reactions. It also provides the “facilities for creating these newsbreaks on a schedule or a reactive basis,” and tracks messages, trends, and the responses to them.
Response Patterns
A response model specifies the actions to perform after a newsbreak is executed. The response model allows the group of bots to react to a particular piece of news in a certain fashion (positive, negative, or neutral), according to the report.
“The response model allows an operator to specify weekly frequency of likes, comments, & reposts. It also allows for the selection of comments from the dictionary lists in order to direct the response patterns of the virtual social group,” Nisos added in a report.
The operators can also specify a minimum frequency of actions and a minimum interval between actions. The researcher also found the platform has “a machine learning (ML) system involved that can be turned on or off based on behaviour observed on social media.”
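From the defender's side, the two response-model traits described above (comments drawn from shared dictionary lists, and an enforced minimum interval between actions) suggest a simple triage heuristic for a platform trust-and-safety team. The following is an added example, not code from Nisos or from the Fronton documents; the event format, account names and thresholds are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample events: (account, unix_time, action, comment_text_or_None).
# acct_a/b/c imitate a scripted group; user_x imitates an organic user.
SCRIPT = [("like", None), ("comment", "Great news!"),
          ("repost", None), ("comment", "Totally agree")]
EVENTS = [(acct, start + i * 900, action, text)
          for acct, start in (("acct_a", 0), ("acct_b", 130), ("acct_c", 410))
          for i, (action, text) in enumerate(SCRIPT)]
EVENTS += [("user_x", 50, "comment", "Great news!"), ("user_x", 70, "like", None),
           ("user_x", 95, "comment", "Source?"),
           ("user_x", 4000, "comment", "Not convinced by this")]


def flag_accounts(events, min_shared_accounts=3, shared_ratio=0.8,
                  gap_floor=600, min_actions=4):
    """Return accounts that show both signals (thresholds are assumed values):
    1. most of their comments are phrases posted verbatim by several accounts
       (consistent with selection from a shared dictionary list), and
    2. no two of their actions are closer together than gap_floor seconds
       (consistent with an enforced minimum interval between actions)."""
    phrase_users = defaultdict(set)   # normalised phrase -> accounts that posted it
    per_account = defaultdict(list)   # account -> its events
    for acct, ts, action, text in events:
        per_account[acct].append((ts, action, text))
        if action == "comment" and text:
            phrase_users[text.strip().lower()].add(acct)

    flagged = []
    for acct, rows in per_account.items():
        if len(rows) < max(min_actions, 2):
            continue                  # too little activity to judge
        rows.sort(key=lambda r: r[0])
        gaps = [b[0] - a[0] for a, b in zip(rows, rows[1:])]
        comments = [t.strip().lower() for _, a, t in rows if a == "comment" and t]
        if not comments:
            continue
        shared = sum(len(phrase_users[c]) >= min_shared_accounts for c in comments)
        if shared / len(comments) >= shared_ratio and min(gaps) >= gap_floor:
            flagged.append(acct)
    return sorted(flagged)


if __name__ == "__main__":
    print(flag_accounts(EVENTS))
```

Either signal alone produces false positives (popular stock phrases, infrequent posters), so the output is a review queue rather than a verdict.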
Fake Bot
The researcher also added that Fronton operators have the capability to control the number of friends a fake bot should maintain, and can integrate with a feature to store imagery for the bot.
Whether the tool has been used in real-world attacks is unclear. As of April 2022, the web portal is active and has moved to a different domain.
“As of April 2022, 0day technologies has changed its domain from 0day[.]ru to 0day[.]llc,” Nisos noted.
Nisos released a complete research report for further analysis.