A fresh look at the Fronton DDoS-focused botnet reveals the criminal tool has more capabilities than previously known.
The Fronton botnet first made headlines in March 2020. That is when, according to news reports, a hacktivist group called Digital Revolution said it obtained documents claiming to be from 0day Technologies, allegedly a contractor for Russia’s Federal Security Service.
Now the cybersecurity firm Nisos reports that the Fronton malware goes beyond delivering DDoS attacks and can be used to create massive numbers of social media accounts, which can then be used to shape opinion through social media manipulation.
After further analysis of the documents related to Fronton, Nisos researchers assert that DDoS “is only one of the many capabilities of the system… Nisos analyzed the data and determined that Fronton is a system developed for coordinated inauthentic behavior on a massive scale,” Nisos added.
How Fronton Works
Fronton, researchers say, doubles as backend infrastructure for social media disinformation. The malware uses an army of compromised IoT devices to carry out both DDoS attacks and disinformation campaigns.
“This system includes a web-based dashboard known as SANA that enables a user to formulate and deploy trending social media events en masse. The system creates these events that it refers to as Инфоповоды, ‘newsbreaks,’ utilizing the botnet as a geographically distributed transport,” according to researchers.
SANA allows users to create fake social media accounts with generated email addresses and phone numbers. These fake accounts are used to spread content across social networks, blogs and forums, researchers said.
“SANA creates social media persona accounts, including provisioning of an email and phone number,” Nisos explained.
Additionally, researchers note that the platform allows users to control the number of likes, comments, and reactions, and provides the “facilities for creating these newsbreaks on a schedule or a reactive basis.” It also tracks the messages, trends, and their responses.
A response model specifies the actions to perform after a newsbreak is executed. The response model allows the group of bots to react to a particular piece of news in a certain fashion (positive, negative, or neutral), according to the report.
“The response model allows an operator to specify weekly frequency of likes, comments, and reposts. It also allows for the selection of comments from the dictionary lists in order to direct the response patterns of the virtual social group,” Nisos added in a report.
The operators can also specify a minimum frequency of actions and a minimum interval between actions. The researchers also found the platform has “a machine learning (ML) system involved that can be turned on or off based on behavior observed on social media.”
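The response model described above (comments drawn from dictionary lists, plus a configured minimum interval between actions) leaves a pattern defenders can look for in platform activity data. The following Python sketch is an added example, not code from Nisos or from the Fronton documents; the event format, account names, thresholds and the heuristic itself are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample events: (account, unix_seconds, action, comment_text)
EVENTS = [
    ("bot_a", 0, "like", ""), ("bot_a", 600, "comment", "Great news!"),
    ("bot_a", 1300, "repost", ""), ("bot_a", 1900, "comment", "Totally agree"),
    ("bot_b", 50, "comment", "Totally agree"), ("bot_b", 650, "like", ""),
    ("bot_b", 1400, "comment", "great news!"),
    ("bot_c", 100, "comment", "Great news!"), ("bot_c", 700, "repost", ""),
    ("bot_c", 1500, "comment", "Totally agree"),
    ("user_x", 10, "comment", "Source for this?"), ("user_x", 45, "like", ""),
    ("user_y", 300, "comment", "Great news!"), ("user_y", 4000, "like", ""),
]

def reused_phrases(events, min_accounts=3):
    """Comment texts posted verbatim (case-insensitive) by >= min_accounts accounts."""
    users = defaultdict(set)
    for acct, _, action, text in events:
        if action == "comment":
            users[text.strip().lower()].add(acct)
    return {p for p, accts in users.items() if len(accts) >= min_accounts}

def min_gaps(events):
    """Smallest gap in seconds between consecutive actions, per account."""
    times = defaultdict(list)
    for acct, ts, _, _ in events:
        times[acct].append(ts)
    gaps = {}
    for acct, ts in times.items():
        ts.sort()
        if len(ts) > 1:
            gaps[acct] = min(b - a for a, b in zip(ts, ts[1:]))
    return gaps

def flag_coordinated(events, min_accounts=3, bucket=60):
    """Accounts that post only reused phrases AND share a min-gap bucket with peers."""
    phrases = reused_phrases(events, min_accounts)
    comments = defaultdict(list)
    for acct, _, action, text in events:
        if action == "comment":
            comments[acct].append(text.strip().lower())
    by_bucket = defaultdict(set)
    for acct, gap in min_gaps(events).items():
        if comments[acct] and all(c in phrases for c in comments[acct]):
            by_bucket[gap // bucket].add(acct)  # same floor suggests one shared setting
    return sorted(a for grp in by_bucket.values() if len(grp) >= min_accounts for a in grp)
```

Requiring both signals keeps an organic account that happens to repeat a common phrase (user_y in the sample) out of the flagged set; the result is a lead for analyst review, not proof of automation.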
The researchers added that Fronton operators can control the number of friends a fake bot should maintain, and that the platform integrates a feature to store imagery for the bot.
It is not clear whether the tool has been used in real-world attacks. As of April 2022, the web portal was active and had moved to a different domain.
“As of April 2022, 0day technologies has changed its domain from 0day[.]ru to 0day[.]llc,” Nisos noted.
Nisos released a complete research report for further analysis.