On Thursday, cybersecurity firm Nisos published new research revealing the inner workings of the unusual botnet.  Fronton first hit the headlines back in 2020 when ZDNet reported that a hacktivist group claimed to have broken into a contractor for the FSB, Russia’s intelligence service, and published technical documents appearing to show the construction of the IoT botnet on the intelligence service’s behalf. At the time, it was thought that the botnet was destined to perform distributed denial-of-service (DDoS) attacks on a vast scale. However, after analyzing further documents related to Fronton, Nisos believes that DDoS attacks are only one of many capabilities.  Instead, Nisos says Fronton is “a system developed for coordinated inauthentic behavior,” and the implementation of particular software, dubbed SANA, shows that the botnet’s true purpose could be for misinformation and the spread of propaganda rapidly and automatic fashion.  SANA consists of a web-based dashboard and a variety of functions, including:

Newsbreaks: tracks messages, trends, and their responses Groups: bot management Behavior Models: functions for creating bots able to impersonate human social media users  Response Models: how to react to messages & content including breaking news Dictionaries: stores phrases, words, quotes, and comments for use across social media, including positive, negative, and neutral reactions Albums: stores image sets for platform bot accounts.

SANA also permits users to create social media accounts with generated email and phone numbers and to spread content across social networks, blogs, forums, and more. In addition, users can set schedules for posts/reactions, and configuration includes how many likes, comments, and reactions a bot should create.  According to the researchers, Fronton operators can also specify how many ‘friends’ a fake bot account should maintain.  “The configurator also allows the operator to specify a minimum frequency of actions, and a minimum interval between actions,” the researchers say. “It also appears that there is a machine learning (ML) system involved that can be turned on or off based on behavior observed on social media.” As of April 2022, the web portal has moved to a different domain but is active.  Previous and related coverage

Researchers warn of APTs, data leaks as serious threats against UK financial sector Microsoft warns: This botnet has new tricks to target Linux and Windows systems Google: Here comes our ‘Open Source Maintenance Crew’

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0