Researchers have discovered a new botnet that has breached at least 500 government and enterprise SSH servers during 2020.
FritzFrog, a peer-to-peer (P2P) botnet, was detected by the cybersecurity firm Guardicore in January this year.
According to researcher Ophir Harpaz, the FritzFrog botnet has spent the last eight months brute-forcing SSH servers belonging to government, education, financial, medical and telecom organisations worldwide.
The malware was reportedly discovered while Harpaz was working on the Botnet Encyclopedia, a free security threat tracker.
It is estimated that a minimum of 500 servers have been breached, including those connected to prominent US and European universities and also an unnamed railway company.
FritzFrog is a decentralized botnet: it uses a P2P protocol to spread control across all of its nodes, so there is no single controller to take down and no single point of failure.
After brute-forcing an SSH server, the malware deploys onto the compromised host, where it assembles and executes entirely in memory; it is fileless and leaves nothing on disk. Each infected machine then becomes a bot capable of receiving and executing commands.
The FritzFrog malware is written in Golang, and more than 20 variants have been seen in the wild. Once executed, it unpacks its payload under the process names ifconfig and nginx, then listens for commands on port 1234.
Because traffic straight to that port would be easy to spot, the attacker does not connect to it directly; instead it logs in to the victim over SSH and runs a netcat client on the machine, which relays the commands to the local listener.
The first command joins the victim to the existing database of network peers and slave nodes. Further commands, which are AES encrypted, include adding a public ssh-rsa key to the authorized_keys file as a backdoor, running shell commands to monitor the victim's resources and CPU usage, and network monitoring.
The malware portion of FritzFrog is also able to propagate over the SSH protocol.
The main aim of FritzFrog is cryptocurrency mining: it deploys XMRig, a Monero miner, which connects to the public pool web.xmrpool.eu on port 5555.
If other processes on the server are hogging CPU, the malware may kill them so that the miner gets as much power as possible.
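The behaviour described above gives a responder four host-level indicators to check: an ssh-rsa key in authorized_keys that the administrator did not add, a process named ifconfig or nginx whose executable no longer exists on disk, something listening on TCP 1234, and an outbound session to the mining pool on port 5555. The script below is an added example of those checks written for this article, not Guardicore's tooling; it runs against constructed, in-memory samples of the data a responder would normally pull from the host (authorized_keys, `ss -ntp`/`ss -lntp` output, and the readlink target of each `/proc/<pid>/exe`). The sample keys, addresses and PIDs are invented for the example.

```python
import re

# Indicators taken from the write-up.
SUSPECT_PROCESS_NAMES = {"ifconfig", "nginx"}
C2_LISTEN_PORT = 1234   # FritzFrog command listener
POOL_PORT = 5555        # XMRig -> web.xmrpool.eu


def unknown_authorized_keys(authorized_keys_text, allowlist):
    """Return (type, key) pairs from authorized_keys that are not on the admin's allowlist."""
    known = {tuple(k.split()[:2]) for k in allowlist}
    found = []
    for line in authorized_keys_text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        # An entry may carry leading options (command="...", from="..."),
        # so the key type is the first field that looks like one.
        for i, f in enumerate(fields):
            if f.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(fields):
                key = (f, fields[i + 1])
                if key not in known:
                    found.append(key)
                break
    return found


# One `ss -ntp` style row: State Recv-Q Send-Q Local Peer users:(("name",pid=N,fd=M))
_SS_LINE = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+))?'
)


def _port(addr):
    """Port from 0.0.0.0:1234, [::]:1234 or *:1234; None for a wildcard like 0.0.0.0:*."""
    p = addr.rsplit(":", 1)[-1]
    return int(p) if p.isdigit() else None


def c2_listeners(ss_text):
    """(pid, process) for every socket listening on the FritzFrog command port."""
    hits = []
    for line in ss_text.splitlines():
        m = _SS_LINE.match(line)
        if m and m.group("state") == "LISTEN" and _port(m.group("local")) == C2_LISTEN_PORT:
            hits.append((int(m.group("pid") or 0), m.group("proc") or "?"))
    return hits


def miner_connections(ss_text):
    """(peer, process) for established sessions to the pool port. `ss -n` shows
    IPs, not names, so the check keys on the port rather than on web.xmrpool.eu."""
    hits = []
    for line in ss_text.splitlines():
        m = _SS_LINE.match(line)
        if m and m.group("state") == "ESTAB" and _port(m.group("peer")) == POOL_PORT:
            hits.append((m.group("peer"), m.group("proc") or "?"))
    return hits


def fileless_suspects(proc_table):
    """Processes using the malware's borrowed names whose backing file is gone.
    proc_table rows are (pid, comm, readlink('/proc/<pid>/exe')). A memory-only
    payload shows up as '(deleted)' or memfd-backed; real binaries resolve to a path."""
    return [
        (pid, comm, exe)
        for pid, comm, exe in proc_table
        if comm in SUSPECT_PROCESS_NAMES
        and (exe.endswith("(deleted)") or exe.startswith("/memfd:"))
    ]


def triage(authorized_keys_text, allowlist, ss_text, proc_table):
    """All four checks in one report."""
    return {
        "backdoor_keys": unknown_authorized_keys(authorized_keys_text, allowlist),
        "c2_listeners": c2_listeners(ss_text),
        "miner_connections": miner_connections(ss_text),
        "fileless_suspects": fileless_suspects(proc_table),
    }


# Constructed sample data for the example (not from a real host).
SAMPLE_AUTHORIZED_KEYS = """\
# admin workstation
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleAdminKey00000000000000000000000 admin@ws
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexamplebackdoorkey00000000000000000 fritz@frog
"""
ALLOWLIST = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleAdminKey00000000000000000000000 admin@ws"]
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 0.0.0.0:1234 0.0.0.0:* users:(("nginx",pid=1337,fd=5))
ESTAB 0 0 10.0.0.5:43210 203.0.113.10:5555 users:(("ifconfig",pid=1339,fd=7))
ESTAB 0 0 10.0.0.5:22 198.51.100.7:51022 users:(("sshd",pid=2001,fd=4))
"""
SAMPLE_PROCS = [
    (812, "sshd", "/usr/sbin/sshd"),
    (1337, "nginx", "/memfd:nginx (deleted)"),
    (1339, "ifconfig", "/tmp/.x (deleted)"),
    (1400, "ifconfig", "/usr/sbin/ifconfig"),   # the real tool, not flagged
]

if __name__ == "__main__":
    for name, hits in triage(SAMPLE_AUTHORIZED_KEYS, ALLOWLIST, SAMPLE_SS, SAMPLE_PROCS).items():
        print(f"{name}: {hits}")
```

On a live host the inputs come from `cat ~/.ssh/authorized_keys` for each account, `ss -ntp` / `ss -lntp`, and `ls -l /proc/*/exe`; a hit in any of the four lists is grounds to pull memory before touching the box, since the payload exists nowhere else.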
FritzFrog also exchanges files between nodes by splitting content into binary data blobs, keeping them in memory, and tracking them in a map keyed by each blob's hash.
The P2P protocol the botnet uses for communication is "proprietary" and "not based on any existing implementation" such as μTP.
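The blob scheme described above is content-addressed storage: a file becomes an ordered list of blob hashes, each blob lives only in memory, and a peer that already holds a blob with that hash never has to fetch it again. The snippet below is an added illustration of that scheme written for this article, not FritzFrog's own code; the blob size, the choice of SHA-256 and the `sync` transfer helper are assumptions made for the example.

```python
import hashlib

BLOB_SIZE = 4096  # assumed chunk size for the example


class BlobStore:
    """In-memory map of sha256(blob) -> blob, as the write-up describes."""

    def __init__(self):
        self.blobs = {}

    def put(self, data):
        """Split data into blobs, store each by hash, return the ordered hash list
        (the 'manifest' a peer needs in order to rebuild the file)."""
        manifest = []
        for i in range(0, len(data), BLOB_SIZE):
            blob = data[i:i + BLOB_SIZE]
            h = hashlib.sha256(blob).hexdigest()
            self.blobs[h] = blob          # identical blobs collapse to one entry
            manifest.append(h)
        return manifest

    def missing(self, manifest):
        """Unique hashes from the manifest this node does not yet hold, in order."""
        return list(dict.fromkeys(h for h in manifest if h not in self.blobs))

    def get(self, manifest):
        """Reassemble the file; a blob that fails its hash check is rejected."""
        out = bytearray()
        for h in manifest:
            blob = self.blobs[h]           # KeyError if a peer never sent it
            if hashlib.sha256(blob).hexdigest() != h:
                raise ValueError("blob does not match its hash: " + h)
            out += blob
        return bytes(out)


def sync(src, dst, manifest):
    """Copy only the blobs dst lacks from src; returns how many were transferred."""
    need = dst.missing(manifest)
    for h in need:
        dst.blobs[h] = src.blobs[h]
    return len(need)


if __name__ == "__main__":
    # Constructed payload: 10240 bytes of a repeating 0..255 pattern, so the
    # first two 4096-byte blobs are identical and dedupe to one stored entry.
    payload = bytes(range(256)) * 40
    a, b = BlobStore(), BlobStore()
    manifest = a.put(payload)
    print(len(manifest), "blobs in manifest,", len(a.blobs), "stored")
    print("transferred", sync(a, b, manifest), "blobs; rebuilt ok:", b.get(manifest) == payload)
```

The hash check in `get` is what makes the map safe to fill from untrusted peers: a node only has to trust the manifest, not the bytes any individual peer hands it.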