A P2P botnet newly-discovered by researchers has struck at least 500 government and enterprise SSH servers over 2020.
On Wednesday, cybersecurity firm Guardicore published research into FritzFrog, a peer-to-peer (P2P) botnet that has been detected by the company's sensors since January this year.
According to researcher Ophir Harpaz, FritzFrog has attempted to brute-force SSH servers belonging to government, education, financial, medical, and telecom players worldwide over the last eight months.
The malware was discovered while Harpaz worked on the Botnet Encyclopedia, a free security threat tracker, as reported by sister site TechRepublic.
A minimum of 500 servers have been breached, including those connected to prominent US and European universities, as well as an unnamed railway company.
FritzFrog is a decentralized botnet that uses P2P protocols to distribute control over all of its nodes, thereby avoiding having one controller or point-of-failure.
After brute-forcing an SSH server, the malware deployed on infected systems is fileless and both assembles and executes only in memory -- likely in an effort to avoid detection and leave little trace of its presence. According to the team, each infected machine then becomes a bot capable of receiving and executing commands.
The FritzFrog malware is written in Golang and over 20 variants have been detected in the wild. Once executed, FritzFrog unpacks malware under the names ifconfig and nginx and sets up shop to listen for commands sent across port 1234.
However, these commands are usually easy to spot, and so attackers connect to the victim over SSH and run a netcat client instead.
The first command joins the victim machine to the existing database of network peers and slave nodes. Other commands, all of which are AES encrypted, includes adding a public SSH-RSA key to the authorized_keys file to establish a backdoor, running shell commands to monitor a victim PC's resources and CPU usage, and network monitoring.
The malware portion of FritzFrog is also able to propagate over the SSH protocol.
FritzFrog's primary goal is to mine for cryptocurrency. XMRig, a Monero miner, is deployed and connected to the public pool web.xmrpool.eu over port 5555.
If processes on the server are hogging CPU resources, the malware may kill them to give the miner as much power as possible.
FritzFrog will also exchange and share files by splitting content into binary data blobs, keeping them in memory, and storing this data with a map linking each blob's hash value.
The P2P protocol used for communication by the botnet is "proprietary," Guardicore notes, and is "not based on any existing implementation," such as μTP.
This may suggest that "the attackers are highly professional software developers," the team says. While there are no concrete clues for attribution, some similarities have been found between FritzFrog and Rakos, a botnet discovered in 2016.
Previous and related coverage
- Prometei botnet exploits Windows SMB to mine for cryptocurrency
- Dark_nexus botnet outstrips other malware with new, potent features
- This botnet has surged back into action spreading a new ransomware campaign via phishing emails
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0