FritzFrog is a new sophisticated botnet that has been actively targeting SSH servers worldwide since January 2020.
The bot is written in Golang and implements wormable capabilities; experts reported attacks against entities in the government, education, and finance sectors.
FritzFrog is a modular, multi-threaded, fileless botnet that stands out for its proprietary P2P implementation, which was written from scratch.
According to the Guardicore Labs researchers, the malware already infected over 500 servers in the U.S. and Europe belonging to universities and a railway company.
“FritzFrog is a highly sophisticated peer-to-peer (P2P) botnet that has been actively breaching SSH servers worldwide. With its decentralized infrastructure, it distributes control among all its nodes. In this network with no single point-of-failure, peers constantly communicate with each other to keep the network alive, resilient and up-to-date.” reads the report published by Guardicore Lab.
“FritzFrog is completely proprietary; its P2P implementation was written from scratch, teaching us that the attackers are highly professional software developers.”
The botnet’s P2P communication is encrypted using AES for symmetric encryption and the Diffie-Hellman protocol for key exchange.
The bot is able to establish a backdoor on the infected systems in order to achieve continued access.
FritzFrog shares some similarities with Rakos, a Golang-based Linux bot that was observed targeting systems via brute-force attempts on SSH logins.
One of the most interesting features of FritzFrog is that it is completely fileless: it assembles and executes payloads directly in the memory of the infected system.
“To share and exchange files between nodes, Fritzfrog uses a stealthy, fileless approach. Files are split into blobs – bulks of binary data – which are kept in memory. The malware keeps track of the available blobs by storing them in a map together with each blob’s hash value.” continues the report.
“When a node A wishes to receive a file from its peer, node B, it can query node B which blobs it owns using the command getblobstats. Then, node A can get a specific blob by its hash, either by the P2P command getbin or over HTTP, with the URL http://:1234/. When node A has all the needed blobs – it assembles the file using a special module named Assemble and runs it.”
Experts pointed out that the botnet is more aggressive in its brute-force attempts.
Once the botnet has identified a new potential target, the malicious code attempts to gain access with brute-force attacks and then infects the compromised machine with malicious payloads.
To remain under the radar, the malware process runs under the names ifconfig and nginx; it then listens on port 1234 waiting for commands.
The commands themselves are transmitted to the malware through a series of steps designed to avoid detection.
Instead of sending commands directly over port 1234, the operator follows a specific procedure: the attacker first connects to the victim over SSH and runs a netcat client on the victim’s machine, which in turn connects to the malware’s server. Any command sent over SSH is then used as netcat’s input and redirected to the malware.
The malware runs a separate process, named “libexec,” that mines Monero coins, and it establishes backdoor access by adding a public key to the SSH “authorized_keys” file.
According to the experts, the botnet has been active since January 9; it has reached a cumulative total of 13,000 attacks that employed 20 different versions of the malware binary.
FritzFrog has been found to brute-force millions of IP addresses belonging to governmental organizations, medical centers, banks, and telecom companies.
Guardicore Labs researchers developed and released a detection script that could be used to determine if a server has been infected by FritzFrog.
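Guardicore's detection script is not reproduced here. As an added example (written for this edit, not code from Security Affairs or Guardicore), the following Python checks a Linux host for the two indicators the article describes: a process masquerading as ifconfig, nginx or libexec that either listens on TCP port 1234 or whose executable no longer exists on disk (the fileless pattern), and SSH public keys in authorized_keys that are not on a reviewed allowlist. The process names, the port and the key-fingerprint comparison are taken from the article; the allowlist mechanism, the sample authorized_keys lines and the /proc parsing are assumptions of this example.

```python
"""Added example: host checks for the FritzFrog indicators described in the article.
Not Guardicore's script; the /proc collector is Linux-only and the allowlist is an assumption."""
import base64
import hashlib
import os
import re
from dataclasses import dataclass, field

SUSPECT_NAMES = {"ifconfig", "nginx", "libexec"}   # process names from the article
SUSPECT_PORT = 1234                                # command port from the article


@dataclass
class ProcInfo:
    pid: int
    comm: str                                   # name as in /proc/<pid>/comm
    exe_exists: bool                            # False when /proc/<pid>/exe is "(deleted)"
    listen_ports: set = field(default_factory=set)  # TCP ports in LISTEN state


def suspicious_processes(procs):
    """PIDs whose name matches a FritzFrog alias AND which either listen on the
    command port or run from an executable that no longer exists on disk.
    A plain nginx serving port 80 from a real binary is not flagged."""
    hits = []
    for p in procs:
        if p.comm in SUSPECT_NAMES and (SUSPECT_PORT in p.listen_ports or not p.exe_exists):
            hits.append(p.pid)
    return hits


def _listening_ports_by_inode():
    """Map socket inode -> local port for LISTEN sockets (/proc/net/tcp, state 0A)."""
    ports = {}
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as fh:
                next(fh)                         # skip header line
                for line in fh:
                    f = line.split()
                    if f[3] == "0A":
                        ports[f[9]] = int(f[1].rsplit(":", 1)[1], 16)
        except OSError:
            continue
    return ports


def collect_processes():
    """Build ProcInfo records from /proc (needs read access to each /proc/<pid>)."""
    inode_ports = _listening_ports_by_inode()
    procs = []
    for pid in (d for d in os.listdir("/proc") if d.isdigit()):
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            exe_exists = os.path.exists(os.readlink(f"/proc/{pid}/exe"))
            ports = set()
            for fd in os.listdir(f"/proc/{pid}/fd"):
                m = re.match(r"socket:\[(\d+)\]", os.readlink(f"/proc/{pid}/fd/{fd}"))
                if m and m.group(1) in inode_ports:
                    ports.add(inode_ports[m.group(1)])
        except OSError:
            continue                             # process exited or permission denied
        procs.append(ProcInfo(int(pid), comm, exe_exists, ports))
    return procs


KEY_TYPES = re.compile(
    r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp\d+|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$")


def key_fingerprint(line):
    """SHA256 fingerprint (ssh-keygen -l style) of one authorized_keys line, or None if unparsable.
    Tokens are scanned so that a leading options field (command=..., from=...) is skipped."""
    fields = line.split()
    for i, tok in enumerate(fields):
        if KEY_TYPES.match(tok) and i + 1 < len(fields):
            try:
                raw = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:
                return None
            return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")
    return None


def unknown_authorized_keys(text, known_fingerprints):
    """authorized_keys lines whose fingerprint is not on the reviewed allowlist.
    Unparsable lines are returned too, since they deserve a look."""
    unknown = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fp = key_fingerprint(line)
        if fp is None or fp not in known_fingerprints:
            unknown.append(line)
    return unknown


# Constructed sample authorized_keys content (the base64 blobs are not real keys).
KNOWN_LINE = "ssh-ed25519 Y29uc3RydWN0ZWQta2V5LTE= admin@example"
UNKNOWN_LINE = "ssh-rsa Y29uc3RydWN0ZWQta2V5LTI= cron@unknown"
SAMPLE_AUTHORIZED_KEYS = "# constructed sample\n" + KNOWN_LINE + "\n" + UNKNOWN_LINE + "\n"

if __name__ == "__main__":
    print("suspicious pids:", suspicious_processes(collect_processes()))
    ak = os.path.expanduser("~/.ssh/authorized_keys")
    if os.path.exists(ak):
        with open(ak) as fh:
            # Empty allowlist: every key is listed for review until fingerprints are recorded.
            print("keys to review:", unknown_authorized_keys(fh.read(), set()))
```

Run it as the user whose authorized_keys you want to review (root to see every process's /proc/<pid>/exe). The allowlist is deliberately a set of fingerprints rather than raw key lines, so a key re-added with a different comment or options field still matches, while an appended unknown key does not.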
(SecurityAffairs – hacking, FritzFrog)