Around 500 government and business SSH servers have been targeted by the newly discovered FritzFrog P2P botnet since the beginning of 2020.
The cybersecurity firm Guardicore has recently published a research report on a new peer-to-peer (P2P) botnet, named FritzFrog, that has been observed since January this year by the company’s sensors.
FritzFrog has tried to brute-force SSH servers belonging to government, financial, medical, education and telecom organizations around the globe over the last eight months, according to the company's researchers. The malware was found while the team was working on its free security threat tracker, Botnet Encyclopedia.
According to the report, at least 500 servers, including those linked to major U.S. and European universities and unnamed rail operators, have been hacked.
According to the information released so far, FritzFrog is a decentralized botnet that uses P2P protocols to distribute control across all of its nodes, so there is no single controller and no single point of failure.
As soon as an SSH server is brute-forced, a fileless payload is deployed on the infected system and runs only in memory, presumably to evade detection and to leave no trace of its presence on disk. Guardicore's researchers say that every infected machine then becomes a bot able to receive and execute commands.
Once executed, FritzFrog deploys malicious files named “ifconfig” and “nginx” and sets up a listener for commands on port 1234. Because connections to that port are easy to spot, the attackers usually log in to the victim over SSH and run a netcat client there instead. The FritzFrog malware has been seen in the wild in more than 20 variants and is written in Golang.
The first command connects the infected machine to the existing network of peers and slave nodes. The remaining commands, all AES-encrypted, add a public SSH-RSA key to the “authorized_keys” file as a backdoor, run shell commands to control the compromised machine's resources and CPU usage, and monitor the network.
The main objective of FritzFrog is cryptocurrency mining. Soon after a machine is compromised, a Monero miner, XMRig, is dropped onto it and connected to the public pool web.xmrpool.eu over port 5555. When other processes on the system start consuming CPU, the malware disables them so the miner gets the full capacity.
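The indicators in the paragraphs above (a listener on TCP 1234, outbound traffic to the pool on TCP 5555, in-memory processes named “ifconfig” or “nginx”, and an unexpected key in authorized_keys) can be checked on a Linux host from /proc and the key file. The script below is an added example written for this article, not code from Guardicore's report; the sample /proc/net/tcp rows, process list and key lines are constructed, and treating an exe link ending in "(deleted)" as a sign of a fileless process is an assumption.

```python
# Indicators taken from the article: a listener on TCP 1234, XMRig traffic to the
# pool on TCP 5555, and a fileless payload running under the names "ifconfig"/"nginx".
LISTEN_PORT = 1234
POOL_PORT = 5555
SUSPECT_NAMES = {"ifconfig", "nginx"}
LISTEN, ESTABLISHED = "0A", "01"   # socket states as encoded in /proc/net/tcp

def parse_proc_net_tcp(text):
    """Yield (local_port, remote_port, state) from /proc/net/tcp text; ports are hex."""
    for line in text.splitlines()[1:]:          # skip the column header
        parts = line.split()
        if len(parts) < 4:
            continue
        lport = int(parts[1].rsplit(":", 1)[1], 16)
        rport = int(parts[2].rsplit(":", 1)[1], 16)
        yield lport, rport, parts[3]

def find_indicators(proc_net_tcp, processes):
    """processes: (comm, exe_target) pairs as read from /proc/<pid>/comm and /proc/<pid>/exe."""
    findings = []
    for lport, rport, state in parse_proc_net_tcp(proc_net_tcp):
        if state == LISTEN and lport == LISTEN_PORT:
            findings.append(f"listener on tcp/{LISTEN_PORT}")
        if state == ESTABLISHED and rport == POOL_PORT:
            findings.append(f"outbound connection to tcp/{POOL_PORT}")
    for comm, exe in processes:
        # Assumption: a binary run from memory and then unlinked shows an exe link ending "(deleted)".
        if comm in SUSPECT_NAMES and exe.endswith("(deleted)"):
            findings.append(f"in-memory process named {comm!r}")
    return findings

def unexpected_keys(authorized_keys, known_blobs):
    """Return authorized_keys lines whose key blob is not in the known baseline."""
    extra = []
    for line in authorized_keys.splitlines():
        parts = line.split()
        if len(parts) >= 2 and not line.startswith("#") and parts[1] not in known_blobs:
            extra.append(line)
    return extra

# Constructed sample data (not captured from a real host): port 0x04D2 = 1234 listening,
# a connection to 10.0.0.5:0x15B3 (5555, little-endian address), and a deleted "nginx" binary.
SAMPLE_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1
   1: 00000000:04D2 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2
   2: 0100007F:A3F4 0500000A:15B3 01 00000000:00000000 00:00000000 00000000     0        0 3
"""
SAMPLE_PROCS = [("sshd", "/usr/sbin/sshd"), ("nginx", "/tmp/nginx (deleted)"), ("ifconfig", "/sbin/ifconfig")]
SAMPLE_KEYS = "ssh-rsa AAAAexampleKnownBlob== admin@host\nssh-rsa AAAAexampleUnknownBlob==\n"
```

On a live host, feed the script the contents of /proc/net/tcp, the comm/exe pairs of every PID under /proc, and each user's authorized_keys together with a baseline of known key blobs.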
FritzFrog can also share and transfer information by splitting files into binary blocks, storing those blocks in memory together with a map that links each block to its value.
Researchers say the P2P protocol the botnet uses for communication is “proprietary” and not based on any existing implementation, which leads them to believe that the actors behind FritzFrog are highly skilled malware developers.