A new, sophisticated, and stealthy peer-to-peer (P2P) botnet named FritzFrog has been discovered which is being used to target SSH servers. The botnet was identified and analyzed by security researchers at Guardicore Labs, who report that it has been active since at least January 2020 and has been used in targeted attacks on government offices, medical centers, banks, telecoms companies, education institutions, and finance companies. Several well-known universities in the United States and Europe have been attacked, along with a railway company.
P2P botnets are not new, but most of FritzFrog is. The Guardicore researchers say the botnet uses a proprietary protocol and appears to have been written from scratch in Golang. It differs from other P2P botnets in that infections are entirely fileless, with the binary operating only in memory. While the botnet is unique, the researchers did identify a slight similarity to the Rakos P2P botnet, discovered in 2016.
Persistent access to infected devices is achieved by inserting a backdoor in the form of an SSH public key added to the authorized_keys file. All infected devices are in constant, encrypted communication with each other. Targets are distributed evenly across nodes, with no target handled by more than one node. The database of targets is held in memory across the many nodes of the botnet, and multiple threads allow various tasks to be performed simultaneously.
“Nodes in the FritzFrog network keep in close contact with each other. They constantly ping each other to verify connectivity, exchange peers and targets and keep each other synced. The nodes participate in a clever vote-casting process, which appears to affect the distribution of brute-force targets across the network,” explained the researchers.
FritzFrog spreads to other devices in a worm-like fashion, brute-forcing SSH credentials with an extensive password dictionary. Once a target is infected, the malware runs under the process names ifconfig and nginx and then immediately erases its own file from disk. It connects to the P2P network so that the victim machine is synced with the database of network peers and targets. The malware listens on port 1234 and supports more than 30 different commands. Because traffic on port 1234 is easy to detect, FritzFrog instead receives its commands as input through a netcat client.
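Two of the host-level indicators described above, a listener on port 1234 and a process named ifconfig or nginx whose on-disk binary has been deleted, can be checked from /proc on a Linux host. The following detection helper is an added example written for this page and is not code from the article or from Guardicore; the /proc/net/tcp lines and the process list it runs over are constructed sample data, and the indicator names, thresholds and helper functions are this example's own assumptions, not documented FritzFrog artefacts.

```python
"""Added example (not from the article): check a Linux host for two FritzFrog
indicators the article describes, using constructed /proc-style input."""
import os
from typing import Dict, Iterable, List

FRITZFROG_PORT = 1234             # port the article says the malware listens on
MASQUERADE_NAMES = {"ifconfig", "nginx"}  # process names the article reports
LISTEN_STATE = "0A"               # 'st' value for LISTEN in /proc/net/tcp


def listening_ports(proc_net_tcp: str) -> List[int]:
    """Parse /proc/net/tcp text and return every local port in LISTEN state.
    Column 1 is 'hexaddr:hexport', column 3 is the socket state."""
    ports = []
    for line in proc_net_tcp.splitlines()[1:]:      # first line is the header
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr, state = fields[1], fields[3]
        if state == LISTEN_STATE:
            ports.append(int(local_addr.rsplit(":", 1)[1], 16))
    return ports


def suspicious_processes(processes: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return processes whose name matches a masquerade name but whose exe link
    is missing or marked '(deleted)': a memory-resident binary whose file was
    removed after launch, which is the fileless behaviour the article describes.
    Each process is a dict with keys pid, comm and exe (readlink of /proc/PID/exe)."""
    hits = []
    for proc in processes:
        deleted = not proc["exe"] or proc["exe"].endswith("(deleted)")
        if proc["comm"] in MASQUERADE_NAMES and deleted:
            hits.append(proc)
    return hits


def fritzfrog_indicators(proc_net_tcp: str, processes: Iterable[Dict[str, str]]) -> Dict:
    """Combine both checks into one report for a host."""
    return {
        "port_1234_listener": FRITZFROG_PORT in listening_ports(proc_net_tcp),
        "deleted_binary_processes": suspicious_processes(processes),
    }


def collect_live_processes() -> List[Dict[str, str]]:
    """Read the real process table from /proc (Linux only); returns [] elsewhere."""
    result = []
    if not os.path.isdir("/proc"):
        return result
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:          # process exited, or not readable as this user
            continue
        result.append({"pid": pid, "comm": comm, "exe": exe})
    return result


# Constructed sample input: sshd on 22, something on 1234 (0x04D2), one
# established connection that must not count as a listener.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 00000000:04D2 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 22222 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0016 0100007F:C3A4 01 00000000:00000000 00:00000000 00000000     0        0 33333 1 0000000000000000 20 4 30 10 -1
"""

# Constructed sample process table: a legitimate nginx plus a deleted-binary "nginx".
SAMPLE_PROCESSES = [
    {"pid": "812",  "comm": "nginx", "exe": "/usr/sbin/nginx"},
    {"pid": "4471", "comm": "nginx", "exe": "/tmp/.x/nginx (deleted)"},
    {"pid": "4490", "comm": "bash",  "exe": "/usr/bin/bash"},
]

if __name__ == "__main__":
    print(fritzfrog_indicators(SAMPLE_PROC_NET_TCP, SAMPLE_PROCESSES))
    live = collect_live_processes()
    if live:
        with open("/proc/net/tcp") as fh:
            print(fritzfrog_indicators(fh.read(), live))
```

Run as a script it first reports on the constructed sample, then on the live host when /proc is available. A deleted-binary match is a strong signal on its own; a bare port 1234 listener is only a lead, since the article notes the botnet avoids relying on that port precisely because it is easy to spot.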
The malware monitors system state, including CPU usage and available RAM, and that information is shared with other nodes. FritzFrog can download a variety of payloads but is currently being used to load the XMRig Monero miner, which connects over port 5555.
While the botnet is being used to deploy a cryptocurrency miner, the researchers do not believe this is the primary purpose of the botnet, instead they think the main goal is achieving persistent access to networks, which is of much greater value than any cryptocurrency that can be mined.
“FritzFrog takes advantage of the fact that many network security solutions enforce traffic only by the port and protocol. To overcome this stealth technique, process-based segmentation rules can easily prevent such threats. Weak passwords are the immediate enabler of FritzFrog’s attacks. We recommend choosing strong passwords and using public key authentication, which is much safer,” conclude the researchers. They also stress that it is critical to remove the botnet’s key from the authorized_keys file to prevent further access.
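The researchers' final recommendation, removing the botnet's key from authorized_keys, is easiest to carry out reliably when every key in the file is compared against a known-good allowlist by fingerprint. The audit and cleanup below is an added example written for this page, not code from the article or from Guardicore; it assumes the usual OpenSSH authorized_keys line format (optional options, key type, base64 blob, optional comment) and OpenSSH's SHA256 fingerprint scheme, and the key material it checks is a constructed placeholder rather than any real FritzFrog key.

```python
"""Added example (not from the article): audit an authorized_keys file against
an allowlist of fingerprints and produce a cleaned copy with unknown keys removed."""
import base64
import hashlib
import re
from typing import Dict, List, Set

# Matches the key type and blob wherever they sit on the line, so lines that
# start with options such as command="..." or no-pty are handled too.
KEY_RE = re.compile(
    r"(?P<type>ssh-ed25519|ssh-rsa|ssh-dss|ecdsa-sha2-nistp(?:256|384|521)|"
    r"sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com)"
    r"\s+(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$"
)


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the decoded blob, base64, no padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_authorized_keys(text: str, allowlist: Set[str]) -> List[Dict[str, str]]:
    """Return one record per key line: type, fingerprint, comment, allowed flag."""
    report = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = KEY_RE.search(stripped)
        if not match:
            report.append({"line": lineno, "type": "unparsable", "fingerprint": "",
                           "comment": stripped, "allowed": False})
            continue
        fp = fingerprint(match.group("blob"))
        report.append({"line": lineno, "type": match.group("type"), "fingerprint": fp,
                       "comment": match.group("comment") or "", "allowed": fp in allowlist})
    return report


def remove_unknown_keys(text: str, allowlist: Set[str]) -> str:
    """Return authorized_keys content keeping only comments, blanks and allowlisted keys.
    Unparsable lines are dropped too, since a key you cannot identify is not one you want."""
    kept = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(line)
            continue
        match = KEY_RE.search(stripped)
        if match and fingerprint(match.group("blob")) in allowlist:
            kept.append(line)
    return "\n".join(kept) + "\n"


def _fake_ed25519_blob(seed: bytes) -> str:
    """Constructed placeholder blob in ssh-ed25519 wire layout (not a real key)."""
    key_type = b"ssh-ed25519"
    pub = hashlib.sha256(seed).digest()          # 32 arbitrary bytes stand in for the point
    wire = (len(key_type).to_bytes(4, "big") + key_type
            + len(pub).to_bytes(4, "big") + pub)
    return base64.b64encode(wire).decode()


# Constructed sample file: one key the admin issued, one that nobody recognises.
ALICE_BLOB = _fake_ed25519_blob(b"alice-placeholder")
INTRUDER_BLOB = _fake_ed25519_blob(b"unknown-placeholder")
SAMPLE_AUTHORIZED_KEYS = (
    "# keys managed by ops\n"
    f"ssh-ed25519 {ALICE_BLOB} alice@laptop\n"
    f"no-pty ssh-ed25519 {INTRUDER_BLOB}\n"
)
KNOWN_GOOD = {fingerprint(ALICE_BLOB)}   # in practice: output of ssh-keygen -lf per issued key

if __name__ == "__main__":
    for entry in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, KNOWN_GOOD):
        print(entry)
    print(remove_unknown_keys(SAMPLE_AUTHORIZED_KEYS, KNOWN_GOOD))
```

Review the audit output before writing the cleaned file back, and re-run it on every account on the host, not only root: the article does not say which user the key is added for, and a key in any account with shell access restores the attacker's foothold.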