A new peer-to-peer (P2P) botnet was found targeting SSH servers located in IoT devices and routers that allow connections from remote devices. The botnet, known as FritzFrog, propagates like a computer worm by means of brute-forcing credentials.
Guardicore Labs security researchers analyzed the botnet and determined that it has successfully breached over 500 servers, and the number is still growing fast. FritzFrog is multi-threaded, modular, and fileless, leaving no trace on disk on the devices it infects. Because it assembles and runs its malicious payloads entirely in memory, infections are difficult to identify.
Whenever a machine is compromised, a backdoor is installed in the form of an SSH public key, which gives the attackers persistent access to the device. Further payloads, such as a cryptocurrency miner, may then be downloaded. As soon as a device is compromised, the self-replicating routine begins spreading the malware across the host. The device joins the P2P network, can receive and execute commands coming from that network, and is used to pass the malware on to other SSH servers. Since January 2020, the botnet has been targeting government, education, healthcare, and finance organizations.
Compared with other botnets, FritzFrog is more resilient because control of the botnet is decentralized across its nodes: there is no single command and control (C2) server and therefore no single point of failure. According to Guardicore Labs, FritzFrog is written in Golang and its P2P protocol is entirely proprietary, with practically every aspect of the botnet unique and not shared with any other known P2P botnet.
To evaluate how FritzFrog works and study its functionality, Guardicore Labs’ researchers wrote an interceptor in Golang that let them participate in the malware’s key-exchange process and both receive and send commands. The program, named frogger, helped them study the nature and extent of the network by ‘injecting’ their own nodes and contributing to the P2P traffic. Through frogger, the researchers confirmed that FritzFrog had already brute-forced millions of SSH IP addresses belonging to banks, medical centers, educational organizations, government agencies, and telecom firms.
The malware communicates over port 1234, though not directly. Because traffic to port 1234 is easy to spot, the malware instead relies on netcat, a general-purpose networking utility: a command sent over SSH is piped to netcat as its input and thereby relayed to the malware. FritzFrog also communicates over an encrypted channel and can carry out more than 30 commands, including creating a backdoor, connecting to other infected nodes and servers in the FritzFrog network, and checking resources such as CPU usage.
Though the botnet is currently being used to plant cryptocurrency mining malware (XMRig) on infected machines to mine Monero, it can easily be repurposed to deliver other types of malware and serve many other purposes. Security researcher Ophir Harpaz at Guardicore Labs does not believe cryptocurrency mining is the botnet’s main goal, given the relatively small amount of code specific to mining Monero. Harpaz is convinced the main goal is to gain access to organizations’ networks and either sell access to the breached servers or use it for other profitable attacks.
It is uncertain who built the botnet or where it originated. It has spread worldwide, but the geographic origin of the first attacks is unknown. FritzFrog is also under active development: researchers have identified more than 20 versions of the FritzFrog binary.
The botnet takes advantage of network security solutions that enforce traffic rules only by port and protocol, so process-based segmentation rules are needed. Networks with weak passwords are more susceptible to brute-force attacks, so it is essential to use strong passwords and to use public key authentication. The botnet locates IoT devices and routers with exposed SSH services, so organizations can protect themselves by changing their SSH port or disabling SSH access whenever the service is not in use. The researchers also stress that it is important to remove FritzFrog’s public key from the authorized_keys file to keep the attackers from regaining access to the device.
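As an added example of the authorized_keys clean-up step (this is not Guardicore’s detection script and not code from the report): a small Python audit that parses an authorized_keys file, flags every key whose OpenSSH-style SHA256 fingerprint is not on an administrator-maintained allow-list, and produces a cleaned copy with only the unapproved keys removed. The sample file and key blobs are constructed placeholders; they are not real key material and not FritzFrog’s key.

```python
import base64
import hashlib

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def key_fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 key blob (padding stripped)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text: str) -> list:
    """One dict per key line; blanks/comments skipped, leading option fields tolerated."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # malformed line: sshd ignores it as well
        blob = tokens[idx + 1]
        entries.append({"lineno": lineno, "keytype": tokens[idx], "blob": blob,
                        "comment": " ".join(tokens[idx + 2:]),
                        "fingerprint": key_fingerprint(blob)})
    return entries

def audit_authorized_keys(text: str, approved: set) -> tuple:
    """Return (flagged_entries, cleaned_text): keys whose fingerprint is not on
    the allow-list are flagged, and only those lines are dropped from the copy."""
    flagged = [e for e in parse_authorized_keys(text) if e["fingerprint"] not in approved]
    drop = {e["lineno"] for e in flagged}
    kept = [l for n, l in enumerate(text.splitlines(), 1) if n not in drop]
    return flagged, "\n".join(kept) + "\n"

# Constructed sample: the blobs are placeholders, not real key material and not
# FritzFrog's key. Only the admin key's fingerprint is on the allow-list.
ADMIN_BLOB = base64.b64encode(b"constructed-admin-key").decode()
UNKNOWN_BLOB = base64.b64encode(b"constructed-unknown-key").decode()
SAMPLE_AUTHORIZED_KEYS = (f"ssh-ed25519 {ADMIN_BLOB} admin@host\n"
                          "# entries below were not provisioned by the admins\n"
                          f"ssh-rsa {UNKNOWN_BLOB} unknown-key-placeholder\n")
APPROVED = {key_fingerprint(ADMIN_BLOB)}

if __name__ == "__main__":
    flagged, cleaned = audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED)
    for e in flagged:
        print(f"line {e['lineno']}: unapproved {e['keytype']} {e['fingerprint']} {e['comment']}")
    print(cleaned, end="")
```

On a real host, feed it the contents of each user's authorized_keys and an allow-list of fingerprints taken from your key inventory (compare with `ssh-keygen -lf`), and review the flagged lines before writing the cleaned copy back.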
Guardicore Labs has released a script on GitHub that can be run to detect FritzFrog infections, along with the known IoCs.