Guardicore, an Israeli data center and cloud security provider, has discovered a unique, peer-to-peer (P2P) botnet that has breached secure shell servers (SSH) in the government, education and financial sectors since the beginning of 2020.
Part of what makes the malware--dubbed FritzFrog and written in the open source Go language--a one-off is that it is proprietary and written from scratch, it’s modular, multi-threaded and fileless and leaves no trail on infected machines, according to Guardicore, which has found 20 different versions of the malware executable.
To date, it has successfully infiltrated some 500 servers through brute force attacks and spread to “tens of millions” of IP addresses in government agencies, educational institutions, medical facilities, financial firms and telecoms, Ophir Harpaz, a Guardicore security researcher, said in a blog post.
FritzFrog Botnet: More Activity Details
So far, the FritzFrog botnet hasn’t been tied to a specific hacking group but it bears some “resemblance to a previously-seen P2P botnet named Rakos,” Harpaz said. “FritzFrog has a special combination of properties, which makes it unique in the threat landscape,” she said, referring to the worm as “new generation.” Here’s why:
- Fileless: FritzFrog operates with no working directory, and file transfers are done in-memory using blobs.
- Constantly updating: Databases of targets and breached machines are exchanged seamlessly.
- Aggressive: Brute-force is based on an extensive dictionary.
- Efficient: Targets are evenly distributed among nodes.
- Proprietary: The P2P protocol is completely proprietary, relying on no known P2P protocols.
Guardicore said it first noticed FritzFrog on January 9, when new attacks appeared executing malicious processes named ifconfig and nginx. The security specialist subsequently saw activity spike to some 13,000 attacks on its Global Sensors Network (GGSN). “What was intriguing about this campaign was that, at first sight, there was no apparent command and control server being connected to,” Harpaz wrote. “It was shortly after the beginning of the research when we understood no such CNC existed in the first place.”
FritzFrog Botnet: Attack Mitigation Strategies
Guardicore issued four key recommendations to impede FritzFrog attacks:
- Choose strong passwords and use public key authentication.
- Remove FritzFrog’s public key from the authorized_keys file, preventing the attackers from accessing the machine.
- Consider changing routers’ and IoT devices’ SSH port or completely disabling SSH access to them if the service is not in use.
