FritzFrog, a fileless peer-to-peer botnet, attacks Linux devices running SSH servers; its apparent goal is to mine cryptocurrency.
Cybersecurity firm Guardicore Labs discovered the new peer-to-peer (P2P) botnet.
Guardicore researcher Ophir Harpaz identified FritzFrog as part of ongoing Botnet Encyclopedia research, the company's free security threat tracker.
"We started monitoring the campaign's activity, which rose steadily and significantly with time, reaching an overall of 13k attacks on Guardicore Global Sensors Network (GGSN). Since its first appearance, we identified 20 different versions of the FritzFrog binary," the company states.
Targets of FritzFrog
According to Ophir Harpaz, FritzFrog has attempted to brute-force millions of IP addresses belonging to government offices, educational institutions, finance, medical and various telecom organisations worldwide over the past eight months.
The botnet has already breached over 500 servers in the U.S. and Europe, including those of universities and a railway company.
Features of FritzFrog
- It is fileless: it assembles and executes payloads in memory rather than from disk.
- It is more aggressive in its brute-force attempts, yet stays efficient by distributing targets evenly among the nodes of the network.
- Its P2P protocol is proprietary and not based on any existing implementation.
- The malware is written in Golang; over 20 variants have been detected in the wild.
- To ensure connectivity, nodes in the FritzFrog botnet regularly ping each other.
- For key exchange the malware uses the Diffie-Hellman algorithm, and AES for symmetric encryption of traffic.
How does FritzFrog work?
Once a victim is successfully breached, it starts running the UPX-packed malware, which immediately erases itself from disk. The malware process runs under the names ifconfig and nginx to minimise suspicion, and sets up a listener that waits for commands sent over port 1234.
Guardicore Labs explains that:
- The malware first attempts to connect to a target server over SSH on port 22 or 2222.
- On success, it adds the attacker's public SSH key to the authorized_keys file on the infected machine.
- The attacker then connects over SSH and runs a netcat client on the compromised server, which connects to the malware's listener on port 1234.
- From this point on, any command sent over SSH is used as netcat's input and is thus transmitted to the malware.
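The behaviour above yields three host-level indicators a responder can check: a process named ifconfig or nginx whose executable has been deleted from disk, a TCP socket bound to or peered with port 1234, and a public key in authorized_keys that is not on the allow-list. The following hunt script is an added example written for this article, not Guardicore's detection tool; the process list, `ss -tanp`-style socket lines, authorized_keys contents and allow-list are constructed sample data, and the `collect_procs()` helper shows how the same check would read `/proc` on a live host.

```python
"""Hunt for FritzFrog-style indicators on a Linux host (added example, sample data constructed)."""
import os
from dataclasses import dataclass

SUSPECT_NAMES = {"ifconfig", "nginx"}   # process names the malware hides behind
SUSPECT_PORT = 1234                     # port of the netcat command channel


@dataclass
class Proc:
    pid: int
    name: str   # contents of /proc/<pid>/comm
    exe: str    # readlink of /proc/<pid>/exe; ends with " (deleted)" once the binary is unlinked


def deleted_binary_procs(procs):
    """Processes using a cover name whose on-disk binary has been erased."""
    return [p for p in procs
            if p.name in SUSPECT_NAMES and p.exe.endswith(" (deleted)")]


def port_1234_sockets(ss_lines):
    """TCP sockets (from `ss -tanp`-style lines) bound to or peered with port 1234."""
    hits = []
    for line in ss_lines:
        parts = line.split()          # State Recv-Q Send-Q Local Peer Process
        if len(parts) < 5:
            continue
        ports = {addr.rsplit(":", 1)[-1] for addr in parts[3:5]}
        if str(SUSPECT_PORT) in ports:
            hits.append(line)
    return hits


def unknown_keys(authorized_keys_text, known_key_blobs):
    """(key type, comment) for each authorized_keys entry whose base64 blob is not allow-listed."""
    found = []
    for line in authorized_keys_text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        # An options field (command="...",no-pty ...) may precede the key type.
        for i, f in enumerate(fields):
            if f.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(fields):
                if fields[i + 1] not in known_key_blobs:
                    comment = " ".join(fields[i + 2:]) or "<no comment>"
                    found.append((f, comment))
                break
    return found


def hunt(procs, ss_lines, authorized_keys_text, known_key_blobs):
    """Combine the three checks into one report; 'suspicious' is True if any check fires."""
    report = {
        "deleted_binary_procs": [p.pid for p in deleted_binary_procs(procs)],
        "port_1234_sockets": port_1234_sockets(ss_lines),
        "unknown_keys": unknown_keys(authorized_keys_text, known_key_blobs),
    }
    report["suspicious"] = any(report[k] for k in
                               ("deleted_binary_procs", "port_1234_sockets", "unknown_keys"))
    return report


def collect_procs():
    """Live collector for a real host (reading other users' /proc/<pid>/exe needs root)."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as fh:
                name = fh.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue  # process exited or is not readable
        procs.append(Proc(int(pid), name, exe))
    return procs


# Constructed sample data for the offline run; not captured from a real infection.
SAMPLE_PROCS = [
    Proc(412, "nginx", "/usr/sbin/nginx"),                  # legitimate web server
    Proc(9981, "nginx", "/tmp/.x/nginx (deleted)"),         # cover name, binary erased
    Proc(9982, "ifconfig", "/dev/shm/ifconfig (deleted)"),  # cover name, binary erased
    Proc(1, "systemd", "/usr/lib/systemd/systemd"),
]
SAMPLE_SS = [
    'ESTAB 0 0 10.0.0.5:22 203.0.113.7:51234 users:(("sshd",pid=9000,fd=4))',
    'LISTEN 0 10 127.0.0.1:1234 0.0.0.0:* users:(("nc",pid=9983,fd=3))',
    'ESTAB 0 0 10.0.0.5:44412 198.51.100.9:1234 users:(("nginx",pid=9981,fd=5))',
]
SAMPLE_AUTHORIZED_KEYS = """\
# admin workstation
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleAdminKeyBlob admin@workstation
command="/usr/local/bin/backup",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABExampleBackupBlob backup
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABUnknownBlobAppendedByAttacker
"""
KNOWN_KEY_BLOBS = {"AAAAC3NzaC1lZDI1NTE5AAAAIExampleAdminKeyBlob",
                   "AAAAB3NzaC1yc2EAAAADAQABExampleBackupBlob"}

if __name__ == "__main__":
    print(hunt(SAMPLE_PROCS, SAMPLE_SS, SAMPLE_AUTHORIZED_KEYS, KNOWN_KEY_BLOBS))
```

On the sample data the report flags pids 9981 and 9982 (cover names with deleted binaries), the listener on 127.0.0.1:1234 plus the outbound connection to port 1234, and the third key in authorized_keys; the legitimate nginx at /usr/sbin/nginx and the sshd session on port 22 are not reported. On a real host, pair `collect_procs()` with the output of `ss -tanp` and the authorized_keys files of every account, and treat the allow-list of key blobs as something maintained out of band, since a host that has already been breached cannot vouch for its own key files.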
The P2P protocol used for communication by the botnet is "proprietary," notes Guardicore, and is "not based on any existing implementation," such as μTP.