'FritzFrog' P2P Botnet Targets SSH Servers
Researchers: Botnet Is Mining for Monero Cryptocurrency
A recently discovered peer-to-peer botnet dubbed "FritzFrog" has breached about 500 SSH servers, infecting universities in the U.S. and Europe and a railway company in an effort to plant cryptomining malware, Guardicore Labs reports.
The botnet has also attempted to infect banks, medical centers, governmental offices, educational institutions and telecom companies, the researchers say.
FritzFrog, which is written in the Go programming language, uses an encrypted peer-to-peer (P2P) communication protocol to distribute malware and take control of infected nodes, according to the report. This makes the botnet harder to detect and enables it to propagate across many infected SSH servers.
The Guardicore Labs researchers believe that FritzFrog was written from scratch by sophisticated developers. While the botnet is now mining for monero cryptocurrency, its operators eventually could use the malware for other purposes, they note.
"The monero cryptominer does not seem to be the main goal of the FritzFrog operators. Even by simply looking at the amount of code dedicated to the different malware modules, we can confidently say that the attackers are much more interested in obtaining access to breached servers," Ophir Harpaz, security researcher at Guardicore Labs, tells Information Security Media Group. "This access can be worth much more than spreading a cryptominer."
While cryptomining is the botnet's main function, Harpaz says it's not clear how much monero FritzFrog has mined. The botnet continues to grow and is attempting to infect more servers.
Brute-Force Methods Used
To gain a foothold on an SSH server, FritzFrog uses brute-force methods to guess the right username and password combination, according to the report.
"Once inside the machine, the malware 'injects' an SSH key, which is used as a backdoor, allowing the attackers to access the victim even if the password is changed," Harpaz says.
Once that initial attack has started, FritzFrog uses the P2P protocol to start the self-replicating process, which includes deploying and executing malware throughout the host server, according to the report.
"From this moment on, the new victim becomes part of the P2P network; it gets a share of the targets to crack, therefore contributing its CPU power to propagate to new SSH servers," Harpaz says. "In addition, it immediately becomes capable of receiving and executing commands from other peers in the network."
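The detection side of the steps just described, added here as an example and not taken from the report or the article: a Python script that groups sshd "Failed password" lines by source address and surfaces sources that fail repeatedly and then obtain an accepted login, and that fingerprints every entry in an authorized_keys file and reports any key not on an allow-list, which is how a key planted as a backdoor shows up. The log lines, key blobs and allow-list are constructed; the ssh-ed25519 blobs are well-formed on the wire but contain filler bytes, not real keys.

```python
import base64
import hashlib
import re
from collections import defaultdict

# Constructed sample of sshd syslog lines (not from the report): one source fails
# five times across several accounts and then logs in with a password; a second
# source has one failure followed by a public-key login.
SAMPLE_AUTH_LOG = """\
Aug 19 10:01:02 host sshd[2311]: Failed password for root from 198.51.100.7 port 40122 ssh2
Aug 19 10:01:03 host sshd[2313]: Failed password for invalid user admin from 198.51.100.7 port 40130 ssh2
Aug 19 10:01:03 host sshd[2315]: Failed password for root from 198.51.100.7 port 40138 ssh2
Aug 19 10:01:04 host sshd[2317]: Failed password for invalid user oracle from 198.51.100.7 port 40144 ssh2
Aug 19 10:01:05 host sshd[2319]: Failed password for root from 198.51.100.7 port 40150 ssh2
Aug 19 10:01:06 host sshd[2321]: Accepted password for root from 198.51.100.7 port 40158 ssh2
Aug 19 10:05:44 host sshd[2400]: Failed password for alice from 203.0.113.9 port 51000 ssh2
Aug 19 10:05:50 host sshd[2402]: Accepted publickey for alice from 203.0.113.9 port 51002 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")


def brute_force_sources(log_text, threshold=5):
    """Group sshd failures by source IP and return the sources at or above threshold.

    Each entry carries the failure count, the set of user names tried and any
    logins accepted from the same source, so that "many failures, then an
    accepted password" stands out as a likely successful guess."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "accepted": []})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            stats[ip]["failures"] += 1
            stats[ip]["users"].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            stats[ip]["accepted"].append((method, user))
    return {ip: s for ip, s in stats.items() if s["failures"] >= threshold}


# --- authorized_keys audit: catch a key planted as a backdoor -------------------

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def ssh_fingerprint(key_b64):
    """OpenSSH-style fingerprint: SHA256 over the decoded key blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Yield (key_type, fingerprint, comment) per key line.

    The key-type token is located by name so that lines with a leading options
    field (command="...", from="...") are still parsed."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        for i, tok in enumerate(parts[:-1]):
            if tok in KEY_TYPES:
                yield tok, ssh_fingerprint(parts[i + 1]), " ".join(parts[i + 2:])
                break


def unexpected_keys(text, allowed_fingerprints):
    """Keys present in the file whose fingerprint is not on the allow-list."""
    return [k for k in parse_authorized_keys(text) if k[1] not in allowed_fingerprints]


def _ed25519_blob(raw32):
    # Wire format of an ssh-ed25519 public key: string "ssh-ed25519", string <32 bytes>.
    # The 32 bytes are filler for this constructed sample, not a real key.
    return base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + raw32).decode()


ADMIN_KEY = _ed25519_blob(bytes(range(32)))        # constructed: the provisioned key
ROGUE_KEY = _ed25519_blob(bytes(range(32, 64)))    # constructed: a key nobody provisioned
SAMPLE_AUTHORIZED_KEYS = f"""\
# constructed sample ~/.ssh/authorized_keys
ssh-ed25519 {ADMIN_KEY} alice@laptop
ssh-ed25519 {ROGUE_KEY}
"""
ALLOWED_FINGERPRINTS = {ssh_fingerprint(ADMIN_KEY)}

if __name__ == "__main__":
    for ip, s in brute_force_sources(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {s['failures']} failures over {sorted(s['users'])}, accepted={s['accepted']}")
    for key_type, fp, comment in unexpected_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWED_FINGERPRINTS):
        print(f"unexpected key: {key_type} {fp} comment={comment!r}")
```

To run this against a real host, feed it the contents of /var/log/auth.log (or `journalctl -u ssh`) and each user's authorized_keys file, and build the allow-list from the fingerprints `ssh-keygen -lf` prints for the keys you actually provisioned; a key with no comment and no matching fingerprint is exactly the artefact the injection step leaves behind.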
The report notes that the malware associated with the FritzFrog botnet is fileless and executes in memory, making it harder to detect. Once established on a device, the bot signals to a command-and-control server and listens for new commands specifically on port 1234.
Because communication over port 1234 is easy to spot, however, the botnet is designed to also send messages through SSH by using a netcat utility program, which is typically used to monitor network traffic, according to the report. Any data sent back to the operators is encrypted.
The botnet malware can execute 30 separate commands, including creating a backdoor and connecting with other infected nodes and servers in the FritzFrog network. It can also monitor resources, such as CPU use, within an infected server, according to the report.
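A host-side check for the indicators in the preceding three paragraphs (a listener on port 1234, a process running from a binary that is no longer on disk, and netcat spawned inside an SSH session), added here as an example and not taken from the report. It assumes `ss -H -lntp` output for the socket listing and Linux /proc for process data; the sample socket lines and process table are constructed, and the process name "worker" is a placeholder.

```python
import os
import re
from dataclasses import dataclass

NETCAT_NAMES = {"nc", "ncat", "netcat", "nc.openbsd", "nc.traditional"}


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str   # process name as shown in /proc/<pid>/stat
    exe: str    # readlink target of /proc/<pid>/exe, "" if unreadable


def listeners_on_port(ss_output, port):
    """Parse `ss -H -lntp` style lines; return (process, pid, local_addr) for listeners on port."""
    hits = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        local = parts[3]
        try:
            lport = int(local.rsplit(":", 1)[1])   # handles 0.0.0.0:1234 and [::]:1234
        except (IndexError, ValueError):
            continue
        if lport != port:
            continue
        m = re.search(r'\(\("([^"]+)",pid=(\d+)', line)
        hits.append((m.group(1) if m else "?", int(m.group(2)) if m else -1, local))
    return hits


def deleted_executables(procs):
    """Processes whose binary is gone from disk (exe link ends in ' (deleted)').

    An in-memory payload that unlinked its dropper looks like this from /proc, but
    so does a service after a package upgrade: correlate, do not alert on it alone."""
    return [p for p in procs if p.exe.endswith(" (deleted)")]


def netcat_in_ssh_session(procs, max_hops=6):
    """netcat processes that descend from sshd (walks up to max_hops parents)."""
    by_pid = {p.pid: p for p in procs}
    flagged = []
    for p in procs:
        if p.comm not in NETCAT_NAMES:
            continue
        parent, hops = by_pid.get(p.ppid), 0
        while parent is not None and hops < max_hops:
            if parent.comm == "sshd":
                flagged.append(p)
                break
            parent, hops = by_pid.get(parent.ppid), hops + 1
    return flagged


def scan_proc_live():
    """Collect Proc records from the running host (other users' exe links need root)."""
    procs = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/stat") as f:
                stat = f.read()
            comm = stat[stat.index("(") + 1:stat.rindex(")")]
            ppid = int(stat[stat.rindex(")") + 2:].split()[1])   # field after the state letter
        except (OSError, ValueError, IndexError):
            continue
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = ""
        procs.append(Proc(pid, ppid, comm, exe))
    return procs


# Constructed sample data (not from the report): one sshd session (pid 4470) has a
# child whose binary was deleted and a netcat child; everything else is benign.
SAMPLE_SS = """\
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      4096         0.0.0.0:1234       0.0.0.0:*     users:(("worker",pid=4471,fd=7))
LISTEN 0      511        127.0.0.1:5432       0.0.0.0:*     users:(("postgres",pid=990,fd=5))
"""
SAMPLE_PROCS = [
    Proc(1, 0, "systemd", "/usr/lib/systemd/systemd"),
    Proc(812, 1, "sshd", "/usr/sbin/sshd"),
    Proc(990, 1, "postgres", "/usr/lib/postgresql/13/bin/postgres"),
    Proc(4470, 812, "sshd", "/usr/sbin/sshd"),
    Proc(4471, 4470, "worker", "/tmp/worker (deleted)"),
    Proc(5200, 4470, "nc", "/usr/bin/nc.openbsd"),
]

if __name__ == "__main__":
    print("port 1234 listeners:", listeners_on_port(SAMPLE_SS, 1234))
    print("deleted exe:", [p.pid for p in deleted_executables(SAMPLE_PROCS)])
    print("netcat under sshd:", [p.pid for p in netcat_in_ssh_session(SAMPLE_PROCS)])
```

On a live host, replace the constructed inputs with `scan_proc_live()` and the output of `ss -H -lntp`; the three checks deliberately stay separate so that each can be tuned (port 1234 is the strong signal here, the other two are corroboration).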
Once established, FritzFrog will then plant XMRig - malware that acts as a miner for monero virtual currency - which has become popular with other cryptomining botnets (see: Kubeflow Targeted in XMRig Monero Cryptomining Campaign).
The Guardicore Labs researchers were not able to identify the operators behind the FritzFrog botnet or where they are located. The creators might have connections to another botnet called Rakos, but this has not been confirmed, according to the report.
"Guardicore Labs has seen attacks originate in China, the U.S., South Korea, France, the U.K., and many other countries around the world," Harpaz says. "However, this indicates that FritzFrog has succeeded in replicating itself worldwide and says very little about the geographic origin of the initial attacks or the operators. While examining the malware file, we also found racist terminology that is largely used in the U.K. This is not a strong indicator of the attacker's origin, but it stood out."