The unique, advanced worming P2P botnet drops backdoors and cryptominers, and is spreading globally. SSH servers are pieces of software found in routers and IoT devices, among other machines, and they use the secure shell protocol to accept connections from remote computers. SSH servers are common in enterprise and consumer environments alike. According to an analysis from Guardicore Labs, FritzFrog propagates as a worm, brute-forcing credentials at entities like governmental offices, educational institutions, medical centers, banks and telecom companies. FritzFrog has attempted to compromise tens of millions of machines so far, and has successfully breached more than 500 servers in total.
FritzFrog executes worm malware written in Golang that is modular, multi-threaded and fileless, leaving no trace on the infected machine’s disk. Once a server is compromised, the malware creates a backdoor in the form of an SSH public key, giving the attackers ongoing access to the victim machine. It has greater resiliency than other types of botnets because control is decentralized and spread among all nodes; as such, there is no single point of failure and no command-and-control (C2) server. Almost everything about FritzFrog is unique when compared with past P2P botnets: Harpaz noted that it doesn’t use IRC like IRCflu; it operates in-memory, unlike another cryptomining botnet, DDG; and it runs on Unix-based machines, unlike others such as the InterPlanetary Storm botnet.
Once installed on a target by this method, the malware begins listening on port 1234, waiting for initial commands that sync the victim with a database of network peers and brute-force targets. Once this initial syncing is finished, FritzFrog gets creative on the detection-evasion front when it comes to further communication from outside the botnet. Instead of sending commands directly over port 1234, the attacker connects to the victim over SSH and runs a netcat client on the victim’s machine. From this point on, any command sent over SSH is fed to netcat as input and thus relayed to the malware listening on port 1234. The malware also spawns multiple threads to perform various tasks simultaneously, assigning different tasks to different modules. Researchers suspect that the botnet aims to deploy cryptominers.
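The three host-level artefacts described above (a listener on port 1234, a netcat client spawned under an SSH session, and an unexpected public key in authorized_keys) can each be checked from routine host snapshots. The following triage script is an added example, not code from Guardicore or from the article; the `ss -ltnp` and `ps -eo pid,ppid,comm` output it parses is constructed, and the process names and key comments are placeholders.

```python
import re
# Constructed sample of `ss -ltnp` output (not captured from a real host).
SS_OUTPUT = """LISTEN 0 128 0.0.0.0:22   0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 0.0.0.0:1234 0.0.0.0:* users:(("updater",pid=4419,fd=7))"""

# Constructed sample of `ps -eo pid,ppid,comm` output, header removed.
PS_OUTPUT = """812 1 sshd
4400 812 sshd
4419 4400 updater
4421 4400 nc
4500 1 nc"""

# Constructed authorized_keys; key material is a placeholder, not a real key.
AUTHORIZED_KEYS = """ssh-ed25519 AAAAPLACEHOLDER admin@workstation
ssh-rsa AAAAPLACEHOLDER unknown-host"""

SS_RE = re.compile(r'^LISTEN\s+\S+\s+\S+\s+\S+:(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)')

def listeners_on_port(ss_output, port=1234):
    """Return [(process, pid)] for sockets listening on `port`."""
    hits = [SS_RE.match(l) for l in ss_output.splitlines()]
    return [(m.group(2), int(m.group(3))) for m in hits if m and int(m.group(1)) == port]

def netcat_spawned_by_sshd(ps_output):
    """Return pids of nc/netcat processes that have an sshd ancestor."""
    procs = {}
    for line in ps_output.splitlines():
        pid, ppid, comm = line.split(None, 2)
        procs[int(pid)] = (int(ppid), comm)
    flagged = []
    for pid, (ppid, comm) in procs.items():
        if comm not in ("nc", "netcat", "ncat"):
            continue
        cur = ppid
        while cur in procs:          # walk up until we reach an sshd or the root
            if procs[cur][1] == "sshd":
                flagged.append(pid)
                break
            cur = procs[cur][0]
    return flagged

def unexpected_keys(authorized_keys, allowed_comments):
    """Return comments of keys absent from the baseline allowlist ('' if no comment)."""
    found = []
    for line in authorized_keys.splitlines():
        parts = line.split()
        if len(parts) >= 2:  # type, key material, optional comment
            comment = parts[2] if len(parts) > 2 else ""
            if comment not in allowed_comments:
                found.append(comment)
    return found
```

A listener on 1234 alone is a weak signal (the port is not reserved), so treat it as a trigger to run the other two checks and to inspect the owning process, which on a fileless implant will have no backing file on disk.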