An advanced botnet campaign called FritzFrog has been found compromising SSH servers around the world since at least January 2020.
Written in Golang, FritzFrog is a worm and botnet targeting government, education and finance organizations.
The attack has already penetrated more than 500 servers in the US and Europe, among them universities and railway companies.
What makes FritzFrog advanced is its proprietary and anonymous P2P implementation, written from scratch.
No files, no servers, but still efficient
The malware assembles and executes its malicious payload entirely in memory, leaving no file on disk.
In addition, because it uses a custom P2P protocol, there is no Command & Control (C&C) server sending instructions to FritzFrog.
Despite the aggressive brute-force tactics used by FritzFrog to break into SSH servers, it is strangely effective at targeting a network evenly.
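The brute-force activity described above is visible to defenders in the SSH daemon's own authentication log. The following script is an added example (not code from the article or from Guardicore) that counts failed password attempts per source address over a few constructed sshd log lines and flags any source that later achieved a login, which is the event worth paging on. The log lines, addresses and the five-attempt threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample of sshd auth log lines (made up for this example, not
# data from the Guardicore report). 198.51.100.7 plays the brute-forcer.
SAMPLE_AUTH_LOG = """\
Aug 19 10:00:01 host sshd[1201]: Failed password for root from 198.51.100.7 port 41122 ssh2
Aug 19 10:00:02 host sshd[1202]: Failed password for invalid user admin from 198.51.100.7 port 41123 ssh2
Aug 19 10:00:03 host sshd[1203]: Failed password for root from 198.51.100.7 port 41124 ssh2
Aug 19 10:00:04 host sshd[1204]: Failed password for ubuntu from 198.51.100.7 port 41125 ssh2
Aug 19 10:00:05 host sshd[1205]: Failed password for root from 198.51.100.7 port 41126 ssh2
Aug 19 10:00:06 host sshd[1206]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2: ED25519 SHA256:constructed
Aug 19 10:00:07 host sshd[1207]: Failed password for bob from 192.0.2.10 port 50001 ssh2
Aug 19 10:00:08 host sshd[1208]: Accepted password for root from 198.51.100.7 port 41127 ssh2
"""

# Standard OpenSSH log formats for failed and accepted logins.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")


def analyze(log_text, threshold=5):
    """Return one finding per source IP with >= threshold failed password
    attempts. Each finding also lists any login the same IP achieved, with
    the auth method: a password success from a source that was just
    brute-forcing is the signal a defender acts on."""
    failures = defaultdict(lambda: {"count": 0, "users": set()})
    successes = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip]["count"] += 1
            failures[ip]["users"].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            successes[ip].append((user, method))
    findings = []
    for ip, f in failures.items():
        if f["count"] >= threshold:
            findings.append({
                "ip": ip,
                "failures": f["count"],
                "users_tried": sorted(f["users"]),
                "logins_from_same_ip": successes.get(ip, []),
            })
    # Most aggressive source first.
    return sorted(findings, key=lambda x: -x["failures"])


if __name__ == "__main__":
    for finding in analyze(SAMPLE_AUTH_LOG):
        print(finding)
```

Run against the sample, the script reports a single source with five failures across three usernames followed by a successful password login as root. The threshold is deliberately low for the sample; in production it should be tuned per host, and the "login after brute force" field matters more than the raw count, since a worm of this kind only needs one success to gain a new node.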
Guardicore Labs has been tracking FritzFrog for the past several months using its honeypot network.
"We started monitoring the campaign's activity, which grew steadily and significantly over time, totaling 13 attacks on the Guardicore Global Sensors Network (GGSN). Since its first appearance, we have identified 20 different versions of the FritzFrog binary," the company said in a recently published report authored by security researcher Ophir Harpaz.
In an effort to locate the central C&C server powering the botnet, the company soon realized that there was none.
To better understand FritzFrog and its capabilities, Guardicore Labs developed an interceptor written in Golang, called frogger, which could take part in the malware's key-exchange process and send and receive commands.
"This program, which we called frogger, allowed us to explore the nature and scope of the network. Using frogger, we also managed to join the network by 'injecting' our own nodes and participating in the ongoing P2P traffic," the report states.
Guardicore Labs thus concluded that the campaign had brute-forced millions of SSH IP addresses belonging to institutions such as medical centers, banks, telecommunications companies, and educational and governmental organizations.
According to the Guardicore Labs researchers who analyzed it, the malware stands out for its distributed nature. While other botnets such as IRCflu rely on IRC, and DDG operates using files on disk, FritzFrog exhibits neither behavior.
The report acknowledges, however, that "it bears some resemblance - especially in terms of name and version numbers - to Rakos, a P2P botnet written in Golang and analyzed by ESET in 2016." Guardicore Labs has provided a simple script that can be used to detect FritzFrog infections. Both the script and a list of FritzFrog IoCs have been published on GitHub.
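Guardicore's detection script is not reproduced here. The following is an added example (not the project's script, and not code from the article) of the generic check that the "no files" property invites on a Linux host: walk /proc and flag processes whose executable is no longer on disk, either because the binary was unlinked after launch (readlink on /proc/<pid>/exe reports "(deleted)") or because it lives in an anonymous memfd. The sample snapshot, its process names and paths are constructed for the example.

```python
import os
from dataclasses import dataclass
from typing import List


@dataclass
class ProcInfo:
    pid: int
    exe: str       # resolved target of /proc/<pid>/exe, "" if unreadable
    cmdline: str


def is_fileless(p: ProcInfo) -> bool:
    """True when the process runs code whose backing file is not on disk:
    the executable was unlinked after launch (the link ends in "(deleted)")
    or it is an anonymous memfd. Unreadable links (kernel threads, missing
    privileges) are not guessed about and return False."""
    if not p.exe:
        return False
    return p.exe.endswith(" (deleted)") or p.exe.startswith("/memfd:")


def find_fileless(procs: List[ProcInfo]) -> List[ProcInfo]:
    return [p for p in procs if is_fileless(p)]


def snapshot_procfs() -> List[ProcInfo]:
    """Collect ProcInfo for every process visible in /proc (Linux only)."""
    procs = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = ""
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode("utf-8", "replace").strip()
        except OSError:
            cmdline = ""
        procs.append(ProcInfo(pid, exe, cmdline))
    return procs


# Constructed snapshot standing in for a live /proc walk (names are invented).
SAMPLE_SNAPSHOT = [
    ProcInfo(1, "/usr/lib/systemd/systemd", "/sbin/init"),
    ProcInfo(900, "/usr/sbin/sshd", "/usr/sbin/sshd -D"),
    ProcInfo(4242, "/tmp/.cache/worker (deleted)", "worker"),
    ProcInfo(4300, "/memfd:payload (deleted)", "svc"),
    ProcInfo(5000, "", "[kworker/0:1]"),
]


if __name__ == "__main__":
    live = snapshot_procfs() if os.path.isdir("/proc") else SAMPLE_SNAPSHOT
    for p in find_fileless(live):
        print(f"pid {p.pid}: exe={p.exe!r} cmdline={p.cmdline!r}")
```

Run as root so every /proc/<pid>/exe link is readable. A "(deleted)" executable is a triage signal rather than proof: a daemon that kept running through a package upgrade looks the same, so the hits should be correlated with the SSH authentication log and with unexpected listening sockets before anything is killed.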
"FritzFrog takes advantage of the fact that many network security solutions enforce traffic only by port and protocol. To overcome this secrecy technique, process-based segmentation rules can easily prevent such threats," their report concludes.