Monday, October 26, 08:56

FritzFrog malware: Attacks Linux servers via SSH

An advanced botnet campaign called FritzFrog has been found breaching SSH servers around the world since at least January 2020.

Written in Golang, FritzFrog is a worm and botnet that targets government, education and finance organizations.

FritzFrog malware

The campaign has already penetrated more than 500 servers in the US and Europe, including those of universities and railway companies.

What makes FritzFrog advanced is its proprietary, anonymous P2P protocol, written from scratch.

No files, no servers, but highly efficient

The malware assembles and executes its malicious payload in memory, so it is volatile and leaves no files on disk.

In addition, the custom P2P protocol means there is no Command & Control (C&C) server sending instructions to FritzFrog.

Despite the aggressive brute-force tactics FritzFrog uses to break into SSH servers, it is surprisingly efficient at spreading its targets evenly across the network.

Guardicore Labs has been monitoring FritzFrog for the past few months using its honeypot network.

"We started monitoring the campaign's activity, which grew steadily and significantly over time, totaling 13 attacks on the Guardicore Global Sensors Network (GGSN). Since its first appearance, we have identified 20 different versions of the FritzFrog binary," the company said in a recently published report authored by security researcher Ophir Harpaz.

In an effort to locate a central C&C infrastructure powering the botnet, the company soon realized that there was no such thing.

To better understand FritzFrog and its capabilities, Guardicore Labs built an interceptor written in Golang, called frogger, which could take part in the malware's key exchange process and send and receive commands.

"This program, which we called frogger, allowed us to investigate the nature and scope of the network. Using frogger, we also managed to join the network by 'introducing' our own nodes and participating in the current P2P traffic," the report states.

Guardicore Labs thus concluded that the campaign had brute-forced millions of SSH IP addresses belonging to institutions such as medical centers, banks, telecommunications companies, and educational and governmental organizations.

According to the Guardicore Labs researchers who analyzed it, the malware is unique because of its distributed nature. While other botnets such as IRCflu have relied on IRC, and DDG has operated using files, FritzFrog exhibits neither behavior.

The report acknowledges, however, that "it bears some resemblance - especially in terms of name and version numbers - to Rakos, a P2P botnet written in Golang and analyzed by ESET in 2016."

Guardicore Labs has provided a simple script that can be used to detect FritzFrog infections. Both the script and a list of FritzFrog IoCs have been published on GitHub.
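As an added illustration of the in-memory execution pattern described above (this is not Guardicore's detection script, which is not reproduced here), the following example lists Linux processes whose executable is not an ordinary file on disk. It assumes a Linux host with /proc and reads only /proc/<pid>/exe; the SAMPLE_EXE_TARGETS values are constructed for demonstration.

```python
import os

# Constructed sample of /proc/<pid>/exe link targets (not real data).
SAMPLE_EXE_TARGETS = {
    101: "/usr/sbin/sshd",              # ordinary on-disk binary
    202: "/tmp/.x (deleted)",           # binary unlinked after it was started
    303: "/memfd:payload (deleted)",    # executed straight from an anonymous memfd
    404: "/usr/bin/nginx",              # ordinary on-disk binary
}


def fileless_reason(exe_target: str):
    """Return why an exe link target looks memory-resident, or None if it looks ordinary."""
    if exe_target.startswith("/memfd:"):
        return "memfd-backed executable"
    if exe_target.endswith(" (deleted)"):
        return "executable unlinked from disk"
    if exe_target.startswith(("/dev/shm/", "/tmp/", "/var/tmp/")):
        return "executable in a RAM-backed or world-writable directory"
    return None


def suspicious_pids(exe_targets):
    """Map pid -> reason for every process whose executable does not look like a normal file."""
    result = {}
    for pid, target in exe_targets.items():
        reason = fileless_reason(target)
        if reason:
            result[pid] = reason
    return result


def read_proc_exe_targets(proc_root="/proc"):
    """Collect pid -> readlink(/proc/<pid>/exe) for every process we are allowed to inspect."""
    targets = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            targets[int(entry)] = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue  # kernel threads, exited processes, or insufficient permission
    return targets


if __name__ == "__main__":
    for pid, reason in sorted(suspicious_pids(read_proc_exe_targets()).items()):
        print(f"pid {pid}: {reason}")
```

Run it as root to see all processes; a hit is a lead for triage, not proof of infection, since some legitimate software also runs from memory or is updated in place.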

"FritzFrog takes advantage of the fact that many network security solutions enforce traffic only by port and protocol. To overcome this stealth technique, process-based segmentation rules can easily prevent such threats," the report concludes.

Teo Ehc