Friday, January 15, 17:01
Home security FritzFrog malware: Attacks Linux servers via SSH

FritzFrog malware: Attacks Linux servers via SSH

An advanced botnet campaign called FritzFrog has been discovered to infringe on SSH servers around the world, at least since January 2020.

Written in Golang, FritzFrog is a worm and botnet targeting government, education and finance.

FritzFrog malware

The attack has already penetrated more than 500 servers in the US and Europe, universities and railway companies.

The advanced nature of FritzFrog lies in the proprietary and anonymous P2P application written from scratch.

No files, no servers but so efficient

The malware collects and executes the malicious payload on the memory, making it unstable.

In addition, the custom P2P application means that there is no Command & Control server (C&C) that sends instructions to FritzFrog.

Despite the aggressive brute-force tactics used by FritzFrog to break into SSH servers, it is strangely effective at targeting a network evenly.

Guardicore Labs has been monitoring FritzFrog for the past few months using the honeypot network.

"We started monitoring the activity of the campaign, which grew steadily and significantly over time. of time, totaling 13 attacks on the Guardicore Global Sensors Network (GGSN). "Since its first appearance, we have identified 20 different versions of the Fritzfrog binary," the company said in a recently published report authored by security researcher Ophir Harpaz.

In an effort to locate a central C&C design that powers the botnet, the company soon realized that there was no such thing.

To better understand FritzFrog and its capabilities, Guardicore Labs designed an interceptor written in Golang called frogger, which could participate in the malware key exchange process and receive and send commands.

"This program, which we called frogger, allowed us to explore its nature and scope. network. Using the frogger, we also managed to join network"Introducing" our nodes and participating in the current P2P traffic ", the report states.

Thus, Guardicore Labs concluded that the malware campaign had brute-forced access to millions of IP SSH addresses owned by institutions such as medical centers. banks, telecommunications companies, educational and governmental organizations.

When analyzed by Guardicore Labs researchers, the malware is unique given its distributed nature. While other botnets such as IRCflu have used IRC or DDG have worked using files, FritzFrog does not exhibit any of these behaviors.

The report acknowledges, however, that "it bears some resemblance - especially in terms of name and version numbers - to Rakos, a P2P botnet written in Golang and analyzed by ESET in 2016." Guardicore Labs has provided a simple one script which can be used to detect FritzFrog infections. Both the script and a list of FritzFrog IoCs have been published in GitHub.

"FritzFrog takes advantage of the fact that many network security solutions require traffic only through ports and protocol. To overcome this secrecy technique, process-based segmentation rules can easily prevent such threats", Concludes their report.


Please enter your comment!
Please enter your name here

Teo Ehc
Teo Ehc
Be the limited edition.


Ransomware is responsible for half of all data breaches in hospitals

Almost half of the data breaches committed in hospitals and the wider healthcare sector are due to ransomware attacks, ...

Astronomers have just found the oldest oversized black hole

A quasar was discovered in a dark corner of space - over 13,03 billion light-years away - and contains a ...

What are the best and most affordable 5G phones for 2021

The market will soon be flooded with mid-range 5G devices. Everything that happens will be really exciting: you will be able to ...

Verified Twitter accounts in a cryptocurrency scam with the name of Elon Musk violated!

Lately, hackers have been violating verified Twitter accounts in a cryptocurrency giveaway scam, in which the name of the CEO is used ...

Classiscam: Fraudsters "fake" brands and deceive users of European markets!

Dozens of criminal gangs publish fake ads in popular online markets, to attract unsuspecting users to "fraudulent" commercial sites or phishing ...

iOS 14.4: Displays a notification for repairs with non-genuine cameras

Starting with the iPhone 11, Apple has added a notification to iOS that tells the user when the device has a ...

Facebook: Sues Chrome extensions developers for data theft

Facebook has filed a lawsuit against two Portuguese nationals for developing Chrome extensions that collected data from Facebook users.

Cisco does not fix 74 bugs in RV routers that have reached their EOL

Cisco said yesterday that it will not release firmware updates to fix 74 vulnerabilities that have been reported in ...

Hacker commits new crimes while waiting for his release!

A Kosovo hacker was pardoned after his conviction. The hacker provided personally identifiable information over 1.000 ...

Nintendo rules out Game & Watch video hacking

Two copyright claims against a YouTuber have been filed by Nintendo, for a video showing hacking of Super Mario ...