Recently, cybersecurity researchers discovered the FritzFrog P2P botnet, which has breached several enterprise and government servers. Read on to know more…
Recently, cybersecurity researchers discovered a new Peer-to-Peer (P2P) botnet, FritzFrog, that has breached enterprise and government servers. Guardicore, an Israeli firm, discovered the unique P2P botnet, which has been breaching Secure Shell (SSH) servers in the government, education and financial sectors since the beginning of 2020.
To date, it has successfully infiltrated some 500 servers through brute-force attacks and spread to “tens of millions” of IP addresses at government agencies, educational institutions, medical facilities, financial firms and telecoms, Ophir Harpaz, a Guardicore security researcher, said in a blog post.
About FritzFrog Botnet
FritzFrog is a decentralized botnet that uses P2P protocols to distribute control across all of its nodes, so there is no single controller or point of failure. Researchers have revealed details of the botnet, which drops backdoors and cryptominers on targeted systems. Active since January 2020, FritzFrog is a Golang-based, modular, multi-threaded and fileless threat; it leaves no trace on the infected machine’s disk. So far, over 20 malware samples have been detected in the wild. The malware has attempted to brute-force at least 500 SSH servers belonging to government, education, financial, medical and telecom organizations worldwide, and it primarily mines the Monero cryptocurrency using the XMRig miner.
Part of what makes the malware, dubbed FritzFrog and written in the open-source Go language, a one-off is that it is proprietary and written from scratch; it is modular, multi-threaded and fileless, and it leaves no trail on infected machines, according to Guardicore, which has found 20 different versions of the malware executable.
Recent P2P Malware Attacks
Recent attack trends show that threat actors have refined their tactics, leveraging botnets for DDoS attacks and other malicious activity.
In June 2020, the Mozi malware was observed targeting IoT devices, predominantly routers and DVRs. It draws on several contributing malware families, including Mirai, Gafgyt and IoT Reaper, which were brought together to form a P2P botnet capable of DDoS attacks, data exfiltration, and command or payload execution. In April 2020, researchers identified the DDG coin-mining botnet, thought to be the world’s first P2P-based cryptomining botnet.
The researchers also found some resemblance between FritzFrog and Rakos, a previously seen P2P botnet first discovered in December 2016.
Mitigation
Guardicore Labs has developed a client program, written in Golang, that can intercept FritzFrog’s P2P communication and join the network as a peer. FritzFrog attacks can be prevented by using strong passwords and public key authentication. Affected users should remove FritzFrog’s public key from the authorized_keys file, and can also change their SSH port, or disable the service if it is not in use, to fend off FritzFrog attacks.