FritzFrog botnet infected at least 500 government and corporate servers

The main goal of FritzFrog is cryptocurrency mining.

Guardicore Labs has published a report on the activity of the relatively new P2P botnet FritzFrog. Which in 2020 managed to infect at least 500 government and corporate SSH servers.

The botnet was first spotted in January this year. Over the past eight months, FritzFrog has carried out multiple brute force attacks on SSH servers belonging. To government agencies, telecommunications, financial companies, and healthcare and education companies around the world. At least 500 attacks were successful.

FritzFrog is a decentralized botnet that uses P2P protocols to manage its nodes.

After the SSH server is hacked, fileless malware is loaded onto the system and executed only in memory. Therefore, Turning the device into a bot capable of receiving and executing commands. Also, The FritzFrog malware is unpacked on the system under the names ifconfig and nginx. And is launched as a command-pending startup process listening on port 1234. These commands are easy enough to detect. So the attackers connect to the victim via SSH and launch the Netcat client.

All commands are transmitted in encrypted form. The first connects the device to an existing botnet. While the rest are used to install the backdoor, monitor the network, PC and CPU resources.

Furthermore,The main goal of FritzFrog is cryptocurrency mining. To do this, the botnet uses Monero mining software called XMRig. If the processes on the server are using too many CPU resources. FritzFrog will terminate them to provide power to the miner.

According to experts, FritzFrog uses a proprietary P2P protocol, which may indicate the high professionalism of its developers. Guardicore Labs was unable to find concrete evidence of any group’s involvement in the botnet. But they did find some similarities between FritzFrog and the Rakos botnet discovered in 2016.

Leave a Reply