FritzFrog – A New Generation of Botnets Enter the Scene
Guardicore Labs has discovered a new botnet campaign as part of their ongoing Botnet Encyclopedia research, named ‘FritzFrog.’ First discovered January 9th, 2020, FritzFrog is a sophisticated peer-to-peer (P2P) botnet which has been actively breaching SHH servers. Written in Golang, the malware worm executed by FritzFrog is modular, multi-threaded and fileless, leaving no traces of its existence on the disks of infected machines. FritzFrog itself is completely proprietary, as its P2P implementation is written completely from scratch, providing evidence that its creators are highly professional software developers. The botnet seems to be actively targeting government, education, and finance sectors ,as it has attempted to brute force and propagate to tens of millions of IP addresses of governmental offices, educational institutions, medicals centers, banks, and numerous telecom companies. Among those, it has successfully breached more than 500 servers, infecting well-known universities in the United States and Europe.
With its decentralized nature, FritzFrog can distribute control amongst all its nodes. The network it creates has no single point-of-failure and peers constantly communicate with each other to keep the network alive, resilient and up to date. The P2P traffic used for communication is done over an encrypted channel that utilizes AES for symmetric encryption and the Diffie-Hellman protocol for key exchange. It is more aggressive in its brute-force attempts yet stays efficient by distributing targets evenly within the network. The Golang malware creates a backdoor in the form of an SSH public key, enabling the attackers ongoing access to victim’s machines, and since the discovery of the campaign in early January of this year, Guardicore Labs has identified twenty different versions of the malware executable. Guardicore Labs also provides a GitHub Repository containing a detection script as well as a detailed list of IOCs for this campaign. FritzFrog is considered to be a “next generation” botnet due to its fileless nature, ability to constantly update, its efficient and aggressive nature, and its proprietary P2P protocol.
Sources:
Indicators of Compromise (IOCs):