New FritzFrog Botnet Attacks Millions of SSH Servers

On August 19, 2020, a new peer-to-peer (P2P) botnet, tracked as “FritzFrog,” was observed targeting governments, educational institutions, medical centers, telecom companies, and finance organizations. FritzFrog’s primary goal is to mine for cryptocurrency using the “XMRig” miner, which is deployed and connected to the public pool “web.xmrpool[.]eu” over port 5555. This campaign was identified by security researchers as part of their ongoing Botnet Encyclopedia research. The researchers observed that these new attacks appeared when malicious processes, named “ifconfig” and “nginx,” were executed. The researchers also identified 20 different versions of the malware executable since January 2020. Based on FritzFrog’s historical data, the malware has successfully breached more than 500 SSH servers, with the vast majority of the targets located at well-known universities in the US and Europe,.

FritzFrog gains access to victims’ systems by executing a worm malware which is written in the Golang programming language. The malware is modular, multi-threaded, and fileless, and leaves no trace on the infected machine’s disk. Upon execution, the malware creates a backdoor in the form of an SSH public key which enables attackers’ ongoing access to victim machines. FritzFrog also implements an encrypted command-and-control (C2) channel with over 30 different commands. The commands are capable of joining the victim machine to the existing database of network peers and slave nodes, adding a public SSH-RSA key to the “authorized_keys” file to establish a backdoor, which allows the malware to run shell commands to monitor a victim PC’s resources, CPU usage, and network.

To intercept the FritzFrog network, researchers developed a client program named “frogger,” which is written in the Golang programming language. This program is able to perform the key-exchange process with the malware and is capable of sending commands and receiving their outputs. At the time of writing, there is no strong evidence to attribute the FritzFrog botnet to a specific threat actor, but researchers have found some resemblance to a previously-seen “Rakos” P2P botnet. The indicators of compromise and a detection script were released by Guardicore Labs on their GitHub repository to help the detection of FritzFrog botnet. Guardicore Labs GitHub: https://github.com/guardicore/labs_campaigns/tree/master/FritzFrog

Detection & Mitigation:

– Running processes nginx, ifconfig, or libexec who’s executable file no longer exists on the file system.

– Listening port 1234

– Changing SSH access to a non-standard port or disabling SSH on devices if the service is not used

– Utilize Strong Passwords and Public Key Authentication

– Block traffic to domain xmrpool[.]eu

In addition, TCP traffic over port 5555 can indicate network traffic to the Monero mining pool.