A new, highly sophisticated peer-to-peer (P2P) botnet called FritzFrog, discovered by the cloud security company Guardicore, has been actively breaching SSH servers worldwide since January 2020.
FritzFrog's P2P protocol is proprietary and not based on any existing implementation. The modular, multi-threaded and fileless botnet has breached over 500 servers to date, including those of well-known universities in the United States and Europe, according to a report released by Guardicore Labs.
Unlike other P2P botnets, FritzFrog has some unique properties: it is fileless, assembling and executing payloads in memory; it is more aggressive in its brute-force attempts; and it is efficient at distributing targets evenly across the network.
What's A Fileless P2P Botnet?
P2P communication happens over an encrypted channel, using AES for symmetric encryption and the Diffie-Hellman protocol for key exchange. FritzFrog creates a backdoor in the form of an SSH public key, giving the attackers continued access to victim machines.
FritzFrog runs a worm written in Golang that is modular, multi-threaded and fileless, leaving no trace on the infected machine's disk. FritzFrog appears to share similarities with Rakos, another Golang-based Linux backdoor that previously infiltrated target systems via brute-force attempts at SSH logins.
Once a target is identified, the malware brute-forces its credentials, infects the machine with payloads upon a successful breach, and adds the victim to the P2P network.
The authors also employed a creative technique to evade detection: instead of sending commands directly over port 1234, the attacker connects to the victim over SSH and runs a netcat client on the victim's machine, which in turn connects to the malware's server; the commands are then sent through that connection.
How to Detect a FritzFrog Infection and Mitigate It
Guardicore Labs has developed a client program in Golang that is fully capable of intercepting FritzFrog's P2P communication, as well as joining the network as a peer.
It is recommended that strong passwords and public key authentication be used on SSH servers, as public key authentication is much more secure. Routers and IoT devices that often expose SSH are vulnerable to FritzFrog, so users should consider changing their SSH port or disabling SSH access completely if the service is not in use.
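The two defensive points above, the SSH-key backdoor and the sshd hardening advice, can be turned into a small host audit. The script below is an added example, not code from the article or from Guardicore: it compares the keys in an authorized_keys file against an allowlist of known fingerprints (an unexpected key is how the backdoor described earlier would show up), and it flags the sshd_config settings the article recommends changing. The configuration fragments, the key blobs and the host names are constructed samples; the OpenSSH defaults used for absent directives are the documented ones.

```python
"""Added example (not from the article or Guardicore): audit an OpenSSH host
for an unexpected authorized key and for the weak sshd settings the article
recommends changing. All inputs are constructed samples embedded inline."""

import base64
import hashlib

# Constructed sshd_config fragments: the weak configuration beside the
# corrected one.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Port 2222
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
"""

# Constructed authorized_keys entries: the base64 blobs are filler, not real
# keys, and "unknown" stands in for a key the operator never installed.
KNOWN_KEY = "ssh-ed25519 " + "AAAAC3NzaC1lZDI1NTE5AAAAI" + "A" * 43 + " ops@bastion"
UNKNOWN_KEY = "ssh-rsa " + "AAAAB3NzaC1yc2EAAAADAQAB" + "B" * 40 + " unknown"
AUTHORIZED_KEYS = KNOWN_KEY + "\n" + UNKNOWN_KEY + "\n"

# OpenSSH defaults that apply when a directive is absent from sshd_config.
SSHD_DEFAULTS = {
    "port": "22",
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}

# Directive -> (value that counts as a finding, why it matters here).
WEAK_SETTINGS = {
    "passwordauthentication": ("yes", "password logins expose the server to brute force"),
    "permitrootlogin": ("yes", "root is reachable with a password"),
    "pubkeyauthentication": ("no", "key-based authentication is the recommended alternative"),
    "port": ("22", "default port; move or disable SSH if it is not needed"),
}


def parse_sshd_config(text):
    """Return {directive_lowercase: value}; the first occurrence wins, as in sshd."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() not in settings:
            settings[parts[0].lower()] = parts[1].strip()
    return settings


def audit_sshd_config(text):
    """List (directive, effective_value, reason) for each weak setting in effect."""
    settings = parse_sshd_config(text)
    findings = []
    for directive, (weak_value, why) in WEAK_SETTINGS.items():
        value = settings.get(directive, SSHD_DEFAULTS[directive]).lower()
        if value == weak_value:
            findings.append((directive, value, why))
    return findings


def fingerprint(key_line):
    """OpenSSH-style SHA256 fingerprint of one authorized_keys line.
    The key type field is located by its prefix so leading options are
    skipped; options containing quoted spaces are not handled."""
    fields = key_line.split()
    for i, field in enumerate(fields):
        if field.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(fields):
            blob = base64.b64decode(fields[i + 1])
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("not a public key line: " + key_line)


def audit_authorized_keys(text, allowed_fingerprints):
    """Return (fingerprint, last_field) for every key not in the allowlist;
    the last field is the key comment when one is present."""
    unexpected = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fp = fingerprint(line)
        if fp not in allowed_fingerprints:
            unexpected.append((fp, line.split()[-1]))
    return unexpected


# An allowlist would normally come from a key inventory; here it is derived
# from the constructed known key.
ALLOWED_FINGERPRINTS = {fingerprint(KNOWN_KEY)}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(label, "sshd_config findings:", audit_sshd_config(cfg) or "none")
    print("unexpected authorized keys:",
          audit_authorized_keys(AUTHORIZED_KEYS, ALLOWED_FINGERPRINTS))
```

On a real host the inputs would be read from /etc/ssh/sshd_config and each user's ~/.ssh/authorized_keys, and the allowlist from whatever system issues keys; because sshd applies a default for any directive that is missing, the audit evaluates defaults rather than only the lines present, so an empty configuration is still reported as accepting passwords on port 22.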