FritzFrog Botnet Uses Proprietary P2P Protocol

A newly discovered sophisticated peer-to-peer (P2P) botnet targeting SSH servers is using a proprietary protocol, Guardicore Labs security researchers explain.


Dubbed FritzFrog, the botnet has been active since January 2020, compromising targets via a worm written in Golang. Modular in nature, the threat uses fileless infection to avoid leaving traces on disk.


FritzFrog was observed brute-forcing millions of IP addresses, and has infected over 500 servers, including servers belonging to well-known universities in the U.S. and Europe, and a railway company. The threat also targeted government offices, education and finance organizations, medical centers, banks, and telecom companies.


On the infected servers, the malware creates a backdoor in the form of an SSH public key, for ongoing access. Guardicore Labs, which has identified nearly two dozen versions of the malware executable, notes that the bots are constantly communicating over an encrypted channel.


What makes the threat unique compared to other P2P botnets is a fileless infection, constantly updated databases of targets and breached machines, brute-force attacks using an extensive dictionary, even distribution of targets among nodes, and the use of a completely proprietary protocol.


Upon infection, the malware starts running on the new victim system, under the names ifconfig and nginx, and immediately erases itself. It listens for commands on port 1234, with the initial commands ensuring the victim machine is synced with the database of network peers and targets.


To hide traffic, the connection is made over SSH, through a netcat client that receives commands as input. The botnet includes support for more than 30 different commands.
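The three host-side indicators the article names (a self-deleting binary running as ifconfig or nginx, a listener on TCP port 1234, and an extra SSH public key planted as a backdoor) can be triaged from data a Linux host already exposes. The script below is an added example written for this page; it is not Guardicore's tooling or the malware's code. It assumes the process table has been collected into a dict from /proc/<pid>/comm and readlink of /proc/<pid>/exe, and it parses the /proc/net/tcp and authorized_keys text formats directly. All sample inputs are constructed for the example, not captured from a real infection.

```python
"""Host triage for the FritzFrog indicators reported by Guardicore Labs.

Checks, each over text a Linux host already provides:
  1. processes named ifconfig / nginx whose executable was unlinked after
     start (a self-deleting, "fileless" binary shows as '... (deleted)'),
  2. a TCP listener on port 1234, parsed from /proc/net/tcp,
  3. entries in authorized_keys that are not in an operator allowlist.
Sample inputs are constructed for this example.
"""
import re
from typing import Dict, Iterable, List

SUSPECT_NAMES = {"ifconfig", "nginx"}  # process names reported in the article
SUSPECT_PORT = 1234                     # command port reported in the article


def deleted_exe_processes(procs: Dict[int, Dict[str, str]]) -> List[int]:
    """procs maps pid -> {'comm': name, 'exe': readlink('/proc/<pid>/exe')}.
    Flag suspect names whose backing file no longer exists on disk."""
    return sorted(
        pid for pid, info in procs.items()
        if info["comm"] in SUSPECT_NAMES and info["exe"].endswith(" (deleted)")
    )


def listeners_on_port(proc_net_tcp: str, port: int = SUSPECT_PORT) -> List[str]:
    """Return local IPv4 addresses in LISTEN state (st == 0A) on `port`."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 4:
            continue
        local, state = fields[1], fields[3]
        addr_hex, port_hex = local.split(":")
        if state == "0A" and int(port_hex, 16) == port:
            # /proc/net/tcp stores the IPv4 address as little-endian hex
            octets = [str(int(addr_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)]
            found.append(".".join(octets))
    return found


def unexpected_authorized_keys(authorized_keys: str, allowlist: Iterable[str]) -> List[str]:
    """Return key blobs present in authorized_keys but absent from `allowlist`."""
    allowed = set(allowlist)
    unexpected = []
    for line in authorized_keys.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Tolerate leading options such as 'no-pty,command="..." '
        m = re.search(r"(ssh-(?:rsa|ed25519)|ecdsa-sha2-nistp\d+)\s+(\S+)", line)
        if m and m.group(2) not in allowed:
            unexpected.append(m.group(2))
    return unexpected


def triage(procs, proc_net_tcp, authorized_keys, allowlist) -> Dict[str, list]:
    """Run all three checks and return the findings keyed by indicator."""
    return {
        "deleted_exe_pids": deleted_exe_processes(procs),
        "port_listeners": listeners_on_port(proc_net_tcp),
        "unexpected_keys": unexpected_authorized_keys(authorized_keys, allowlist),
    }


# --- constructed sample data (not real captures) ---------------------------
SAMPLE_PROCS = {
    412:  {"comm": "nginx",    "exe": "/tmp/nginx (deleted)"},      # suspect
    987:  {"comm": "nginx",    "exe": "/usr/sbin/nginx"},           # legitimate
    1201: {"comm": "ifconfig", "exe": "/dev/shm/ifconfig (deleted)"},  # suspect
    55:   {"comm": "bash",     "exe": "/usr/bin/bash (deleted)"},   # deleted, but not a suspect name
}
SAMPLE_PROC_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:04D2 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0A00020F:04D2 0B00020F:C350 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
"""
SAMPLE_AUTHORIZED_KEYS = """# constructed sample
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5_CONSTRUCTED_ADMIN_KEY admin@bastion
no-pty,command="/bin/sh" ssh-rsa AAAAB3NzaC1yc2E_CONSTRUCTED_UNKNOWN_KEY
"""
SAMPLE_ALLOWLIST = ["AAAAC3NzaC1lZDI1NTE5_CONSTRUCTED_ADMIN_KEY"]

if __name__ == "__main__":
    for indicator, hits in triage(SAMPLE_PROCS, SAMPLE_PROC_NET_TCP,
                                  SAMPLE_AUTHORIZED_KEYS, SAMPLE_ALLOWLIST).items():
        print(f"{indicator}: {hits}")
```

On a live host, `procs` would be built by iterating /proc, and the other two inputs read from /proc/net/tcp and each user's authorized_keys file; the allowlist is whatever key inventory the operator already maintains. Each check alone produces false positives (a deleted nginx binary after a package upgrade, an internal service on port 1234), so the value is in correlating them.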


“Nodes in the FritzFrog network keep in close contact with each other. They constantly ping each other to verify co ..
