By Attacking Healthcare, Education, and Government Systems, FritzFrog Botnet Grew Tenfold

FritzFrog relies on an extensive dictionary for brute-force attacks to find SSH credentials.


The FritzFrog botnet, which has been active for over two years, has revived with an alarming infection rate, growing tenfold in just a month of attacking healthcare, education, and government networks via an unprotected SSH server. FritzFrog, a malware developed in Golang that was discovered in August 2020, is both a worm and a botnet that targets the government, education, and finance sectors. 

The malware fully assembles and executes the malicious payload in memory, making it volatile. Furthermore, because of its unique P2P implementation, there is no central Command & Control (C&C) server giving commands to FritzFrog. It is self-sufficient and decentralised. Although FritzFrog's brute-force tactics for breaching SSH servers are aggressive, it is surprisingly efficient at spreading its attack load evenly across a network. 

Guardicore Labs has been monitoring FritzFrog with its honeypot network for some time. "We started monitoring the campaign’s activity, which rose steadily and significantly with time, reaching an overall of 13k attacks on Guardicore Global Sensors Network (GGSN). Since its first appearance, we identified 20 different versions of the Fritzfrog binary," said the company in a report published in August 2020, authored by security researcher Ophir Harpaz.

Researchers at internet security firm Akamai discovered a new version of the FritzFrog malware, which has intriguing new features such as the use of the Tor proxy chain. The new botnet variation also reveals signs of its operators planning to enhance capabilities to target WordPress servers. 

Although the Akamai global network of sensors identified 24,000 attacks, the botnet has claimed only 1,500 victims thus far. The majority of infected hosts are in China, although affected systems can also be found in a European TV network, a Russian healthcare organisation, and other East Asian universities. The perpetrators have included a filtering list to avoid low-powered devices like Raspberry Pi boards, and the malware also includes code that lays the basis for targeting WordPress sites. 

Given that the botnet is renowned for cryptocurrency mining, this feature is an odd inclusion. However, Akamai believes that the attackers have discovered new means of monetization, such as the deployment of ransomware or data leaks. This functionality is currently dormant while it is being developed. The researchers point out that FritzFrog is always in development, with bugs being resolved on a daily basis. 

FritzFrog targets any device that exposes an SSH server, therefore administrators of data centre servers, cloud instances, and routers must be careful, according to the researchers. Some security tips from Akamai include enabling system login auditing with alerting, monitoring the authorized_hosts file on Linux, configuring an explicit allow list for SSH login, and so on.
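The login auditing that Akamai recommends is only useful if someone reads the results. As an added example (not code from the original post or from Akamai), the script below parses sshd lines in the format OpenSSH writes to auth.log, flags any source that racks up a burst of failed passwords, and notes whether that source later logged in successfully, which is the pattern a dictionary attack such as FritzFrog's would leave. The log lines, IP addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log excerpt: one source brute-forcing several
# accounts and then succeeding, one legitimate user with a single typo.
SAMPLE_LOG = """\
Feb  1 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Feb  1 10:00:02 host sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Feb  1 10:00:03 host sshd[1003]: Failed password for root from 203.0.113.5 port 40003 ssh2
Feb  1 10:00:04 host sshd[1004]: Failed password for invalid user test from 203.0.113.5 port 40004 ssh2
Feb  1 10:00:05 host sshd[1005]: Failed password for root from 203.0.113.5 port 40005 ssh2
Feb  1 10:00:06 host sshd[1006]: Accepted password for root from 203.0.113.5 port 40006 ssh2
Feb  1 10:00:07 host sshd[1007]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Feb  1 10:00:09 host sshd[1008]: Accepted publickey for alice from 198.51.100.7 port 50002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse(line, year=2022):
    """Turn one sshd auth line into a dict; syslog omits the year, so it is supplied."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}

def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Return {ip: summary} for sources with >= threshold failures inside window_s seconds."""
    events = [e for e in (parse(ln) for ln in log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["result"] == "Failed"]
        # Sliding window: does any run of failures starting at i fit inside window_s?
        burst = any(
            sum(1 for f in fails[i:] if (f["ts"] - fails[i]["ts"]).total_seconds() <= window_s) >= threshold
            for i in range(len(fails))
        )
        if not burst:
            continue
        # A success after the burst is the signal worth paging on: the dictionary worked.
        success = any(e["result"] == "Accepted" and e["ts"] > fails[0]["ts"] for e in evs)
        alerts[ip] = {"failures": len(fails), "users": sorted({e["user"] for e in fails}),
                      "success_after_failures": success}
    return alerts
```

Run against the sample, only 203.0.113.5 is reported, with five failures across three usernames and a subsequent successful password login; the single failure from 198.51.100.7 stays below the threshold.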