FritzFrog P2P Botnet Already Breached 500 SSH Servers
Cyber threats based on peer-to-peer (P2P) botnets have increased significantly in recent years. Recently, Guardicore released a report about a newly-discovered sophisticated P2P botnet.
The FritzFrog botnet
Researchers reveal details about the unique P2P botnet that drops backdoors and cryptominers on targeted systems.
- Active since January 2020, FritzFrog is a Golang-based modular, multi-threaded and fileless threat; it leaves no trace on the infected machine’s disk.
- So far, over 20 malware samples have been detected in the wild. The malware has attempted to brute-force a minimum of 500 SSH servers belonging to the government, education, financial, medical, and telecom players worldwide.
- The botnet is a decentralized one that helps it avoid having one point-of-failure, and primarily mines for Monero cryptocurrency using XMRig miner.
The researchers also found some resemblance between FritzFrog and Rakos, a previously-seen P2P botnet, first discovered in December 2016.
Recent P2P malware attack
Recent attack trends show that threat actors have improved their tactics to leverage botnets for DDoS attacks and other malicious behavior.
- In June 2020, the Mozi malware was observed targeting IoT devices, predominantly routers and DVRs, under many of its contributing families, including Mirai, Gafgyt, and IoT Reaper.
- These malware families were brought together to form a P2P botnet capable of DDoS attacks, data exfiltration, and command or payload execution.
- In April 2020, researchers identified DDG coin-mining botnet, which is thought to be the world's first P2P-based cryptomining botnet.
Guardicore Labs has developed a client program written in Golang which is capable of intercepting FritzFrog’s P2P communication, as well as joining as a network peer. Moreover, FritzFrog attacks can be prevented by using strong passwords and public key authentication. Affected users can remove FritzFrog’s public key from the authorized_keys file and also change or disable their SSH port (if the service is not in use) to fend off FritzFrog attacks.