Watch Out! FritzFrog Botnet Has Gone Aggressively Wild

The new variant 

• The new variant seems to possess additional capabilities to target WordPress servers. Further, it uses an extensive dictionary for brute-force attacks to uncover SSH credentials.
• The botnet continues to update its list of targets and breached machines. Its node distribution system makes sure to place an equal number of targets to each node for balancing the botnet.
• Researchers have spotted 24,000 attacks so far. However, the botnet has claimed only 1,500 victims. Most infected hosts are in China, along with a European TV network, a Russian healthcare firm, and multiple universities in East Asia.

New updates and abilities

• The botnet now uses a completely proprietary P2P protocol for its communications, which makes it stealthier than the previous variants.
• The attackers have used a filtering list to skip low-powered devices (e.g. Raspberry Pi boards).
• Besides the usual cryptomining, the operators are now using additional monetization methods, such as spreading ransomware or data leaks; however, these are inactive right now.
• Moreover, the copying system that was used to infect new systems is now based on Security Copy Protocol (SCP), replacing the cat command that existed in the earlier version.

A Chinese connection?

• The botnet uses unique code components, some of which can be linked with unique GitHub repositories set up by users from Shanghai.
• The wallet addresses used in mining operations were similar to the ones used by the Mozi botnet, which originated from China.
• Moreover, around 37% of all of FritzFrog's active nodes are based in China, suggesting that the attackers may be located there.

Conclusion