A peer-to-peer (P2) botnet called FritzFrog has hopped onto the scene, and researchers said it has been actively breaching SSH servers since January.
SSH servers are pieces of software found in routers and IoT devices, among other machines, and they use the secure shell protocol to accept connections from remote computers. SSH servers are common in enterprise and consumer environments alike.
According to an analysis from Guardicore Labs, FritzFrog propagates as a worm, brute-forcing credentials at entities like governmental offices, educational institutions, medical centers, banks and telecom companies. FritzFrog has attempted to compromise tens of millions of machines so far, and has successfully breached more than 500 servers in total, Guardicore researcher Ophir Harpaz said. Victims include well-known universities in the U.S. and Europe, and a railway company; and the most-infected countries are China, South Korea and the U.S.
“FritzFrog executes a worm malware which is written in Golang, and is modular, multi-threaded and fileless, leaving no trace on the infected machine’s disk,” Harpaz explained, in a posting on Wednesday. Once the server is compromised, “the malware creates a backdoor in the form of an SSH public key, enabling the attackers ongoing access to victim machines.”
It also can drop additional payloads, such as cryptominers.
Swimming in a Unique Pond
FritzFrog is a P2P botnet, meaning that it has greater resiliency than other types of botnets because control is decentralized and spread among all nodes; as such, there’s no single point-of-failure and no command-and-control server (C2).
“FritzFrog is completely proprietary; its P2P implementation was written from scratch, teaching us that the attackers are highly professional software developers,” Harpaz said. She added, “The P2P protocol is completely proprietary, relying on no known P2P protocols such as μTP.”
As far as the other technical details go, Guardicore analyzed the botnet by injecting its own nodes into the mix, giving researchers the ability to participate in the ongoing P2P traffic and see how it was built.
They discovered that almost everything about FritzFrog is unique when compared with past P2P botnets: Harpaz noted that it doesn’t use IRC like IRCflu; it operates in-memory unlike another cryptomining botnet, DDG; and runs on Unix-based machines unlike others like the InterPlanetary Storm botnet.
Additionally, its fileless payload is unusual. Harpaz wrote that files are shared over the network to both infect new machines and run new malicious payloads on compromised ones – and that this is accomplished completely in-memory using blobs.
“When a node A wishes to receive a file from its peer, node B, it can query node B which blobs it owns using the command getblobstats,” according to the researcher. “Then, node A can get a specific blob by its hash, either by the P2P command getbin or over HTTP, with the URL http://:1234/. When node A has all the needed blobs – it assembles the file using a special module named Assemble and runs it.”
One the malware is installed on a target by this method, it begins listening on port 1234, waiting for initial commands that will sync the victim with a database of network peers and brute-force targets. Once this initial syncing is finished, FritzFrog gets creative on the evasion-detection front when it comes to further communication from outside the botnet: “Instead of sending commands directly over port 1234, the attacker connects to the victim over SSH and runs a netcat client on the victim’s machine,” according to the analysis. “From this point on, any command sent over SSH will be used as netcat’s input, thus transmitted to the malware.”
Meanwhile, the botnet constantly updates itself with databases of targets and breached machines as it worms through the internet.
“Nodes in the FritzFrog network keep in close contact with each other,” Harpaz noted. “They constantly ping each other to verify connectivity, exchange peers and targets and keep each other synced. The nodes participate in a clever vote-casting process, which appears to affect the distribution of brute-force targets across the network. Guardicore Labs observed that targets are evenly distributed, such that no two nodes in the network attempt to ‘crack’ the same target machine.”
Further, it was built with an extensive dictionary of breached names and passwords for brute-forcing purposes, making it highly aggressive (“By comparison, DDG, a recently discovered P2P botnet, used only the username ‘root,'” said Harpaz).
The malware also spawns multiple threads to perform various tasks simultaneously. For instance, an IP address in the target queue will be fed to a Cracker module, which in turn will scan the machine attached to the IP address and try to brute-force it; a machine which was successfully breached is queued for malware infection by the DeployMgmt module; and a machine which was successfully infected will be added to the P2P network by the Owned module.
In the event of a reboot of the compromised system, the malware leaves a backdoor behind, whose login credentials are saved by the network peers.
“The malware adds a public SSH-RSA key to the authorized_keys file,” according to the research. “This simple backdoor allows the attackers – who own the secret private key – for passwordless authentication, in case the original password was modified.”
The malware also monitors the file system state on infected machines, periodically checking for available RAM, uptime, SSH logins and CPU-usage statistics. Other nodes take this information and uses it to determine whether to run a cryptominer or not.
If it decides to run a cryptominer, the malware runs a separate process called “libexec” to mine the Monero cryptocurrency with an XMRig spinoff. Though this secondary infection is what the botnet has so far been used for, its architecture means that it could also install any other type of malware on infected nodes, should its authors decide to do so.
In all, FritzFrog is highly advanced, Harpaz said, but there’s a simple way to ward off a compromise: “Weak passwords are the immediate enabler of FritzFrog’s attacks,” she said. “We recommend choosing strong passwords and using public key authentication, which is much safer.”
Admins should also remove FritzFrog’s public key from the authorized_keys file, preventing the attackers from accessing the machine, she said. And, “routers and IoT devices often expose SSH and are thus vulnerable to FritzFrog; consider changing their SSH port or completely disabling SSH access to them if the service is not in use.”
It’s the age of remote working, and businesses are facing new and bigger cyber-risks – whether it’s collaboration platforms in the crosshairs, evolving insider threats or issues with locking down a much broader footprint. Find out how to address these new cybersecurity realities with our complimentary Threatpost eBook, 2020 in Security: Four Stories from the New Threat Landscape, presented in conjunction with Forcepoint. We redefine “secure” in a work-from-home world and offer compelling real-world best practices. Click here to download our eBook now.