FritzFrog, a peer-to-peer Golang botnet, has resurfaced since its original discovery back in August 2020. Since December 2021, FritzFrog has been discovered to have infected over 1,500 hosts, with most of the compromised systems being in China or other East Asian countries.
FritzFrog attacks start with brute forcing SSH on the target system. If a successful login is discovered, FritzFrog will log in to the device, drop and execute a file, and then immediately start scanning thousands of internet IP addresses, looking for open ports 22 or 2222. During this infection chain, FritzFrog will also drop a Monero crypto miner on the device and start using the victim's processing power to mine cryptocurrency for the threat actor.
This newest version of FritzFrog has quite a number of differences from the campaign found in August of 2020. The copy mechanism that FritzFrog uses during the initial infection has changed, opting to use SCP to copy itself to the remote server instead of using the cat command over an established SSH session. FritzFrog has also added the capability to proxy outgoing SSH connections using the Tor proxy chain in an effort to conceal the true identity of infected systems. The malware has also added the capability to track WordPress servers to be used for follow-up attacks. While these last two functionalities have been added to FritzFrog, they do not appear to be actively used by the malware yet. This could show the threat actor’s desire to expand the botnet’s use in the future beyond just cryptomining.
It is recommended to appropriately protect SSH on any system connected to the internet. If SSH is not required to be accessible from the internet, access to the SSH port should be blocked via a firewall to prevent external brute force attacks from occurring. If it is required to be accessible from the internet, there are a number of controls that can be put into place to prevent unauthorized access. These include disabling SSH access for root, implementing passwordless login and strong key rotation management, monitoring the authorized_hosts file, and configuring an explicit allow list of IPs that can log in via SSH. Appropriate system monitoring should be in place on all systems as well, as this can help detect the behavior specific to FritzFrog. Running processes using built-in binary names of executables that no longer exist on the system, devices listening on port 1234, and TCP connections over port 5555 are all behaviors of FritzFrog that can be monitored and alerted on. Binary Defense’s Managed Detection and Response service is a great asset to assist with these types of detection needs.
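Host-side detection logic for the three indicators just listed, as an added example that is not Binary Defense's code: it parses rows in /proc/net/tcp format (a constructed sample is embedded) for a listener on port 1234 and established flows to remote port 5555, and checks /proc/<pid>/exe for processes whose executable no longer exists on disk.

```python
"""Checks for the FritzFrog host behaviours described above (added example)."""
import os
from typing import Iterable, List, Tuple

LISTEN_PORT = 1234   # FritzFrog P2P listener on the infected host
PEER_PORT = 5555     # outbound FritzFrog P2P connections
TCP_LISTEN, TCP_ESTABLISHED = "0A", "01"   # socket states as shown in /proc/net/tcp


def parse_proc_net_tcp(lines: Iterable[str]) -> Iterable[Tuple[int, int, str]]:
    """Yield (local_port, remote_port, state) from /proc/net/tcp rows; ports are hex."""
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or ":" not in parts[1]:
            continue  # header row or malformed line
        local_port = int(parts[1].rsplit(":", 1)[1], 16)
        remote_port = int(parts[2].rsplit(":", 1)[1], 16)
        yield local_port, remote_port, parts[3]


def suspicious_sockets(lines: Iterable[str]) -> List[str]:
    """Flag a local listener on tcp/1234 and any established flow to remote tcp/5555."""
    hits = []
    for lport, rport, state in parse_proc_net_tcp(lines):
        if state == TCP_LISTEN and lport == LISTEN_PORT:
            hits.append(f"listener on tcp/{LISTEN_PORT}")
        elif state == TCP_ESTABLISHED and rport == PEER_PORT:
            hits.append(f"connection to remote tcp/{PEER_PORT}")
    return hits


def deleted_exe_processes(proc_root: str = "/proc") -> List[Tuple[int, str]]:
    """Return (pid, exe link) for running processes whose binary was removed from disk.
    The kernel appends ' (deleted)' to the exe symlink target in that case."""
    if not os.path.isdir(proc_root):
        return []  # not a Linux procfs (or a constructed path); nothing to inspect
    found = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            target = os.readlink(os.path.join(proc_root, pid, "exe"))
        except OSError:
            continue  # kernel thread, exited process, or insufficient permission
        if target.endswith(" (deleted)"):
            found.append((int(pid), target))
    return found


# Constructed sample in /proc/net/tcp layout: 0x04D2 = 1234, 0x15B3 = 5555, 0x0016 = 22.
SAMPLE_PROC_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:04D2 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1
   1: 0100007F:A3F2 0A0A0A0A:15B3 01 00000000:00000000 00:00000000 00000000     0        0 2
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 3
""".splitlines()

if __name__ == "__main__":
    print(suspicious_sockets(SAMPLE_PROC_NET_TCP))   # sample rows
    print(deleted_exe_processes())                   # live host, if running on Linux
```

On a live host, pass `open("/proc/net/tcp")` (and `/proc/net/tcp6`) to `suspicious_sockets` and run `deleted_exe_processes()` as root so every process's exe link is readable.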