Threat Watch

FritzFrog Botnet

Cybersecurity researchers from Guardicore Labs have discovered a new multi-functional peer-to-peer (P2P) botnet written in the programming language Golang that has been actively targeting SSH servers since January 2020. Named “FritzFrog,” this modular, multi-threaded and fileless botnet has successfully breached over 500 servers so far, including well-known universities in the US and Europe and a railway company, according to Guardicore. In addition to implementing a P2P protocol built from scratch, the malware communicates over an encrypted channel and creates a backdoor on victims’ systems so the attackers retain access. Although Golang-based botnets have been observed before, what makes FritzFrog unique is that it is fileless, meaning it assembles and executes payloads in memory; it is also more aggressive in carrying out brute-force attacks, while remaining efficient by distributing targets evenly across the botnet.

ANALYST NOTES

The primary enabler of the FritzFrog attacks is the cracking of weak passwords. To better secure systems from this botnet, SSH server administrators should require certificate-based authentication, or strong passwords that are at least 12 characters long and use uppercase and lowercase letters, numbers, and special characters. It is also advised that, if multi-factor authentication is available, it should always be used. Routers and IoT devices that expose SSH are also vulnerable to FritzFrog, so administrators should consider changing the SSH port and limiting the range of IP addresses that can connect to it, or completely disabling SSH access if it is not in use.
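The hardening steps above map directly onto a handful of sshd_config directives. The following script is an added example (not code from the source article, from Guardicore, or from the FritzFrog research); it parses a constructed, deliberately weak sshd_config, reports which directives still permit password guessing, and emits a hardened copy. The target values (key-only authentication, no root login, a lower MaxAuthTries, and an AllowUsers source-address restriction using a constructed 10.0.0.0/8 management range) are an assumed policy, not settings taken from the page.

```python
"""Audit an OpenSSH sshd_config for the settings that matter against
SSH password-guessing botnets, and emit a hardened version.

Added example, not code from the source article or from Guardicore.
The sample config and the hardening policy below are constructed.
"""
import re

# Constructed sample sshd_config showing the weak settings a brute-forcer relies on.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication no
MaxAuthTries 6
"""

# Assumed hardening policy (hypothetical; adjust the AllowUsers range per environment).
HARDENED = {
    "PasswordAuthentication": "no",          # force key/certificate-based auth
    "ChallengeResponseAuthentication": "no", # also closes the PAM password prompt path
    "PermitRootLogin": "no",
    "PubkeyAuthentication": "yes",
    "MaxAuthTries": "3",
    "AllowUsers": "*@10.0.0.0/8",            # constructed management range
}


def parse_sshd_config(text):
    """Return {lowercased keyword: (original keyword, value)} for the first
    occurrence of each directive (sshd honours the first match), skipping
    blank and comment lines."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\S+)\s+(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        settings.setdefault(key.lower(), (key, value))  # keywords are case-insensitive
    return settings


def audit(text):
    """Return a list of (keyword, current value or None, expected value) findings."""
    settings = parse_sshd_config(text)
    findings = []
    for key, expected in HARDENED.items():
        found = settings.get(key.lower())
        current = found[1] if found else None
        if current is None or current.lower() != expected.lower():
            findings.append((key, current, expected))
    return findings


def harden(text):
    """Rewrite the config so every directive in HARDENED has its expected value,
    appending any that were absent; comments and unrelated lines are preserved."""
    wanted = {k.lower(): (k, v) for k, v in HARDENED.items()}
    out, seen = [], set()
    for line in text.splitlines():
        m = re.match(r"^\s*(\S+)\s+(.*)$", line)
        is_comment = line.lstrip().startswith("#")
        key = m.group(1).lower() if (m and not is_comment) else None
        if key in wanted:
            if key in seen:
                continue  # drop later duplicates; sshd would ignore them anyway
            seen.add(key)
            out.append(f"{wanted[key][0]} {wanted[key][1]}")
        else:
            out.append(line)
    for key, (name, value) in wanted.items():
        if key not in seen:
            out.append(f"{name} {value}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for key, current, expected in audit(WEAK_SSHD_CONFIG):
        print(f"{key}: found {current!r}, expected {expected!r}")
    print(harden(WEAK_SSHD_CONFIG))
```

Run against the constructed sample, the audit flags PasswordAuthentication, PermitRootLogin, MaxAuthTries and the missing AllowUsers line, and the hardened output passes a second audit cleanly. Disabling ChallengeResponseAuthentication alongside PasswordAuthentication matters in practice: with PAM enabled, the keyboard-interactive path can otherwise still present a password prompt. Validate any generated file with `sshd -t` before reloading the daemon, and keep a second session open while doing so.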

Source article: https://thehackernews.com/2020/08/p2p-botnet-malware.html?&web_view=true