FritzFrog, a peer-to-peer botnet written in Go, has resurfaced since its original discovery in August 2020. Since December 2021 it has infected over 1,500 hosts, most of them in China and other East Asian countries.
FritzFrog attacks start by brute forcing SSH on the target system. Once a login succeeds, FritzFrog logs in to the device, drops and executes a file, and then immediately begins scanning thousands of internet IP addresses for hosts with port 22 or 2222 open. During this infection chain, FritzFrog also drops a Monero cryptominer on the device and starts using the victim’s processing power to mine cryptocurrency for the threat actor.
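The infection chain above leaves two footprints a defender can look for: a burst of failed SSH logins from one source that ends in a successful password login, and, once the host is compromised, an outbound fan-out to many distinct destinations on ports 22 and 2222. The following is an added detection example, not code from the original article or from the FritzFrog malware itself; the auth.log and flow lines it parses are constructed samples in OpenSSH and a generic `src= dst= dport=` format, and the thresholds are illustrative assumptions to be tuned per environment.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample of OpenSSH auth.log lines (not real captured data).
# 203.0.113.5 guesses passwords and eventually gets in as root; 198.51.100.7
# is a user who typed one wrong password and then logged in with a key.
SAMPLE_AUTH_LOG = """\
Jan 10 03:12:01 web1 sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 10 03:12:02 web1 sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jan 10 03:12:02 web1 sshd[1203]: Failed password for root from 203.0.113.5 port 51238 ssh2
Jan 10 03:12:03 web1 sshd[1204]: Failed password for invalid user oracle from 203.0.113.5 port 51240 ssh2
Jan 10 03:12:04 web1 sshd[1205]: Failed password for root from 203.0.113.5 port 51242 ssh2
Jan 10 03:12:09 web1 sshd[1210]: Accepted password for root from 203.0.113.5 port 51260 ssh2
Jan 10 03:15:44 web1 sshd[1290]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Jan 10 03:15:51 web1 sshd[1291]: Accepted publickey for alice from 198.51.100.7 port 40024 ssh2
Jan 10 03:20:00 web1 sshd[1300]: Accepted publickey for deploy from 192.0.2.10 port 33000 ssh2
"""

AUTH_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) (password|publickey) for (?:invalid user )?"
    r"(\S+) from (\d+\.\d+\.\d+\.\d+) port (\d+)"
)


@dataclass
class SourceActivity:
    failures: int = 0
    usernames: set = field(default_factory=set)
    guessed_logins: list = field(default_factory=list)  # users logged in by password after failures


def analyze_auth_log(text: str, failure_threshold: int = 5, min_failures_before_success: int = 3) -> dict:
    """Flag source IPs that brute force SSH and those whose guessing ended in a login.

    Only password logins count as a 'guessed' success: a key-based login after a
    failed attempt is the normal typo-then-key pattern, not a brute-force result.
    """
    activity = defaultdict(SourceActivity)
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue
        outcome, method, user, ip, _port = m.groups()
        a = activity[ip]
        if outcome == "Failed":
            a.failures += 1
            a.usernames.add(user)
        elif method == "password" and a.failures >= min_failures_before_success:
            a.guessed_logins.append(user)

    findings = {}
    for ip, a in activity.items():
        flags = []
        if a.failures >= failure_threshold:
            flags.append("brute_force")
        if a.guessed_logins:
            flags.append("guessed_password_login")
        if flags:
            findings[ip] = {
                "flags": flags,
                "failures": a.failures,
                "usernames": sorted(a.usernames),
                "compromised_accounts": a.guessed_logins,
            }
    return findings


# Constructed outbound flow records in a generic key=value format (not real data).
# 10.0.0.12 fans out to 40 distinct hosts on 22/2222; 10.0.0.20 is ordinary traffic.
SAMPLE_FLOWS = "\n".join(
    f"2022-01-10T03:13:{i % 60:02d} src=10.0.0.12 dst=203.0.113.{i} dport={22 if i % 2 else 2222} proto=tcp"
    for i in range(1, 41)
) + (
    "\n2022-01-10T03:14:00 src=10.0.0.20 dst=192.0.2.44 dport=22 proto=tcp"
    "\n2022-01-10T03:14:01 src=10.0.0.20 dst=192.0.2.45 dport=443 proto=tcp\n"
)

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def find_ssh_scanners(text: str, ports=(22, 2222), distinct_threshold: int = 20) -> dict:
    """Return {src_ip: distinct_targets} for sources contacting many hosts on SSH ports."""
    targets = defaultdict(set)
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        if dport in ports:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= distinct_threshold}


if __name__ == "__main__":
    print(analyze_auth_log(SAMPLE_AUTH_LOG))
    print(find_ssh_scanners(SAMPLE_FLOWS))
```

The two checks are deliberately independent: the first runs on the victim's own auth log and catches the entry, the second runs on flow or firewall data and catches the host once it has turned into a scanner, which is useful when the attacker has already wiped local logs.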
This newest version of FritzFrog differs in several ways from the campaign seen in August 2020. The copy mechanism used during initial infection has changed: the malware now uses SCP to copy itself to the remote server instead of piping the binary through the cat command over an established SSH session. FritzFrog has also added the ability to proxy outgoing SSH connections through the Tor proxy chain in an effort to conceal the true identity of infected systems, and the ability to track WordPress servers for use in follow-up attacks. These last two functions are present in the code but do not yet appear to be actively used, which may indicate the threat actor’s intention to expand the botnet’s use beyond cryptomining.