FritzFrog is a peer-to-peer botnet: its command and control function is not confined to a single, centralized server but is distributed across the network, so the botnet can be controlled from any machine in it. In other words, any host running the malware process becomes a node of the network and can send, receive, and execute commands that control other machines on the network.
FritzFrog spreads via SSH. Once it has obtained a server's credentials using a simple (but aggressive) brute-force technique, it establishes an SSH session with the new victim and drops the malware executable on the host. The malware then starts listening for commands. These commands include exchanging targets, sharing details about compromised machines and transferring files, as well as executing scripts and binary payloads.
Immediately after the Guardicore Labs team (now Akamai Threat Labs) published details of the FritzFrog P2P botnet in August 2020, the botnet responsible for mass brute-force attacks on SSH servers, the team observed a sharp drop in attack activity. At the beginning of December 2021, the attacks rose sharply again.
The decentralized botnet attacks any device that exposes an SSH service to the internet, including cloud instances, servers in data centers and routers, and can run any type of malware on infected nodes.
A FritzFrog attack starts with an SSH brute-force attack and continues with a file being dropped and executed. This file immediately starts listening on port 1234 and scanning thousands of internet IP addresses on ports 22 and 2222.
One difference between the earlier FritzFrog attacks and the new wave is the name of the malicious process. In the first round of attacks, the malicious process was called ifconfig or nginx; this time the FritzFrog operators chose the name apache2.
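The two host-level indicators described above (a burst of SSH login failures from one source, followed by a process listening on TCP port 1234 under a name such as apache2, ifconfig or nginx) can be checked from an sshd auth log and from `ss -lntp` output. The Python below is an added example written for this page, not Akamai's FritzFrog detection tool; the log lines and the socket listing are constructed for illustration, and the brute-force threshold (5 failures from one source within 60 seconds) is an assumed tuning value, not a figure from the report.

```python
"""Host-side hunting checks for the FritzFrog behaviour described above.

Check 1: SSH brute force against this host, inferred from bursts of sshd
         "Failed password" lines in the auth log.
Check 2: a process listening on TCP 1234 (the P2P port) whose name matches
         one the campaign has used (apache2, ifconfig, nginx).
All sample input below is constructed for illustration, not captured data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines in syslog format (syslog timestamps carry no year).
SAMPLE_AUTH_LOG = """\
Dec  3 10:15:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Dec  3 10:15:02 web1 sshd[2103]: Failed password for root from 203.0.113.7 port 40124 ssh2
Dec  3 10:15:04 web1 sshd[2105]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Dec  3 10:15:05 web1 sshd[2107]: Failed password for invalid user ubuntu from 203.0.113.7 port 40131 ssh2
Dec  3 10:15:07 web1 sshd[2109]: Failed password for root from 203.0.113.7 port 40140 ssh2
Dec  3 10:15:09 web1 sshd[2111]: Failed password for root from 203.0.113.7 port 40142 ssh2
Dec  3 10:20:33 web1 sshd[2200]: Failed password for alice from 198.51.100.2 port 51000 ssh2
Dec  3 10:20:41 web1 sshd[2202]: Accepted publickey for alice from 198.51.100.2 port 51002 ssh2
Dec  3 11:02:15 web1 sshd[2300]: Failed password for alice from 198.51.100.2 port 51100 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failed_logins(log_text):
    """Return {source_ip: [timestamps]} for every sshd 'Failed password' line."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        # strptime fills in year 1900 for year-less syslog stamps; that is fine
        # for relative window arithmetic within a single log file.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        failures[m.group("ip")].append(ts)
    return failures


def find_brute_force_sources(log_text, threshold=5, window_seconds=60):
    """Return {source_ip: peak failures in any window} for sources at/over threshold.

    threshold and window_seconds are assumed tuning values, not report figures.
    """
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, stamps in parse_failed_logins(log_text).items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            # slide the left edge forward until the window fits
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


# Constructed output in the shape of `ss -lntp` on Linux.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=811,fd=3))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=1200,fd=6))
LISTEN 0      128    0.0.0.0:1234        0.0.0.0:*         users:(("apache2",pid=4242,fd=3))
"""

LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+\S+:(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)

FRITZFROG_P2P_PORT = 1234                       # listening port named in the report
CAMPAIGN_PROCESS_NAMES = {"apache2", "ifconfig", "nginx"}


def find_suspicious_listeners(ss_text, port=FRITZFROG_P2P_PORT):
    """Return [(process_name, pid, name_matches_campaign)] for listeners on `port`.

    A genuine apache2/nginx does not normally listen on 1234, so any hit is worth
    a look; a matching name raises the priority.
    """
    hits = []
    for line in ss_text.splitlines():
        m = LISTEN_RE.match(line)
        if m and int(m.group("port")) == port:
            name = m.group("proc")
            hits.append((name, int(m.group("pid")), name in CAMPAIGN_PROCESS_NAMES))
    return hits


if __name__ == "__main__":
    print("brute-force sources:", find_brute_force_sources(SAMPLE_AUTH_LOG))
    print("listeners on 1234:", find_suspicious_listeners(SAMPLE_SS_OUTPUT))
```

On a live host, feed `/var/log/auth.log` (or `journalctl -u ssh`) to `find_brute_force_sources` and the output of `ss -lntp` to `find_suspicious_listeners`; a hit on 1234 should then be followed by inspecting the process binary and its outbound connections to ports 22 and 2222.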
The operators have released a new version of FritzFrog that adds infrastructure for tracking WordPress servers: functions that add and remove entries in lists titled WordPress and WordPressTargetsTTL. At the time of writing this report, these lists, which are stored on all infected nodes, were still empty.
Some of the key recent observations:
- The peer-to-peer architecture and the botnet's proprietary code are of a high technical standard.
- Its propagation speed has increased 10-fold in a month, infecting servers in the healthcare, education and government sectors.
- Since the botnet was revived, 1,500 host computers have been infected, mostly in China.
- The Golang malware, spread across the internet, adds new functionality to the botnet, e.g. use of a proxy network and the targeting of WordPress servers.
- The current wave of attacks provides further clues to the origin of FritzFrog with a potential connection to an actor operating in China or claiming to be based in China.
- Akamai Threat Labs has updated the FritzFrog detection tool to combat the latest version of the malware.