Sophisticated, Fileless & Aggressive New P2P Botnet Infects Servers Worldwide
An extremely sophisticated new peer-to-peer (P2P) botnet - FritzFrog - has been breaching Secure Shell (SSH) servers around the world since January this year.
In that time it has attempted to brute-force and spread to tens of millions of IP addresses, including those of governmental offices, banks, medical centres, educational institutions and telecom companies, and has successfully breached more than 500 servers, infecting universities in Europe and the US, among others.
Researchers at security firm Guardicore Labs, who discovered the botnet, believe the attackers are high level software developers: "The malware, which is written in Golang, is completely volatile and leaves no traces on the disk. It creates a backdoor in the form of an SSH public key, enabling the attackers ongoing access to victims' machines. Since the beginning of the campaign, we identified 20 different versions of the malware executable."
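The persistence mechanism described above, an attacker-controlled public key appended to a user's `authorized_keys`, is also the most practical thing a defender can audit for. The script below is an added example, not code from the article or from Guardicore; it parses `authorized_keys` entries the way sshd does (optional restriction options, key type, base64 key blob, free-text comment), computes the same `SHA256:` fingerprint that `ssh-keygen -lf` prints, and reports any key whose fingerprint is not on an allowlist, as well as malformed lines. The sample file, the fingerprint allowlist and the key blobs are all constructed for the demonstration; the article publishes no key material or fingerprint for FritzFrog, so none is used here.

```python
import base64
import hashlib
import shlex
import struct

# Key types sshd accepts in authorized_keys; the first token matching one of
# these separates the optional restriction options from the key itself.
KEY_TYPES = (
    "ssh-ed25519", "ssh-rsa",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
)


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints (unpadded base64)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys_line(line: str):
    """Return (options, key_type, blob, comment), or None for blank/comment lines.

    Raises ValueError for a line that is not a well-formed key entry.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    # shlex handles quoted options such as command="..." or from="..."
    tokens = shlex.split(stripped)
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES:
            break
    else:
        raise ValueError("no recognised key type")
    if i + 1 >= len(tokens):
        raise ValueError("key type without key material")
    options, key_type = tokens[:i], tokens[i]
    # validate=True makes non-base64 characters an error instead of being skipped
    blob = base64.b64decode(tokens[i + 1], validate=True)
    # The blob starts with a length-prefixed copy of the key type; a mismatch
    # means the entry was hand-edited or is otherwise suspicious.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + name_len].decode("ascii", "replace")
    if embedded != key_type:
        raise ValueError(f"declared {key_type} but blob contains {embedded!r}")
    return options, key_type, blob, " ".join(tokens[i + 2:])


def audit_authorized_keys(text: str, allowed_fingerprints: set) -> list:
    """Return one finding per key not on the allowlist and per malformed line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            parsed = parse_authorized_keys_line(line)
        except ValueError as exc:
            findings.append({"line": lineno, "reason": f"malformed: {exc}",
                             "fingerprint": None, "comment": ""})
            continue
        if parsed is None:
            continue
        options, key_type, blob, comment = parsed
        fp = fingerprint(blob)
        if fp not in allowed_fingerprints:
            findings.append({"line": lineno, "reason": "fingerprint not in allowlist",
                             "fingerprint": fp, "key_type": key_type,
                             "options": options, "comment": comment})
    return findings


def _ed25519_blob(seed: int) -> bytes:
    # CONSTRUCTED test data: the 32 bytes are a hash, not a real public key.
    point = hashlib.sha256(seed.to_bytes(4, "big")).digest()
    return struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + point


ADMIN_BLOB = _ed25519_blob(1)   # the one key operations approved
ROGUE_BLOB = _ed25519_blob(2)   # an unapproved key appended to the file

# CONSTRUCTED sample authorized_keys, not taken from any real host.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not from a real host",
    f'from="10.0.0.0/8" ssh-ed25519 {base64.b64encode(ADMIN_BLOB).decode()} admin@bastion',
    f"ssh-ed25519 {base64.b64encode(ROGUE_BLOB).decode()}",   # no comment at all
    "ssh-rsa not-base64!! whatever",                            # malformed entry
])
ALLOWED_FINGERPRINTS = {fingerprint(ADMIN_BLOB)}

if __name__ == "__main__":
    for f in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWED_FINGERPRINTS):
        print(f"line {f['line']}: {f['reason']} {f['fingerprint'] or ''} {f['comment']}".rstrip())
```

In practice the allowlist is the set of fingerprints your configuration management deploys, and the audit runs over every `~/.ssh/authorized_keys` (and any `AuthorizedKeysFile` paths from `sshd_config`) on a schedule; because the malware described here keeps no file on disk, the injected key is frequently the only durable artifact left to find.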
Like other P2P botnets, FritzFrog distributes its workload across many infected nodes rather than a single one, creating a decentralised network with no single point of failure whose loss would bring down the whole botnet. P2P communication takes place over an encrypted channel that uses AES (Advanced Encryption Standard) for symmetric encryption, with the Diffie-Hellman protocol for key exchange.
Unlike many other P2P botnets, however, FritzFrog has its own unique properties.
"It is fileless, as it assembles and executes payloads in-memory," stated Guardicore researcher, Ophir Harpaz. "It is more aggressive in its brute-force attempts, yet stays efficient by distributing targets evenly within the network. Finally, FritzFrog’s P2P protocol is proprietary and is not based on any existing implementation."
Guardicore Labs are unsure of the origins of the FritzFrog botnet, but found some resemblance to Rakos, a P2P botnet discovered in Dec 2016, which infected Linux servers and Linux-based IoT devices.