
Sophisticated, Fileless & Aggressive New P2P Botnet Infects Servers Worldwide

Giulio Saggin
Tuesday, 28 November 2023

A sophisticated new peer-to-peer (P2P) botnet, FritzFrog, has been breaching Secure Shell (SSH) servers around the world since January 2020.

In that time it has attempted to brute-force its way into tens of millions of IP addresses, including those of government offices, banks, medical centers, educational institutions and telecom companies, and has successfully breached more than 500 servers, among them universities in Europe and the US.

Researchers at security firm Guardicore Labs, who discovered the botnet, believe the attackers are high-level software developers: "The malware, which is written in Golang, is completely volatile and leaves no traces on the disk. It creates a backdoor in the form of an SSH public key, enabling the attackers ongoing access to victims' machines. Since the beginning of the campaign, we identified 20 different versions of the malware executable."
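The practical consequence of that backdoor is that the persistence artefact is a single line in an authorized_keys file, which a disk scan for malware binaries will never find. The following is an added example, not Guardicore's code or anything from their report: it parses OpenSSH authorized_keys entries, computes the same SHA256 fingerprint that `ssh-keygen -lf` prints, and reports every key that is not on a known-good allowlist. The key blobs and the sample file are constructed for the example, and the allowlist is assumed to be maintained out of band (for instance from your provisioning system).

```python
"""Audit OpenSSH authorized_keys files for keys that are not on an allowlist.

Added example (not Guardicore's code): flags entries whose SHA256 fingerprint
is not in a known-good set, so an injected backdoor key stands out.
"""
import base64
import binascii
import hashlib
import re

# Key-type token, then the base64 blob, then an optional comment. Whatever
# precedes the match is the options field (command="...", no-pty, ...).
KEY_RE = re.compile(
    r"(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521)|sk-[\w.-]+@openssh\.com)"
    r"\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$"
)


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints (base64 without padding)."""
    raw = base64.b64decode(blob_b64, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list:
    """Parse one authorized_keys file; unparseable non-comment lines are kept and marked."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        m = KEY_RE.search(s)
        entry = {"line": lineno, "raw": s}
        if m is None:
            entry["error"] = "unparseable entry"
        else:
            entry["type"] = m.group(1)
            entry["options"] = s[: m.start(1)].strip()
            entry["comment"] = (m.group(3) or "").strip()
            try:
                entry["fingerprint"] = fingerprint(m.group(2))
            except (binascii.Error, ValueError):
                entry["error"] = "malformed key blob"
        entries.append(entry)
    return entries


def audit(text: str, allowlist: set) -> list:
    """Return entries to investigate: fingerprint not on the allowlist, or not parseable."""
    return [e for e in parse_authorized_keys(text) if e.get("fingerprint") not in allowlist]


def audit_file(path: str, allowlist: set) -> list:
    """Audit a real file, e.g. /root/.ssh/authorized_keys (read as root)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit(fh.read(), allowlist)


# Constructed dummy key blobs with valid OpenSSH wire-format headers; not real keys.
KEY_ALICE = "AAAAC3NzaC1lZDI1NTE5AAAAI" + "A" * 43
KEY_BACKUP = "AAAAB3NzaC1yc2EAAAADAQABAAABAQ" + "C" * 34
KEY_UNKNOWN = "AAAAC3NzaC1lZDI1NTE5AAAAI" + "B" * 43

SAMPLE_AUTHORIZED_KEYS = f"""\
# constructed sample file, not taken from a real host
ssh-ed25519 {KEY_ALICE} alice@workstation
command="/usr/bin/backup",no-pty ssh-rsa {KEY_BACKUP} backup@bastion
ssh-ed25519 {KEY_UNKNOWN} unknown-key
"""

if __name__ == "__main__":
    allow = {fingerprint(KEY_ALICE), fingerprint(KEY_BACKUP)}
    for e in audit(SAMPLE_AUTHORIZED_KEYS, allow):
        print(f"line {e['line']}: {e.get('fingerprint', e.get('error'))} {e.get('comment', '')}")
```

Run it as root over /root/.ssh/authorized_keys, every user's ~/.ssh/authorized_keys and any extra paths named by AuthorizedKeysFile in sshd_config. A key nobody can attribute is the lead; removing it is not enough on its own, because the same access that planted it can plant it again, so pair the finding with a process-level check of the host.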

Like other P2P botnets, FritzFrog distributes its workload across many infected nodes rather than relying on a central command-and-control server, creating a decentralised network with no single point of failure whose loss would bring the whole network down. P2P communication runs over an encrypted channel: AES (Advanced Encryption Standard) provides the symmetric encryption and the Diffie-Hellman protocol the key exchange.

FritzFrog also has properties that set it apart from most other P2P botnets.

"It is fileless, as it assembles and executes payloads in-memory," stated Guardicore researcher, Ophir Harpaz. "It is more aggressive in its brute-force attempts, yet stays efficient by distributing targets evenly within the network. Finally, FritzFrog’s P2P protocol is proprietary and is not based on any existing implementation."
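Because the payload is assembled and executed in memory, file-based scanning has nothing to find; what remains visible is the running process. The following added example (not Guardicore's tooling, and not tied to any FritzFrog-specific indicator) walks /proc and flags the two telltale signs of in-memory execution on Linux: an executable whose backing file has been unlinked (the /proc/<pid>/exe link ends in " (deleted)") and a memfd_create()-backed binary (the link resolves to "/memfd:<name> (deleted)"). It also flags binaries executing from tmpfs or world-writable directories and, as a lower-confidence lead, processes whose comm name does not match their executable. The snapshot of processes, pids and paths is constructed for the example.

```python
"""Hunt for fileless or masquerading processes on Linux via /proc.

Added example, not Guardicore's code. Facts relied on: /proc/<pid>/exe resolves
to the executable's path and gains a " (deleted)" suffix once that file is
unlinked; a binary run from memfd_create() resolves to "/memfd:<name> (deleted)";
/proc/<pid>/comm is the executed filename's basename truncated to 15 bytes
unless the process renamed itself with prctl(PR_SET_NAME).
"""
import os
from typing import Iterable, Optional

# Writable locations a server daemon has no business executing from (assumption: tune per host).
SUSPICIOUS_DIRS = ("/dev/shm/", "/run/shm/", "/tmp/", "/var/tmp/")


def classify_exe_target(target: str) -> Optional[str]:
    """Reason string for a suspicious /proc/<pid>/exe target, or None if it looks ordinary."""
    if target.startswith("/memfd:"):
        return "memfd-backed executable, no file on disk"
    if target.endswith(" (deleted)"):
        return "executable unlinked from disk after exec"
    for d in SUSPICIOUS_DIRS:
        if target.startswith(d):
            return f"executable runs from writable/tmpfs path {d}"
    return None


def name_mismatch(comm: str, target: str) -> bool:
    """True when comm does not match the executable's basename (first 15 bytes).

    Low confidence on its own: binaries reached through a symlink (python3 ->
    python3.11) also mismatch, so treat hits as leads to verify, not verdicts.
    """
    path = target[: -len(" (deleted)")] if target.endswith(" (deleted)") else target
    return comm != os.path.basename(path)[:15]


def scan_snapshot(snapshot: Iterable[tuple]) -> list:
    """Evaluate (pid, comm, exe_target) triples and return the findings in input order."""
    findings = []
    for pid, comm, target in snapshot:
        reason = classify_exe_target(target)
        if reason is None and name_mismatch(comm, target):
            reason = "comm does not match executable basename (low confidence)"
        if reason:
            findings.append({"pid": pid, "comm": comm, "exe": target, "reason": reason})
    return findings


def live_snapshot(proc_root: str = "/proc"):
    """Yield (pid, comm, exe) for every visible process; run as root to see other users' exe links."""
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, pid, "exe"))
            with open(os.path.join(proc_root, pid, "comm")) as fh:
                comm = fh.read().rstrip("\n")
        except OSError:  # process exited, kernel thread (no exe), or permission denied
            continue
        yield pid, comm, target


# Constructed snapshot; pids, names and paths are made up for the example.
SAMPLE_SNAPSHOT = [
    ("1", "systemd", "/usr/lib/systemd/systemd"),
    ("812", "sshd", "/usr/sbin/sshd"),
    ("4242", "nginx", "/memfd:nginx (deleted)"),
    ("4310", "ifconfig", "/tmp/.x (deleted)"),
    ("4398", "kworker", "/dev/shm/.cache/update"),
    ("5001", "sshd", "/usr/lib/libexec/miner"),
]

if __name__ == "__main__":
    for f in scan_snapshot(SAMPLE_SNAPSHOT):  # swap in live_snapshot() on a real host
        print(f"pid {f['pid']:>6} {f['comm']:<15} {f['exe']}  <- {f['reason']}")
```

On a live host the interesting follow-up for a memfd or deleted-executable hit is to copy /proc/<pid>/exe to safe storage before killing the process, since that link is the only remaining handle on the binary; once the process is gone, so is the sample.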

Guardicore Labs is unsure of FritzFrog's origins, but found some resemblance to Rakos, a P2P botnet discovered in December 2016 that infected Linux servers and Linux-based IoT devices.

Read Guardicore Labs' full report.

© 2024 SecAlerts Pty Ltd.