National CSIRT-CY | National Computer Security Incident Response Team of Cyprus

The National Computer Security Incident Response Team provides for increased cyber security by strengthening the protection of the cyberspace of the National Critical Information Infrastructures, the banks and the communication providers of the Republic of Cyprus.

FritzFrog malware attacks Linux servers over SSH to mine Monero

19 August 2020

A sophisticated botnet campaign named FritzFrog has been discovered breaching SSH servers around the world, since at least January 2020. Written in Golang, FritzFrog is both a worm and a botnet that targets government, education, and finance sectors.

The attack has already infiltrated over 500 servers in the U.S. and Europe, including those of universities and a railway company.

The advanced nature of FritzFrog lies in its proprietary and fileless P2P implementation written from scratch.

Fileless, serverless yet so efficient

The malware assembles and executes the malicious payload entirely in-memory, making it volatile.

Moreover, its custom P2P implementation means there is no single Command & Control (C&C) server sending instructions to FritzFrog. It’s decentralized and self-sufficient.

Despite the aggressive brute-force tactics employed by FritzFrog to breach SSH servers, it is strangely efficient, spreading its attempts evenly across a target network.

Guardicore Labs has been keeping tabs on FritzFrog for the past few months using their honeypot network.

“We started monitoring the campaign’s activity, which rose steadily and significantly with time, reaching an overall of 13k attacks on Guardicore Global Sensors Network (GGSN). Since its first appearance, we identified 20 different versions of the Fritzfrog binary,” states the company in a newly published report authored by security researcher Ophir Harpaz.

In their quest to identify a centralized C&C architecture powering the botnet, the company soon realized there was none.

To better understand FritzFrog and its capabilities, Guardicore Labs designed an interceptor written in Golang called frogger which could participate in malware’s key-exchange process and both receive and send commands.

“This program, which we named frogger, allowed us to investigate the nature and scope of the network. Using frogger, we were also able to join the network by ‘injecting’ our own nodes and participating in the ongoing P2P traffic,” states the report.

That is how Guardicore Labs deduced the malware campaign had brute-forced access to millions of SSH IP addresses belonging to institutions like medical centers, banks, telecom companies, and educational and governmental organizations.

FritzFrog attack mechanics

Because most enterprise firewalls and endpoint security products are readily suspicious of irregular ports, FritzFrog does not use a non-standard port outright.

As Guardicore Labs explained, the malware first tries connecting to a target server over SSH port 22 or 2222. Once in, it adds the attacker’s public SSH key to the authorized_keys file on the compromised machine.

FritzFrog then launches a netcat client on port 1234 on the compromised server, which connects back to the malware’s server.

“From this point on, any command sent over SSH will be used as netcat’s input, thus transmitted to the malware,” states the report published by Guardicore Labs.


FritzFrog attack workflow uses netcat on a compromised server

FritzFrog also communicates over an encrypted channel with over 30 commands (shown below).

The malware uses the Diffie-Hellman algorithm for its secret key exchange functionality.

Commands and responses are sent as serialized JSON objects. Before the data is transferred between nodes, it is encrypted symmetrically using AES and then base64-encoded.

Nodes in the FritzFrog botnet regularly ping each other to ensure connectivity and stay synchronized. A state-of-the-art “vote-casting” process employed by the nodes efficiently distributes the workload so that no two nodes would be brute-forcing the same target machine at a given time.


Commands used by FritzFrog botnet

FritzFrog is a persistent cryptominer

Once in the volatile memory of a target machine, the malware spawns multiple threads which in turn facilitate the malware’s replication, deployment, and growth.

For example, one of the spawned threads (“Cracker”) is tasked with brute-forcing other targets, another one called “DeployMgmt” deploys the malware on successfully breached systems, while yet another (“Owned”) adds the infected node to the P2P network.

Moreover, FritzFrog eliminates competition with its thread “Antivir” trying to kill CPU-intensive processes which have references to “XMR” (Monero).

That’s because it’s got an agenda of its own: to deploy a “libexec” thread on the system, which is a Monero cryptominer.

“The miner is based on the popular XMRig miner and connects to the public pool web.xmrpool.eu over port 5555,” states Guardicore Labs’ report.

With such advanced, self-contained capabilities, FritzFrog is therefore both a worm and a botnet.

To ensure persistence after boot, the malware already has a backdoor: the SSH public key it had previously added to the authorized_keys file.

The entire botnet uses the same public SSH key, shown below, which is one of the Indicators of Compromise (IOCs):

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJYZIsncBTFc+iCRHXkeGfFA67j+kUVf7h/IL+sh0RXJn7yDN0vEXz7ig73hC//2/71sND+x+Wu0zytQhZxrCPzimSyC8FJCRtcqDATSjvWsIoI4j/AJyKk5k3fCzjPex3moc48TEYiSbAgXYVQ62uNhx7ylug50nTcUH1BNKDiknXjnZfueiqAO1vcgNLH4qfqIj7WWXu8YgFJ9qwYmwbMm+S7jYYgCtD107bpSR7/WoXSr1/SJLGX6Hg1sTet2USiNevGbfqNzciNxOp08hHQIYp2W9sMuo02pXj9nEoiximR4gSKrNoVesqNZMcVA0Kku01uOuOBAOReN7KJQBt
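A defender can turn the published key into a host check. The script below is an added example written for this page, not Guardicore Labs’ detection script: it scans authorized_keys content for the key above (compared on its decoded bytes, so a different comment or options field on the line does not hide it), decodes the OpenSSH wire format to confirm the key type and size, and prints an ssh-keygen-style SHA256 fingerprint for the finding. The sample authorized_keys content and the all-zero ed25519 key in it are constructed; the file paths in scan_host are the usual OpenSSH defaults and are an assumption about the host being checked.

```python
"""Scan authorized_keys content for the FritzFrog backdoor key IoC (added example)."""
import base64
import glob
import hashlib
import re
import struct

# The public key published as a FritzFrog IoC, with the article's line
# wrapping removed so the base64 blob is contiguous (279 bytes decoded).
FRITZFROG_IOC_KEY_BLOB = (
    "AAAAB3NzaC1yc2EAAAADAQABAAABAQDJYZIsncBTFc+iCRHXkeGfFA67j+kUVf7h/IL+sh0RXJn"
    "7yDN0vEXz7ig73hC//2/71sND+x+Wu0zytQhZxrCPzimSyC8FJCRtcqDATSjvWsIoI4j/AJyKk5"
    "k3fCzjPex3moc48TEYiSbAgXYVQ62uNhx7ylug50nTcUH1BNKDiknXjnZfueiqAO1vcgNLH4qfq"
    "Ij7WWXu8YgFJ9qwYmwbMm+S7jYYgCtD107bpSR7/WoXSr1/SJLGX6Hg1sTet2USiNevGbfqNzci"
    "NxOp08hHQIYp2W9sMuo02pXj9nEoiximR4gSKrNoVesqNZMcVA0Kku01uOuOBAOReN7KJQBt"
)

# Key-type token followed by the base64 blob. An options field such as
# no-pty,command="..." may precede the key type, so search rather than match.
KEY_RE = re.compile(
    r"(?P<type>ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521)|sk-[\w.@-]+)"
    r"\s+(?P<blob>[A-Za-z0-9+/]+=*)"
)


def parse_ssh_pubkey(blob_b64):
    """Decode an OpenSSH public key blob into (key_type, [remaining fields]).

    The wire format is a sequence of length-prefixed strings (RFC 4253); for
    ssh-rsa the fields after the type are the exponent e and the modulus n.
    """
    raw = base64.b64decode(blob_b64, validate=True)
    fields, off = [], 0
    while off < len(raw):
        (n,) = struct.unpack(">I", raw[off:off + 4])
        off += 4
        fields.append(raw[off:off + n])
        off += n
    return fields[0].decode("ascii"), fields[1:]


def rsa_modulus_bits(fields):
    """Bit length of the RSA modulus from the parsed (e, n) fields."""
    _e, n = fields
    return int.from_bytes(n, "big").bit_length()


def sha256_fingerprint(blob_b64):
    """SHA256 fingerprint in the format printed by `ssh-keygen -lf`."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def scan_authorized_keys(text, ioc_blobs=(FRITZFROG_IOC_KEY_BLOB,)):
    """Return [(line_no, key_type, fingerprint)] for lines carrying an IoC key."""
    ioc_raw = {base64.b64decode(b) for b in ioc_blobs}
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m:
            continue
        try:
            raw = base64.b64decode(m.group("blob"), validate=True)
        except ValueError:
            continue  # malformed blob: sshd would not accept it as a key either
        if raw in ioc_raw:
            hits.append((line_no, m.group("type"), sha256_fingerprint(m.group("blob"))))
    return hits


def scan_host(patterns=("/root/.ssh/authorized_keys", "/home/*/.ssh/authorized_keys")):
    """Scan the default OpenSSH authorized_keys locations (assumed paths)."""
    findings = {}
    for pattern in patterns:
        for path in glob.glob(pattern):
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_authorized_keys(fh.read())
            except OSError:
                continue
            if hits:
                findings[path] = hits
    return findings


def make_blob(key_type, *fields):
    """Build a base64 OpenSSH blob from raw fields (used for the constructed sample)."""
    raw = b"".join(struct.pack(">I", len(f)) + f for f in (key_type.encode(),) + fields)
    return base64.b64encode(raw).decode("ascii")


# Constructed sample file: one obviously fake (all-zero) ed25519 key, then the
# IoC key hidden behind an options field and a harmless-looking comment.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample for this example",
    "ssh-ed25519 " + make_blob("ssh-ed25519", bytes(32)) + " admin@example.invalid",
    'no-pty,command="/usr/bin/true" ssh-rsa ' + FRITZFROG_IOC_KEY_BLOB + " backup",
])

if __name__ == "__main__":
    for path, hits in scan_host().items():
        for line_no, key_type, fp in hits:
            print(f"{path}:{line_no}: {key_type} {fp} matches the FritzFrog IoC key")
```

Run as root so that every user’s authorized_keys is readable; a hit means the host needs the incident-response treatment described in the report rather than a quiet key deletion, since the key is only the persistence mechanism and the in-memory payload and the Monero miner may still be running.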

When a need arises to share files among nodes, the malware uses a ‘fileless’ approach. It carefully splits files into binary blobs with checksums in place to ensure their integrity, and transmits these instead, as the report explains:

“To share and exchange files between nodes, Fritzfrog uses a stealthy, fileless approach. Files are split into blobs – bulks of binary data – which are kept in memory. The malware keeps track of the available blobs by storing them in a map together with each blob’s hash value.”


FritzFrog file sharing via ‘fileless’ binary blobs

Each P2P node can survey another for the list of blobs it holds (representing files) via the getblobstats command.

On receiving the response with a list of blob hashes, a node can then retrieve each blob from the other node by making a request to http://[IP of the node with the blob]:1234/[blob hash].

One by one, all the blobs are received in this manner by the requestor node and joined together to produce a file. This is done by the “Assemble” thread.
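To reason about what this exchange looks like and why the hashes matter, here is an added analyst’s model of the blob mechanism described above. It is not FritzFrog’s code: SHA-256 is an assumption (the report as quoted here does not name the hash function), a Python dict stands in for the in-memory blob map, and a direct method call stands in for the HTTP request to http://[node]:1234/[blob hash]. The sample data is constructed. The assemble step refuses to produce a file when a blob is missing or its bytes no longer match the advertised hash, which is the integrity property the report describes.

```python
"""Model of hash-addressed blob exchange with integrity checks (added example)."""
import hashlib


def blob_hash(chunk):
    """Content address of a blob; SHA-256 is an assumption of this model."""
    return hashlib.sha256(chunk).hexdigest()


class Node:
    """A peer keeping blobs in memory, keyed by each blob's hash."""

    def __init__(self):
        self.blobs = {}

    def store_file(self, data, blob_size):
        """Split data into blobs and keep them; return the ordered hash list.

        The returned list is the 'manifest' a requester needs, because the
        blob map alone is unordered and identical chunks share one entry.
        """
        order = []
        for i in range(0, len(data), blob_size):
            chunk = data[i:i + blob_size]
            h = blob_hash(chunk)
            self.blobs[h] = chunk
            order.append(h)
        return order

    def getblobstats(self):
        """Hashes of every blob this node can serve (models the getblobstats reply)."""
        return sorted(self.blobs)

    def getblob(self, h):
        """Serve one blob by hash (models GET /[blob hash] on port 1234)."""
        return self.blobs.get(h)


def assemble(order, peer):
    """Fetch blobs in manifest order from peer, verify each, and join them.

    Raises ValueError on a missing or corrupted blob so that a truncated or
    tampered transfer never yields a silently wrong file.
    """
    parts = []
    offered = set(peer.getblobstats())
    for h in order:
        if h not in offered:
            raise ValueError(f"blob {h[:12]} not offered by peer")
        chunk = peer.getblob(h)
        if chunk is None or blob_hash(chunk) != h:
            raise ValueError(f"blob {h[:12]} failed integrity check")
        parts.append(chunk)
    return b"".join(parts)


def demo(tamper=False):
    """Round-trip a constructed payload; optionally corrupt one blob in transit."""
    sender = Node()
    payload = b"constructed payload bytes " * 3
    manifest = sender.store_file(payload, blob_size=8)
    if tamper:
        first = manifest[0]
        sender.blobs[first] = b"X" + sender.blobs[first][1:]  # bytes no longer match hash
    return assemble(manifest, sender)


if __name__ == "__main__":
    print(demo())
    try:
        demo(tamper=True)
    except ValueError as err:
        print("rejected:", err)
```

Two things the model makes visible for detection work: a node answers getblobstats with nothing but hashes, so the catalogue of a peer is just a list of opaque digests, and any blob whose bytes are altered in transit is dropped rather than assembled, so interfering with the transfer does not corrupt the malware, it merely stalls it.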

Detection and remediation

According to the researchers at Guardicore Labs, the malware is unique in its distributed nature.

While other botnets such as IRCflu have relied on IRC, or, like DDG, have operated using files on disk, FritzFrog exhibits neither behavior.

The report does acknowledge, however, “If any, it bears some resemblance – especially with regards to function naming and version numbers – to Rakos, a P2P botnet written in Golang and analyzed by ESET back in 2016.”

Guardicore Labs has provided a simple script that can be used to detect FritzFrog infections. Both the script and a list of FritzFrog IoCs have been published on GitHub.

“FritzFrog takes advantage of the fact that many network security solutions enforce traffic only by the port and protocol. To overcome this stealth technique, process-based segmentation rules can easily prevent such threats,” concludes their report.

The information contained in this website is for general information purposes only. The information is gathered from BLEEPING COMPUTER, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.  Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.
