Analysis

FritzFrog, a decentralized botnet that targets any device exposing an SSH server (cloud instances, data center servers, routers, etc.) and is capable of running any malicious payload on infected nodes, has resurfaced after more than a year to compromise servers belonging to entities in the healthcare, education, and government sectors within a span of a month, infecting a total of 1,500 hosts.

The new wave of attacks commenced in early December 2021, only to pick up pace and register a 10x growth in its infection rate in a month’s time, while peaking at 500 incidents per day in January 2022.

FritzFrog relies on the ability to share files over the network, both to infect new machines and to run malicious payloads, such as the Monero crypto miner.

The botnet’s peer-to-peer (P2P) architecture makes it resilient in that every compromised machine in the distributed network can act as a command-and-control (C2) server as opposed to a single, centralized host. What’s more, the reappearance of the botnet has been accompanied by new additions to its functionality, including the usage of a proxy network and the targeting of WordPress servers.

The infection chain propagates over SSH to drop a malware payload that then executes instructions received from the C2 server to run additional malware binaries as well as gather system information and files, before exfiltrating them back to the server.

Affected Sectors

  • Healthcare
  • Education
  • Government Sectors

Mitigation

  1. Get your password security under control (e.g. 2FA).
  2. Avoid installing third-party software.
  3. Keep software patched and updated.
  4. Perform regular system backups.
  5. Quarantine suspicious emails.
  6. Install anti-virus software.
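To show what the SSH propagation described above looks like from the defender's side, here is an added Python example (not from the page or from the FritzFrog research) that scans sshd auth-log lines for a password-guessing burst followed by a successful password login from the same source; the log lines, IP addresses and thresholds are constructed sample values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (not from the page): a password-guessing
# burst from one source followed by a successful login, the trace a worm
# spreading over SSH with weak credentials would leave behind.
SAMPLE_AUTH_LOG = """\
Jan 12 03:14:01 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 51001 ssh2
Jan 12 03:14:02 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Jan 12 03:14:02 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 51003 ssh2
Jan 12 03:14:03 web1 sshd[2207]: Failed password for invalid user oracle from 203.0.113.7 port 51004 ssh2
Jan 12 03:14:04 web1 sshd[2209]: Failed password for root from 203.0.113.7 port 51005 ssh2
Jan 12 03:14:05 web1 sshd[2211]: Accepted password for root from 203.0.113.7 port 51006 ssh2
Jan 12 03:20:11 web1 sshd[2300]: Accepted publickey for deploy from 198.51.100.5 port 40022 ssh2
Jan 12 03:21:00 web1 sshd[2310]: Failed password for deploy from 198.51.100.5 port 40023 ssh2
"""

# Matches the standard OpenSSH "Accepted/Failed <method> for [invalid user] <user> from <ip>" line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse(log_text, year=2022):
    """Yield (timestamp, result, method, user, ip) for each sshd auth line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["method"], m["user"], m["ip"]

def find_bruteforce_logins(log_text, threshold=5, window_sec=300):
    """Return {ip: (failure_count, user)} for every source whose password login
    succeeded after at least `threshold` failures within `window_sec` seconds."""
    failures = defaultdict(list)
    hits = {}
    for ts, result, method, user, ip in parse(log_text):
        if result == "Failed":
            failures[ip].append(ts)
        elif method == "password":  # key-based logins are not password guessing
            recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_sec]
            if len(recent) >= threshold:
                hits[ip] = (len(recent), user)
    return hits
```

Feeding a real /var/log/auth.log to find_bruteforce_logins flags only sources that guessed their way in, which is the event worth alerting on rather than the failures alone.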

References

  1. https://thehackernews.com/2022/02/fritzfrog-p2p-botnet-attacking.html
  2. https://otx.alienvault.com/indicator/domain/fritzfrog.com