Researchers at Guardicore have identified a peer-to-peer (P2P) botnet, dubbed FritzFrog, that has been brute-forcing SSH servers since January 2020. Once a server is breached, the worm runs malicious payloads that expand the botnet by compromising additional devices and drop a cryptominer. Strong SSH passwords are recommended: the botnet works from a dictionary of credentials, so weak passwords are far more likely to be breached.
Technical detail and additional information
What is the threat?
The FritzFrog botnet attempts to breach Unix-based devices over SSH using an extensive dictionary of usernames and passwords. Once a device is breached, the malware is unpacked, executed in memory and its file immediately erased from disk to avoid detection. It runs as processes named nginx and ifconfig and listens for commands on TCP port 1234. Because a firewall may block inbound connections to that port, the attackers can instead connect over SSH and run a netcat client on the device that connects to the local port 1234, so commands and payloads from the botnet still reach the malware. The malware also appends its own public SSH-RSA key to the compromised account's authorized_keys file, so that access survives a password change. Once established, the malware periodically monitors system resources to decide whether the host will be used for cryptomining or remain a pure peer in the FritzFrog network, distributing commands and breaching new devices.
Why is this noteworthy?
FritzFrog is noteworthy for two reasons. First, it is fileless: the malware is assembled from chunks of binary data that are kept in memory and never stored on disk as a whole, which evades disk-based detection. Second, it is proprietary: the protocols it uses are unique to the botnet and had not been observed in the wild before, indicating sophisticated attackers with software development experience. Because FritzFrog is P2P, there is no single server that can be taken down to stop the botnet. All infected devices are in constant communication to relay status, and the work, both cryptomining on capable devices and breaching new devices with the credential dictionary, is divided among them so that tasks are completed efficiently and without repetition.
What is the exposure or risk?
FritzFrog has attempted to breach millions of SSH servers and has succeeded on at least 500. Successfully breached servers remain accessible to the attackers for as long as the planted public key stays in authorized_keys, whether or not the password is changed. Because it is fileless and modular, the malware leaves no trace on the device's disk and evades traditional antivirus applications. Victims include educational institutions and a railway company, among others, in the US, Europe and China.
What are the recommendations?
SKOUT recommends the following to prevent similar attacks from succeeding on devices in your environment:
- Ensure strong, unique passwords are in place for every SSH-accessible account; FritzFrog works from a dictionary, so any password found in a common wordlist should be treated as already breached
- Where possible, use key-based authentication and disable SSH password authentication in sshd, which defeats dictionary attacks regardless of password strength
- Disable SSH where it is not needed; where it is needed, restrict it to known source addresses. Moving SSH off the default port only reduces scanner noise and is not a substitute for the controls above
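The following script is an added example for this advisory, not SKOUT's or Guardicore's tooling. It audits an sshd_config for the settings that let an SSH dictionary attack succeed (password authentication left on, root password login allowed, many guesses per connection) and prints the hardened fragment that replaces them. The option defaults follow OpenSSH; the sample config, file paths and chosen values are assumptions.

```shell
#!/bin/sh
# Added example for this advisory, not SKOUT's or Guardicore's tooling: audit an
# sshd_config for the settings that let an SSH dictionary attack succeed, and
# print a hardened fragment. Option defaults follow OpenSSH; file paths and the
# sample config are assumptions/constructed.

# Print the value sshd would use for option $2 in config file $1, or default $3.
# sshd takes the FIRST occurrence of a keyword; keywords and yes/no values are
# case-insensitive; "Key=Value" is accepted; directives after a Match line are
# conditional and are ignored here (use `sshd -T` for the effective config).
sshd_opt() {
    val=$(awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        $1 ~ /=/ { sub(/=/, " ") }
        tolower($1) == "match" { exit }
        tolower($1) == key && !seen { v = tolower($2); seen = 1 }
        END { print v }' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# Report weak settings in config file $1. Returns 0 when clean, 1 on findings.
audit_sshd_config() {
    cfg=$1; rc=0
    if [ "$(sshd_opt "$cfg" PasswordAuthentication yes)" != "no" ]; then
        echo "FINDING: PasswordAuthentication enabled; a password dictionary can be tried"; rc=1
    fi
    if [ "$(sshd_opt "$cfg" PermitRootLogin prohibit-password)" = "yes" ]; then
        echo "FINDING: PermitRootLogin yes; root's password can be brute-forced directly"; rc=1
    fi
    if [ "$(sshd_opt "$cfg" PubkeyAuthentication yes)" != "yes" ]; then
        echo "FINDING: PubkeyAuthentication disabled; nothing to replace passwords with"; rc=1
    fi
    tries=$(sshd_opt "$cfg" MaxAuthTries 6)
    if [ "$tries" -gt 3 ]; then
        echo "FINDING: MaxAuthTries $tries; each connection allows many guesses"; rc=1
    fi
    return $rc
}

# Hardened fragment (assumed values). Install it, check with `sshd -t`, verify
# that key login works from a second session, then reload sshd.
hardened_sshd_fragment() {
    cat <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
MaxAuthTries 3
LoginGraceTime 30
EOF
}

demo() {
    weak=$(mktemp)
    # Constructed config resembling a stock install, not a real host.
    printf 'PermitRootLogin yes\nPasswordAuthentication yes\nMaxAuthTries 6\n' > "$weak"
    if audit_sshd_config "$weak"; then
        echo "no findings"
    else
        echo "-> replace with:"; hardened_sshd_fragment
    fi
    rm -f "$weak"
}
demo
```

Run it against /etc/ssh/sshd_config on the host; for the settings sshd actually applies (including Match blocks and distribution drop-ins under sshd_config.d) compare with `sshd -T`. Keep a second session open while turning password authentication off, so a broken key setup does not lock you out.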
If you believe your SSH server(s) may have been breached, Guardicore has released a detection tool along with Indicators of Compromise (IOCs) at https://github.com/guardicore/labs_campaigns/blob/master/FritzFrog/README.md. The tool checks for running processes associated with the worm (the nginx and ifconfig process names described above) and for a listener on TCP port 1234. If both conditions are met, the machine is likely infected and should be remediated. On exploited devices, users should:
- Kill the related processes
- Remove the attacker's public key from the affected account's authorized_keys file; while it remains, access persists even after a password change
- Block TCP ports 1234 (the botnet's command port) and 5555
- Block the domain xmrpool[.]eu
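As an added example of the checks described above (not Guardicore's detection script or SKOUT's tooling), the script below looks for a process named nginx or ifconfig listening on TCP 1234 in `ss -tlnp` style output, and for authorized_keys entries that are not on an approved list, which is how the botnet keeps access after a password change. The listener table, key files and paths are constructed or assumed; the key material is placeholder text, not real keys.

```shell
#!/bin/sh
# Added example for this advisory, not Guardicore's detection script or SKOUT's
# tooling: look for the two indicators described above (a process named nginx
# or ifconfig listening on TCP 1234) and for SSH keys nobody approved, which is
# how access survives a password change. Sample data is constructed.

# $1 = listener table in `ss -Htlnp` format (field 4 is the local address).
# Prints matching lines; exit 0 if a suspicious listener exists, 1 otherwise.
# A genuine nginx on 80/443 is not reported: port and name must both match.
find_fritzfrog_listener() {
    printf '%s\n' "$1" | awk '
        $4 ~ /:1234$/ && $0 ~ /users:\(\("(nginx|ifconfig)",/ { found = 1; print }
        END { exit !found }'
}

# $1 = authorized_keys file, $2 = allowlist of approved public keys in the
# same "[options] type base64 [comment]" format. Compares key material only,
# so an attacker-chosen comment cannot make a planted key look familiar.
# Prints unknown entries; exit 0 if any exist, 1 if every key is approved.
find_unknown_keys() {
    awk '
        function keymat(line,   n, i, f) {
            n = split(line, f, /[ \t]+/)
            for (i = 1; i < n; i++)
                if (f[i] ~ /^(ssh-|ecdsa-|sk-)/) return f[i + 1]
            return ""
        }
        /^[ \t]*(#|$)/ { next }
        FILENAME == ARGV[1] { known[keymat($0)] = 1; next }
        !(keymat($0) in known) { unknown = 1; print }
        END { exit !unknown }' "$2" "$1"
}

# Constructed `ss -Htlnp` output: sshd, a legitimate nginx on 80, and a
# FritzFrog-style "nginx" on 1234. Only the last line should be reported.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22   0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:80   0.0.0.0:* users:(("nginx",pid=900,fd=6))
LISTEN 0 128 0.0.0.0:1234 0.0.0.0:* users:(("nginx",pid=1337,fd=5))'

demo() {
    known=$(mktemp); victim=$(mktemp)
    # Constructed key files with placeholder key material (not real keys).
    echo 'ssh-ed25519 AAAAC3AdminKeyPlaceholder admin@bastion' > "$known"
    cp "$known" "$victim"
    echo 'ssh-rsa AAAAB3PlantedKeyPlaceholder nginx' >> "$victim"
    if find_fritzfrog_listener "$SAMPLE_SS"; then echo "-> kill that pid, then block TCP 1234"; fi
    if find_unknown_keys "$victim" "$known"; then echo "-> delete those lines from authorized_keys"; fi
    rm -f "$known" "$victim"
}
demo
# On a live host (as root, so ss can name the owning process); paths assumed:
#   find_fritzfrog_listener "$(ss -Htlnp)"
#   find_unknown_keys /root/.ssh/authorized_keys /etc/ssh/approved_keys
```

Check the authorized_keys file of every account that can log in over SSH, not only root, and compare against the IOCs in Guardicore's README. A hit on the listener check gives you the PID to kill; a hit on the key check gives you the line to delete, and until that line is gone the attacker can return with or without the password.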
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.