FritzFrog botnet returns to attack healthcare, education and government sectors

The FritzFrog botnet has reappeared with a new P2P campaign, showing 10x growth in just one month.

FritzFrog is a peer-to-peer botnet discovered in January 2020. Over an eight-month period, the botnet managed to hit at least 500 government and corporate SSH servers.

The P2P botnet, written in the Golang programming language, is decentralized in nature and will attempt to brute force servers, cloud instances and other devices – including routers – that have exposed entry points on the internet.

On Thursday, cybersecurity researchers from Akamai Threat Labs said that despite being silent after its previous wave of attacks, since December the botnet has reemerged with exponential growth.

“FritzFrog propagates over SSH,” say the researchers. “Once it finds a server’s credentials using a simple (but aggressive) brute force technique, it establishes an SSH session with the new victim and drops the malware executable on the host. The malware then starts listening and waiting for commands.”
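The propagation step the researchers describe starts with credential brute force against exposed SSH services, followed by a successful login from the same source. As an added example that is not from the article or from Akamai's research, the following Python script shows the minimal detection a defender would want for that pattern over sshd log lines: it parses syslog-format `sshd` authentication messages, flags a source address that accumulates a threshold of failed logins inside a sliding time window, and raises a higher-severity finding if that same source later authenticates successfully. The log lines, the year assumed for the timestamps, and the threshold and window values are all constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd lines in syslog format (not taken from the article
# or from any real host). 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    "Jan 10 03:12:01 host1 sshd[2001]: Failed password for root from 203.0.113.5 port 51234 ssh2",
    "Jan 10 03:12:02 host1 sshd[2002]: Failed password for admin from 203.0.113.5 port 51235 ssh2",
    "Jan 10 03:12:03 host1 sshd[2003]: Failed password for invalid user test from 203.0.113.5 port 51236 ssh2",
    "Jan 10 03:12:04 host1 sshd[2004]: Failed password for root from 203.0.113.5 port 51237 ssh2",
    "Jan 10 03:12:05 host1 sshd[2005]: Failed password for ubuntu from 203.0.113.5 port 51238 ssh2",
    "Jan 10 03:12:06 host1 sshd[2006]: Accepted password for root from 203.0.113.5 port 51239 ssh2",
    "Jan 10 03:15:00 host1 sshd[2010]: Failed password for alice from 198.51.100.7 port 40000 ssh2",
    "Jan 10 03:20:00 host1 sshd[2011]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2",
]

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user test from ..." as emitted by OpenSSH.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed|Accepted)\s+(?P<method>\S+)\s+for\s+(?:invalid user\s+)?"
    r"(?P<user>\S+)\s+from\s+(?P<src>\S+)\s+port\s+\d+"
)

LOG_YEAR = 2022  # assumption: classic syslog timestamps carry no year


def parse_line(line):
    """Parse one sshd auth line into a dict, or return None for lines we don't care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "src": m["src"]}


def detect_ssh_bruteforce(lines, threshold=5, window_seconds=60):
    """Return a list of findings.

    kind == "bruteforce": a source produced >= threshold failed logins within
        window_seconds (reported once per source).
    kind == "success_after_bruteforce": a source already flagged for brute force
        later logged in successfully, i.e. a credential was probably guessed.
    """
    failures = defaultdict(deque)  # src -> deque of (timestamp, user) inside the window
    flagged = set()
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = failures[ev["src"]]
        # Slide the window: drop failures older than window_seconds.
        while q and (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if ev["result"] == "Failed":
            q.append((ev["ts"], ev["user"]))
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                findings.append({
                    "src": ev["src"], "kind": "bruteforce", "count": len(q),
                    "users": sorted({u for _, u in q}),
                })
        elif ev["result"] == "Accepted" and ev["src"] in flagged:
            # A success from a source that was brute-forcing is the high-priority alert.
            findings.append({
                "src": ev["src"], "kind": "success_after_bruteforce",
                "users": [ev["user"]], "method": ev["method"],
            })
    return findings


if __name__ == "__main__":
    for f in detect_ssh_bruteforce(SAMPLE_LOG):
        print(f)
```

On the constructed input the script reports one `bruteforce` finding for 203.0.113.5 (five failures across four usernames inside a minute) followed by a `success_after_bruteforce` finding when that source logs in as root; the single failure from 198.51.100.7 followed by a key-based login stays below the threshold and is not reported. Real deployments would feed `journalctl -u ssh` or `/var/log/auth.log` into `detect_ssh_bruteforce` and tune `threshold` and `window_seconds` to the host's normal traffic.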

A total of 24,000 attacks have been detected so far, and 1,500 hosts have been infected, the majority of them located in China. The botnet is used to mine cryptocurrency.

The health, education and government sectors are all on the target list. Thanks to new features and the use of a proxy network, the malware is also ready to focus on websites running the WordPress content management system (CMS).

A television channel in Europe, a Russian manufacturer of health equipment and universities in Asia have been compromised.

Akamai considers FritzFrog a “next generation” botnet due to a number of key features. These include consistent update and upgrade cycles, a comprehensive dictionary used in brute force attacks, and its decentralized architecture, described as “proprietary”. In other words, the botnet does not rely on any existing P2P protocol to operate.

The latest FritzFrog is updated daily – sometimes more than once a day. Apart from bug fixes, operators have included the new WordPress function to add websites based on this CMS to a target list.

However, at the time of writing, the WordPress target list is empty, suggesting this attack feature is still in the development pipeline.

Akamai is unsure of the origin of the botnet, but there are indications that the operators are either based in China or are impersonating operators there. A newly added file transfer library, for example, links to a GitHub repository owned by a user in Shanghai.

Additionally, the botnet’s cryptocurrency mining activity is linked to wallet addresses also used by the Mozi botnet, whose operators have been arrested in China.

The cybersecurity company has provided a FritzFrog detection tool on GitHub.


Sam D. Gomez