Researchers at Guardicore Labs have discovered a sophisticated peer-to-peer (P2P) botnet actively targeting SSH servers worldwide since at least January 2020.
The botnet, dubbed FritzFrog, has been observed attempting to brute-force and spread to tens of millions of IP addresses including those belonging to government offices, banks, telecom companies, medical centers, and educational institutions. So far, FritzFrog has breached at least 500 SSH servers at multiple well-known universities in the US and Europe and one railway company, according to Guardicore.
Like other P2P botnets, FritzFrog does not have a centralized command-and-control infrastructure. Instead, control is distributed among all nodes on the network, with each node having the ability to target systems and to communicate with and update each other, over an encrypted channel. Security experts consider such botnets a lot harder to take down than centralized botnets because they don't have one single point of failure or point of control.
Several features, though, make FritzFrog different from — and more dangerous than — other botnets. The malware, written in the Go programming language, operates completely in memory and leaves no traces on disk: it assembles and executes payloads and shares files entirely in memory.
Each node on the FritzFrog botnet stores a constantly updated database of targets, breached machines, and peers. Guardicore's analysis shows that no two nodes on the botnet attempt to attack the same target machine. Instead they use a sort of "vote-casting" process to distribute targets evenly across the network, the security vendor says. Once on a system, the malware drops a backdoor that allows attackers to potentially regain access to a compromised machine even if the malware is removed.
Significantly, FritzFrog's P2P implementation also appears to have been developed from scratch and relies on no known protocols, suggesting its developers are highly sophisticated, Guardicore said in a report Wednesday.
"FritzFrog is not the first fileless bot; but it might be the first fileless P2P botnet," says Ophir Harpaz, security researcher at Guardicore. The malware's completely in-memory file-transfer system "is a torrent-like approach that we've rarely - and perhaps never - seen previously used in malware."
Harpaz says that the FritzFrog samples that Guardicore analyzed show the malware to be currently executing a Monero cryptominer. However, it is highly unlikely that the miner is a top priority for the attackers, she says. What seems much more probable is that the attackers are interested in obtaining access to and gaining control over breached SSH servers so they can sell access to these servers in underground markets.
"Additionally, it is possible that FritzFrog is a P2P-infrastructure-as-a-service," Harpaz says. "Since it is robust enough to run any executable file or script on victim machines, this botnet can potentially be sold in the darknet," and be used for distributing malware or other malicious activity.
According to Guardicore, each node on the FritzFrog botnet is capable of launching brute-force password-guessing attacks to try to break into SSH servers. The dictionary of credentials FritzFrog uses to brute-force its way into systems is more extensive than that normally used by P2P botnets.
Disrupting the FritzFrog botnet can be challenging since each node on the network effectively functions like a command-and-control server, Harpaz says. "In the regular client-server botnets, taking down the single command and control server will remove the stinger from the bee. This is not the case with P2P networks," she says.
Guardicore has released a detection script that organizations can use to check for the presence of the malware on SSH servers.
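As an added illustration of the kind of check a defender can run against the brute-force behaviour described above (this is not Guardicore's detection script, which the article does not reproduce), the snippet below scans sshd log lines for sources that fail password logins across several usernames and then flags any later successful login from the same source. The log lines are constructed for the example and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sshd log lines in auth.log format (sample data, not a real capture).
SAMPLE_LOG = """\
Aug 19 10:00:01 host sshd[2201]: Failed password for root from 203.0.113.10 port 41022 ssh2
Aug 19 10:00:02 host sshd[2202]: Failed password for invalid user admin from 203.0.113.10 port 41023 ssh2
Aug 19 10:00:03 host sshd[2203]: Failed password for invalid user oracle from 203.0.113.10 port 41024 ssh2
Aug 19 10:00:04 host sshd[2204]: Failed password for root from 203.0.113.10 port 41025 ssh2
Aug 19 10:00:05 host sshd[2205]: Accepted password for root from 203.0.113.10 port 41026 ssh2
Aug 19 10:00:09 host sshd[2210]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Aug 19 10:00:30 host sshd[2211]: Accepted publickey for alice from 198.51.100.7 port 50002 ssh2
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"Accepted (?:password|publickey) for (\S+) from (\S+) port")


def analyze(log_text, min_failures=3, min_users=2):
    """Return {src_ip: summary} for sources that look like dictionary attacks.

    A source is flagged when it accumulates at least min_failures failed
    password attempts spread over at least min_users distinct usernames
    (both thresholds are assumptions chosen for this example). A later
    Accepted login from a flagged source is the finding most worth escalating.
    """
    failures = defaultdict(list)   # src_ip -> usernames tried and rejected
    accepted = defaultdict(list)   # src_ip -> usernames that logged in
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m.group(2)].append(m.group(1))
            continue
        m = ACCEPTED.search(line)
        if m:
            accepted[m.group(2)].append(m.group(1))
    findings = {}
    for ip, users in failures.items():
        if len(users) >= min_failures and len(set(users)) >= min_users:
            findings[ip] = {
                "failed_attempts": len(users),
                "distinct_users": sorted(set(users)),
                "success_after_bruteforce": accepted.get(ip, []),
            }
    return findings


if __name__ == "__main__":
    for ip, summary in analyze(SAMPLE_LOG).items():
        print(ip, summary)
```

On a real host, feed it the output of `journalctl -u ssh` or `/var/log/auth.log` instead of SAMPLE_LOG; the single legitimate failure from 198.51.100.7 stays below the thresholds and is not reported.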
P2P botnets like FritzFrog continue to be relatively rare. However, they are a growing threat. One of the more notable examples of a P2P botnet is DDG, a cryptomining botnet that researchers from NetLab first reported in January 2018. The botnet started off as a typical, centrally controlled network of infected machines, but it has evolved constantly and now has a P2P communications capability, though it also uses a static C2 server.
Mozi, an IoT botnet that researchers at CenturyLink discovered earlier this year, is another example. The malware combines code from three older IoT malware variants — Mirai, Gafgyt, and IoT Reaper — and grew to about 2,200 nodes at its peak.