

Rewterz Threat Alert – BLINDINGCAN Remote Access Trojan
August 20, 2020
Rewterz Threat Advisory – CVE-2020-3523 – Cisco Data Center Network Manager Cross-Site Scripting Vulnerability
August 20, 2020
Severity
Medium
Analysis Summary
FritzFrog, a unique and advanced worming peer-to-peer (P2P) botnet, drops backdoors and cryptominers and is spreading globally. SSH servers are pieces of software found in routers and IoT devices, among other machines; they use the Secure Shell protocol to accept connections from remote computers and are common in enterprise and consumer environments alike. According to an analysis from Guardicore Labs, FritzFrog propagates as a worm, brute-forcing SSH credentials at entities such as government offices, educational institutions, medical centers, banks and telecom companies. FritzFrog has attempted to compromise tens of millions of machines so far and has successfully breached more than 500 servers in total.
FritzFrog's worm malware is written in Golang and is modular, multi-threaded and fileless, leaving no trace on the infected machine's disk. Once a server is compromised, the malware creates a backdoor in the form of an SSH public key, giving the attackers ongoing access to the victim machine. The botnet is more resilient than other types because control is decentralized and spread among all nodes; there is no single point of failure and no command-and-control (C2) server. Almost everything about FritzFrog is unique compared with past P2P botnets: Harpaz noted that it does not use IRC like IRCflu, it operates in memory unlike another cryptomining botnet, DDG, and it runs on Unix-based machines unlike the InterPlanetary Storm botnet.
Once the malware is installed on a target in this way, it begins listening on port 1234, waiting for initial commands that will sync the victim with a database of network peers and brute-force targets. Once this initial syncing is finished, FritzFrog gets creative on the detection-evasion front for further communication from outside the botnet. Instead of sending commands directly over port 1234, the attacker connects to the victim over SSH and runs a netcat client on the victim's machine. From this point on, any command sent over SSH is used as netcat's input and is thus relayed to the malware. The malware also spawns multiple threads to perform various tasks simultaneously, assigning different tasks to different modules. Researchers suspect that the botnet aims to deploy cryptominers.
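As an added defender-side check, not code from this advisory or from Guardicore's report: a Python audit that flags authorized_keys entries whose fingerprint is not on an allowlist (the SSH-key backdoor described above) and reports whether anything is in LISTEN state on port 1234. All sample data is constructed inline; the allowlist and the key-type tuple are assumptions, and the generated key blobs are syntactically valid but not real keys.

```python
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

def _ed25519_blob(raw32: bytes) -> str:
    """Build a syntactically valid ssh-ed25519 key blob (constructed test data, not a real key)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw32
    return base64.b64encode(blob).decode()

# Constructed sample authorized_keys: one allow-listed admin key and one unexpected key.
ALLOWED_KEY = _ed25519_blob(bytes(range(32)))
ROGUE_KEY = _ed25519_blob(bytes(range(32, 64)))
SAMPLE_AUTHORIZED_KEYS = (f"ssh-ed25519 {ALLOWED_KEY} admin@bastion\n"
                          "# comments and blank lines are ignored\n\n"
                          f"ssh-ed25519 {ROGUE_KEY} backdoor\n")
# Constructed /proc/net/tcp excerpt: sshd on port 22 and an unexpected listener on 1234 (0x04D2).
SAMPLE_PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode\n"
    "   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 1 1 0\n"
    "   1: 00000000:04D2 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 2 1 0\n")

def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint in the format printed by `ssh-keygen -l` (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text: str):
    """Return (keytype, key_b64, comment) per key line; tolerates an options prefix."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # malformed line: no key material after the key type
        entries.append((tokens[idx], tokens[idx + 1], " ".join(tokens[idx + 2:])))
    return entries

def unexpected_keys(text: str, allowed_fingerprints: set):
    """Keys whose fingerprint is not on the allowlist; a planted backdoor key shows up here."""
    return [(kt, fingerprint(k), c) for kt, k, c in parse_authorized_keys(text)
            if fingerprint(k) not in allowed_fingerprints]

def listening_ports(proc_net_tcp: str) -> set:
    """Ports in LISTEN state (st == 0A) parsed from /proc/net/tcp text."""
    rows = (l.split() for l in proc_net_tcp.splitlines()[1:])
    return {int(f[1].rsplit(":", 1)[1], 16) for f in rows if len(f) > 3 and f[3] == "0A"}
```

On a live host, feed it the contents of each user's `~/.ssh/authorized_keys` and `/proc/net/tcp` (and `/proc/net/tcp6`) in place of the constructed samples.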
Impact
- Device Takeover
- Server Compromise
- Detection Evasion
Indicators of Compromise
Remediation
- Choose strong passwords and use public key authentication, which is much safer.
- Consider changing the SSH port or completely disabling SSH access to routers and IoT devices if the service is not in use.
- Block the threat indicators at their respective controls.
- Avoid downloading untrusted files and do not enable macros for such files.