FritzFrog – the next generation of botnets

[*]

Summary

  • Guardicore discovered a complex peer-to-peer (P2P) botnet FritzFrog, which has been actively hacking SSH servers since January 2020.
  • Malicious software on Golang: FritzFrog runs modular, multi-threaded and fileless malicious code on Golang that leaves no traces on the hard drive of an infected device.
  • Active targeting of government, educational, financial and other resources: FritzFrog tried to brute force and spread to tens of millions of IP addresses of government offices, educational institutions, medical centers, banks and many telecom companies. Among them, more than 500 servers were successfully attacked, including well-known universities in the US and Europe, and one railway company.
  • Complexity: FritzFrog is completely proprietary, its P2P implementation is written from scratch, which indicates a high level of professionalism of its creators in the field of software development.
  • Interception: Guardcore Labs has developed a Golang client program capable of intercepting FritzFrog’s P2P connections and connecting to the network like a peer.
  • Affiliation: We were unable to identify a specific group responsible for creating FritzFrog, however the current botnet is partially similar to the previously known Rakos botnet.

Introduction

FritzFrog is a very sophisticated peer-to-peer botnet that actively breaks into SSH servers around the world. Thanks to its decentralized structure, it distributes control across all its nodes. This network does not have a single point of failure, and peers constantly communicate with each other to keep it stable, updated, and constantly active. P2P connections are made over an encrypted channel using AES for symmetric encryption and Diffie-Hellman for key exchange.

Unlike other P2P botnets, FritzFrog is unique in its set of properties: it is fileless because it builds and executes packages directly in memory; despite the effective even distribution of targets in his network, he very aggressively brute-forces them; its proprietary P2P protocols are not based on any of the currently known implementations.

The malicious code written in Golang is very changeable and leaves no traces on the hard drive. It creates a backdoor in the form of a public SSH key and thereby gives attackers permanent access to the victim’s device. From the very beginning of its activity, we have identified 20 different versions of the executable malware.

In this post, we will explain how FritzFrog was exposed, as well as the nature of its P2P network and the inner workings of the malicious code – including the infection process, command encryption, and volatile behavior.

Guardicore Labs has provided access to Github repository with a script to detect this malware and a list of Indicators of Compromise (IoC) of its activity.


Geographic distribution of infected hosts. The most vulnerable countries were the United States, China and South Korea.

FritzFrog Research

For the first time Guardcore Labs drew attention to the activities of FritzFrog during the study Botnet encyclopedia… New attacks with malicious processes were discovered on January 9 ifconfig and nginx… We began tracking a steady and significant increase in malicious activity, which soon reached 13,000 attacks on the Guardcore Global Sensors Network (GGSN). We tracked 20 different versions of the FritzFrog binaries over the years.


The graph shows the number of FritzFrog attacks on GGSN.

Surprisingly, at first glance, the malicious code did not contact any command and control (CNC) server. It was only when we started to seriously investigate the botnet that we realized that there was no server at all.

To intercept the botnet network, Guardcore Labs developed a client on Golang that can exchange keys with malware, as well as send commands and receive responses. This program, which we then called “frogger”, allowed us to investigate the nature and purpose of the network, and thanks to the frogger we “added” our own nodes to the network, being able to connect to the botnet, and participated in the transmission of active P2P traffic data.

FritzFrog has been brute-forcing millions of IP addresses, including government offices, educational institutions, medical centers, banks and many telecom companies. Of these, more than 500 servers were successfully attacked, including well-known universities in the USA and Europe, and one railway company.

Next generation P2P

Why New Generation?

FritzFrog has a unique set of properties that make it stand out from other online threats:

  • Filelessness: FritzFrog works without a working directory and exchanges files directly in memory via binary data arrays (BLOBs).
  • Constant updates: Databases of targets and affected devices are updated smoothly and organically.
  • Aggressiveness: brute force is done using an extensive vocabulary. For example, the recently discovered P2P botnet DDG used only “root” in the login field.
  • Efficiency: Targets are evenly distributed among the nodes.
  • Proprietary: The P2P botnet protocol is completely proprietary and does not rely on any of the known P2P protocols such as μTP.

As soon as the victim is successfully hacked, UPX-packed malicious code is launched on it, which then immediately deletes itself. To minimize suspicion, malicious processes are executed under the names ifconfig and nginx. At the very beginning of its work, the malicious code listens on port 1234, waiting for commands. The first commands received synchronize the victim with the database of network peers and brute force targets.


FritzFrog host cluster. Each node is an infected SSH server. The size of the nodes demonstrates their connectivity to the rest of the network.

Traffic on a non-standard port, for example 1234, can be easily noticed and blocked by a firewall or any other security system. Therefore, the developers of FritzFrog approached the problem creatively and instead of directly sending commands through port 1234, the attacker connects to the victim via SSH and launches a client on the netcat device, which in turn connects to the botnet server. Thus, any command will be passed over SSH as netcat input and easily reach the malicious code.


FritzFrog tunnels its P2P commands through the classic SSH port using the local netcat client of the infected device.

FritzFrog attackers have deployed an encrypted command channel with over 30 different commands. Command parameters and responses are passed in specified data structures and released (“mobilized”) in JSON format. The data is encrypted with symmetric AES encryption and encoded in Base64 before being sent. The nodes involved in the data transfer use the Diffie-Hellman protocol to exchange keys.

The nodes in the FritzFrog network maintain close contact, constantly pinging each other to verify connectivity, peer and target exchange, and mutual synchronization. Nodes also engage in a clever electoral process that affects the distribution of brute force targets across the network. Observations from Guardcore Labs confirm that targets are evenly distributed across the network and no two nodes will try to hack the same target.

Diving into malicious code

The FritzFrog binary is an advanced malicious code on Golang. It works completely in memory, each node with malicious code stores the entire database of targets and peers in memory. The malicious code creates multiple threads to simultaneously process various tasks, as shown in the table below.

FritzFrog defines victim and target device control states as follows:

  1. Target: The device from the target request will then be passed to the Cracker module, which in turn will try to scan and crack it.
  2. Deploy: A successfully jailbroken device is queued for infection with malicious code via the DeployMgmt module.
  3. Owned: A successfully infected device will be added to the P2P network by the Owned module.

Each node with malicious code has a worker thread that is responsible for receiving commands, parsing them and passing them to the appropriate functions in the code.


A working function in a disassembler. Each branch corresponds to the supported P2P functionality.

The malicious code is temporary: even though it tries to survive system reboots, for future access to the hacked target, a backdoor is saved, whose login and password are stored by the peers on the network. Malicious code adds public SSH-RSA key to file authorized_keys… This simple backdoor allows an attacker – with a private, private key – to authenticate without a password, in case the original password is changed. The only public key FritzFrog uses is shown below.

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJYZIsncBTFc+iCRHXkeGfFA67j+kUVf7h/IL+sh0RXJn7yDN0vEXz7ig73hC//2/71sND+x+Wu0zytQhZxrCPzimSyC8FJCRtcqDATSjvWsIoI4j/AJyKk5k3fCzjPex3moc48TEYiSbAgXYVQ62uNhx7ylug50nTcUH1BNKDiknXjnZfueiqAO1vcgNLH4qfqIj7WWXu8YgFJ9qwYmwbMm+S7jYYgCtD107bpSR7/WoXSr1/SJLGX6Hg1sTet2USiNevGbfqNzciNxOp08hHQIYp2W9sMuo02pXj9nEoiximR4gSKrNoVesqNZMcVA0Kku01uOuOBAOReN7KJQBt

The malicious file runs all kinds of shell commands on the local device, some multiple times, to monitor the state of the system. For example, he drives away free –m to check the available RAM, uptime, journalctl –s @0 –u sshd to track SSH logins, and other commands to display CPU load statistics. These statistics are available to other nodes on the network and are used to make various decisions, for example, whether to run the cryptominer on the device or not. If a decision is made, the malicious code launches a separate process, libexec, for mining Monero. This miner is based on the popular XMRig miner and communicates with a public pool web.xmrpool.eu through port 5555.

Vicious torrent-like network

FritzFrog relies on the ability to share files across the entire network, both to infect new devices and to launch malicious elements such as the Monero cryptominer.

To exchange files between nodes, FritzFrog uses a stealthy fileless approach: files are divided into arrays of binary data stored in memory, and the malicious code monitors the available arrays by storing them in a map along with the hash value of each array.

When node A wants to receive a file from its peer, node B, it can send a request to node B getblobstats to find out what arrays it owns. Host A can then retrieve a specific array through its hash, just like using the P2P command getbinand using HTTP at the address http://1234/… Once node A has received all the arrays, it builds the file through the Assemble module and runs it.


Command Result getblolbstats… Each node on the network reports how it has an array according to the list of files it maintains.

Assignment

Tracking P2P botnet operations is difficult. Due to the distributed nature of the network, commands in it can be transmitted from any node to any node. However, we tried to compare this P2P botnet with previous similar threats.

Even when compared to other P2P botnets, FritzFrog remains unique: it doesn’t use IRC like it does IRCflu, unlike DDG, it runs directly in memory and runs on Unix devices as opposed to the InterPlanetary Storm botnet. If he looks like anyone, especially in terms of naming functions and numbering versions, it is RakosA P2P botnet on Golang analyzed by ESET back in 2016.

Activity Tracking & Mitigation

Guardcore Labs provided FritzFrog tracking script to run on SSH servers. It looks for the following botnet indicators:

  • Running processes nginx, ifconfig or libexec, whose executable file no longer exists on the system (as you can see below).
  • Listening on port 1234.

In addition to this, TCP traffic on port 5555 can indicate network traffic to the Monero pool.

ubuntu@ip-111-11-11-11:~$ ./detect_fritzfrog.sh
FritzFrog Detection Script by Guardicore Labs
=============================================
 
[*] Fileless process nginx is running on the server.
[*] Listening on port 1234
[*] There is evidence of FritzFrog's malicious activity on this machine.

FritzFrog exploits the port and protocol forcing feature of most firewall systems. You can eliminate such threats by using process-based segmentation rules.

Weak passwords prove to be a key vulnerability for FritzFrog attacks. We recommend using strong passwords and public authorization keys, which are much safer. Also, it is critical to exclude the public key FritzFrog from the file authorization_keys to prevent attackers from gaining access to the device. Routers and IoT devices usually expose their SSH and therefore become vulnerable to FritzFrog attacks; we recommend changing the SSH port for such devices or, if the functionality is not used, completely disable SSH.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *