FritzFrog P2P Botnet is back and targets Healthcare, Education and Government Sectors

FritzFrog P2P botnet is back and is targeting servers belonging to entities in the healthcare, education, and government sectors.

FritzFrog is a sophisticated botnet that was involved in attacks against SSH servers worldwide since January 2020.

The bot is written in Golang and implements wormable capabilities, experts reported attacks against entities in the government, education, and finance sectors.

The FritzFrog is a modular, multi-threaded, and file-less botnet that outstands for the use of a proprietary and fileless P2P implementation that has been written from scratch.

In August 2020, Guardicore Labs researchers published a detailed analysis of the threat, at the time the malware infected over 500 servers in the U.S. and Europe belonging to universities and a railway company.

Now the peer-to-peer Golang botnet has resurfaced, Akamai experts reported that it targeted servers belonging to entities in the healthcare, education, and government sectors.

In just one month, the threat infected a total of 1,500 hosts.

“[FritzFrog P2P botnet]It has recently resurfaced and displayed 10x growth in its infection rate within a month, compromising servers in the healthcare, education, and government sectors.” reads the report published by Akamai. “1,500 distinct hosts have been infected since the reappearance of the botnet, most of which are in China.”

The new campaign was spotted in early December 2021, the attack chain starts with an SSH brute force, then the malware drops and executes a file on the server. This malicious code starts listening on port 1234 and scanning thousands of internet IP addresses over ports 22 and 2222.

Experts noticed that the FritzFrog botnet was using ifconfig or nginx as names of the malicious process, while the recent variant of the P2P botnet used a process named apache2.

In December the botnet registered a 10x growth in its infection rate peaking at 500 incidents per day in January 2022.

The Akamai researchers developed a tool called Frogger that allow them to gather information on infected hosts, including their uptime, hashrate, peers, and hasrate, if a cryptominer is running.

Experts discovered infected machines in a European television channel network, a Russian manufacturer of healthcare equipment, and multiple universities in East Asia. Most of the infections were observed in China. 

The new FritzFrog variant uses SCP to copy itself to a remote compromised server.

“The new implementation uses a public SCP library written in Golang in GitHub. We could not determine any meaningful advantage for one method over the other. It is, however, notable that the writers of the SCP library are located in China.” continues the report.

Researchers also noticed that one of the new wallet addresses employed for crypto mining was also used as part of the Mozi botnet operation which was carried out by crooks arrested in September in China.

“These points of evidence, while not damning, lead us to believe a possible link exists to an actor operating in China, or an actor masquerading as Chinese.Lastly, monitoring attack data has demonstrated a high level of activity in and around China throughout the lifetime of the campaign. As of now, approximately 37% of infected nodes seem to be located in China.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, fritzfrog P2P botnet)

[adrotate banner=”5″]

[adrotate banner=”13″]