A Canadian organization, higher-education institutions in the U.S. and Europe, and a railway company are among the victims of a new and sophisticated peer-to-peer botnet that has been actively brute-forcing SSH servers since January, says a new report.
Guardicore Labs dubs the botnet “FritzFrog” and says it spreads a worm written in Golang. One of its distinguishing features is that it is fileless: payloads are assembled and executed in memory, leaving no trace on the infected machine’s disk. It also has no command-and-control server.
“FritzFrog has attempted to brute force and propagate to tens of millions of IP addresses of governmental offices, educational institutions, medical centers, banks and numerous telecom companies,” the report says. So far, Guardicore estimates, it has successfully breached more than 500 servers, installing a Monero crypto miner and adding them to the botnet.
“With its decentralized infrastructure, it distributes control among all its nodes,” the report says. “In this network with no single-point-of-failure, peers constantly communicate with each other to keep the network alive, resilient and up-to-date. P2P communication is done over an encrypted channel, using AES for symmetric encryption and the Diffie-Hellman protocol for key exchange.”
Infosec pros should know that Guardicore Labs has set up a GitHub repository containing a detection script and a list of indicators of compromise (IOCs) for this campaign.
Guardicore Labs first noticed the campaign on Jan. 9, when new attack incidents appeared executing malicious processes. Attacks peaked in May, dropped slightly, and then leapt again in late July. By writing their own client in Golang and joining the P2P network, the researchers were able to learn a great deal about how it operates.
They found that once a victim is breached, it starts running the UPX-packed malware, which immediately deletes itself from disk. The malware process runs under the names ifconfig and nginx to avoid suspicion. On startup it begins listening on port 1234, waiting for commands. The first commands a new victim receives sync it with the network’s databases of peers and brute-force targets, and the researchers found that FritzFrog updates its databases of targets and breached machines regularly. The brute-force attack draws on an extensive dictionary and tries usernames beyond “root.”
To share and exchange files between nodes, FritzFrog splits them into blobs (chunks of binary data) that are kept in memory rather than on disk.
Traffic on a non-standard port such as 1234 is easy for firewalls and other security products to detect and block, the report notes. To evade this, the attacker instead connects to the victim over SSH and runs a netcat client on the victim’s machine, which in turn connects to the malware’s listener. From this point on, anything sent over the SSH session becomes netcat’s input and is relayed to the malware.
The malware does not attempt to survive system reboots. However, a backdoor is left to enable future access to the breached victim: an attacker-controlled public key is added to the authorized_keys file, and the victim’s login credentials are saved by the network peers.
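The host-level indicators described above (a listener on TCP/1234 owned by a process named ifconfig or nginx, and a netcat client launched through an SSH session) can be checked from saved `ss` and `ps` output. The script below is an added example written for this article, not Guardicore's detection script. The `ss -tlnp` and `ps -eo pid,ppid,comm,args` samples it parses are constructed, and the process-tree walk (a netcat process with sshd as an ancestor) is this example's assumption about how the SSH-runs-netcat technique appears on the host.

```sh
#!/bin/sh
# Added example (not Guardicore's detection script): check saved `ss -tlnp` and
# `ps -eo pid,ppid,comm,args` output for the host-level FritzFrog indicators
# described in the article. All sample output below is constructed.

# Constructed `ss -tlnp` output: sshd on 22, nginx on 80, and a process named
# "ifconfig" listening on 1234 (ifconfig never legitimately listens on anything).
sample_ss() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=2200,fd=6))
LISTEN 0      128    0.0.0.0:1234       0.0.0.0:*         users:(("ifconfig",pid=4021,fd=7))
EOF
}

# Constructed `ps -eo pid,ppid,comm,args` output: an SSH session (pid 4011) whose
# remote command is a shell running netcat against the local listener.
sample_ps() {
    cat <<'EOF'
    PID    PPID COMMAND         COMMAND
      1       0 systemd         /sbin/init
    812       1 sshd            /usr/sbin/sshd -D
   4011     812 sshd            sshd: root@notty
   4015    4011 sh              sh -c nc 127.0.0.1 1234
   4018    4015 nc              nc 127.0.0.1 1234
   4021       1 ifconfig        ifconfig
   2200       1 nginx           nginx: master process /usr/sbin/nginx
EOF
}

# Read `ss -tlnp` output on stdin; print "<name> <pid> listening on <port>" for
# any listener on TCP/1234 and for any listener whose process is named ifconfig.
suspicious_listeners() {
    awk '
        NR == 1 { next }                              # column header
        {
            port = $4; sub(/.*:/, "", port)           # "0.0.0.0:1234" -> "1234"
            name = "?"; pid = "?"
            if (match($0, /users:[(][(]"[^"]+"/))     # users:(("ifconfig",...
                name = substr($0, RSTART + 9, RLENGTH - 10)
            if (match($0, /pid=[0-9]+/))
                pid = substr($0, RSTART + 4, RLENGTH - 4)
            if (port == "1234" || name == "ifconfig")
                print name, pid, "listening on", port
        }'
}

# Read `ps -eo pid,ppid,comm,args` output on stdin; report netcat processes that
# have sshd as an ancestor, i.e. netcat started through an SSH session.
netcat_under_ssh() {
    awk '
        NR == 1 { next }
        { ppid[$1] = $2; comm[$1] = $3 }
        END {
            for (p in comm) {
                if (comm[p] !~ /^(nc|ncat|netcat)$/) continue
                a = ppid[p]; hops = 0
                while ((a in comm) && hops < 64) {    # walk up; pid 0 is not in the table
                    if (comm[a] == "sshd") {
                        print "netcat pid " p " under sshd pid " a
                        break
                    }
                    a = ppid[a]; hops++
                }
            }
        }' | sort
}

# Run against the constructed samples. On a live host pipe in the real commands:
#   ss -tlnp | suspicious_listeners ; ps -eo pid,ppid,comm,args | netcat_under_ssh
sample_ss | suspicious_listeners
sample_ps | netcat_under_ssh
```

Both checks are heuristics: a listener on 1234 or a netcat under sshd is worth a look, not proof of infection, and the process name alone is useless since the malware deliberately borrows legitimate names. Pair them with the IOCs in Guardicore's repository before acting.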
“FritzFrog takes advantage of the fact that many network security solutions enforce traffic only by the port and protocol,” says Guardicore. “To overcome this stealth technique, process-based segmentation rules can easily prevent such threats.” It also adds that weak passwords are the immediate enabler of FritzFrog’s attacks.
In addition, the report says, it is crucial to remove FritzFrog’s public key from the authorized_keys file to cut off the attackers’ access to an infected machine. Routers and IoT devices often expose SSH and are therefore vulnerable to FritzFrog; admins should consider changing their SSH port or disabling SSH on them entirely if the service is not in use.
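The authorized_keys cleanup described above can be done systematically: keep an allowlist of the keys you actually provisioned and remove anything else, matching on the key material rather than on the comment, which an attacker can set to anything. The script below is an added example, not part of the report or of Guardicore's repository. The key blobs in it are constructed placeholders, not FritzFrog's real key, and the allowlist format (one authorized_keys-style line per approved key) is an assumption of this example.

```sh
#!/bin/sh
# Added example (not from the Guardicore report): audit an authorized_keys file
# against an allowlist of approved keys and optionally emit a cleaned copy.
# Keys are matched on "type base64-blob" only, so a rogue key cannot hide behind
# a familiar-looking comment or extra options. All key material below is
# constructed for this snippet and is not a real indicator of compromise.

# Usage: authorized_keys_audit report|clean AUTHORIZED_KEYS ALLOWLIST
#   report: print "UNKNOWN <type> <blob>" for every key not in the allowlist
#   clean:  print the file with unknown keys removed (comments and blanks kept)
authorized_keys_audit() {
    awk -v mode="$1" -v allow="$3" '
        # Return "<type> <blob>" for an authorized_keys line, skipping any
        # leading options such as no-pty or command="...".
        function keyid(line,    n, f, i) {
            n = split(line, f, /[ \t]+/)
            for (i = 1; i < n; i++)
                if (f[i] ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$/)
                    return f[i] " " f[i+1]
            return ""
        }
        BEGIN {
            while ((getline line < allow) > 0) {
                id = keyid(line)
                if (id != "") ok[id] = 1
            }
            close(allow)
        }
        /^[ \t]*(#|$)/ { if (mode == "clean") print; next }   # comments, blank lines
        {
            id = keyid($0)
            if (id != "" && (id in ok)) { if (mode == "clean") print; next }
            if (mode == "report") {
                if (id == "") print "UNPARSEABLE " $0
                else print "UNKNOWN " id
            }
        }' "$2"
}

# Constructed authorized_keys and allowlist (made-up key blobs, not real IOCs).
# The backup key appears in both files with a different comment and with options
# in front of it, which the matcher must ignore; the third key is the intruder.
write_samples() {
    cat > "$1/authorized_keys" <<'EOF'
# admin workstation
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedAdminKeyForThisSnippet0000 admin@workstation
no-pty,command="/usr/bin/rsync --server" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABConstructedBackupKey0000 backup
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABConstructedUnknownKey0000 root@localhost
EOF
    cat > "$1/allowlist" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedAdminKeyForThisSnippet0000 admin@workstation
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABConstructedBackupKey0000 backup@nas
EOF
}

# Demo on the constructed samples; on a real host pass each user's
# ~/.ssh/authorized_keys (root's included) and your provisioning allowlist.
demo=$(mktemp -d)
write_samples "$demo"
authorized_keys_audit report "$demo/authorized_keys" "$demo/allowlist"
rm -rf "$demo"
```

To apply the cleaned output, write it to a temporary file and move it into place (`authorized_keys_audit clean ~/.ssh/authorized_keys allowlist > tmp && mv tmp ~/.ssh/authorized_keys`), and repeat for every account on the host. Any key the report flags as unknown should be compared against the IOC list in Guardicore's repository. Since the report names weak passwords as the enabler, hosts that can use keys should also set `PasswordAuthentication no` in sshd_config, which removes the brute-force surface rather than just moving it to another port.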