FritzFrog is the name of an incredibly sophisticated botnet attacking SSH servers to deploy a Monero-mining malware. The characteristics of the campaign and the deployed malware, as detailed in a report by the security researchers at Guardicore, make it wholly unique and quite effective.
The FritzFrog worm is written in Golang, and its underlying code and fileless peer-to-peer (P2P) implementation were created from scratch, showing that the hackers behind it have tremendous experience as software developers.
FritzFrog Leaves No Trace
The deployed malware payload is fileless, as it operates entirely in the infected machine's memory. Once inside, the FritzFrog worm initiates several threads, each having a specific purpose. The thread called 'Cracker' is engaged in brute-forcing access to new victims, while 'DeployMgmt' spreads the malware to the systems that have already been breached. The 'Owned' thread is responsible for adding the compromised device to the FritzFrog botnet. To free up resources for its own nefarious needs, FritzFrog sets up a thread called 'Antivir,' which is tasked with removing any hardware-intensive processes that have an 'xmr' (Monero) string.
The actual Monero mining is left to a separate thread named 'libexec.' According to Guardicore, the miner employed by FritzFrog is based on the XMRig miner and uses port 5555 to connect to the public pool web.xrmpool.eu. To achieve persistence, the malware adds its public SSH key to the 'authorized_keys' file. The same SSH key is used by the entire botnet:
AAAAB3NzaC1yc2EAAAADAQABAAABAQDJYZIsncBTFc+iCRHXkeGfFA67j+kUVf7h/IL+sh0RXJn7yDN0vEXz7ig73hC//2/71sND+x+Wu0zytQhZxrCPzimSyC8FJCRtcqDATSjvWsIoI4j/AJyKk5k3fCzjPex3moc48TEYiSbAgXYVQ62uNhx7ylug50nTcUH1BNKDiknXjnZfueiqAO1vcgNLH4qfqIj7WWXu8YgFJ9qwYmwbMm+S7jYYgCtD107bpSR7/WoXSr1/SJLGX6Hg1sTet2USiNevGbfqNzciNxOp08hHQIYp2W9sMuo02pXj9nEoiximR4gSKrNoVesqNZMcVA0Kku01uOuOBAOReN7KJQBt
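Because the whole botnet persists with this one public key, a defender can audit authorized_keys files for it directly. The script below is an added example written for this article, not Guardicore's tooling or FritzFrog code: it parses each authorized_keys entry (including the optional leading options field), computes the OpenSSH-style SHA256 fingerprint, and flags the botnet key as well as any key absent from an optional allowlist. The key blob is the one quoted above with its line-wrapping whitespace removed; the sample file and the ed25519 entry in it are constructed for the demo.

```python
"""Audit an authorized_keys file for the FritzFrog persistence key.

Added example (not the Guardicore report's code): FritzFrog appends one
botnet-wide RSA public key to ~/.ssh/authorized_keys, so every entry in
that file can be fingerprinted and checked against a known-bad set and
an optional allowlist.
"""
import base64
import hashlib
import shlex
from dataclasses import dataclass, field

# Botnet-wide public key blob quoted in the article (line wrapping removed).
FRITZFROG_KEY_BLOB = (
    "AAAAB3NzaC1yc2EAAAADAQABAAABAQDJYZIsncBTFc+iCRHXkeGfFA67j+kUVf7h/IL+sh0RXJn"
    "7yDN0vEXz7ig73hC//2/71sND+x+Wu0zytQhZxrCPzimSyC8FJCRtcqDATSjvWsIoI4j/AJyKk5"
    "k3fCzjPex3moc48TEYiSbAgXYVQ62uNhx7ylug50nTcUH1BNKDiknXjnZfueiqAO1vcgNLH4qfq"
    "Ij7WWXu8YgFJ9qwYmwbMm+S7jYYgCtD107bpSR7/WoXSr1/SJLGX6Hg1sTet2USiNevGbfqNzci"
    "NxOp08hHQIYp2W9sMuo02pXj9nEoiximR4gSKrNoVesqNZMcVA0Kku01uOuOBAOReN7KJQBt"
)

# sshd key-type names all start with one of these prefixes.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


@dataclass
class KeyEntry:
    line_no: int
    key_type: str
    blob: str
    comment: str
    options: str
    fingerprint: str
    flags: list = field(default_factory=list)


def fingerprint(blob: str) -> str:
    """OpenSSH-style 'SHA256:<base64 without padding>' fingerprint of a key blob."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list[KeyEntry]:
    """Parse authorized_keys text; comments, blank and malformed lines are skipped."""
    entries = []
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)  # keeps quoted options like command="..." together
        except ValueError:
            tokens = line.split()
        options = ""
        if tokens and not tokens[0].startswith(KEY_TYPE_PREFIXES):
            options, tokens = tokens[0], tokens[1:]  # leading options field
        if len(tokens) < 2:
            continue  # sshd ignores entries without a type and a blob
        key_type, blob, comment = tokens[0], tokens[1], " ".join(tokens[2:])
        try:
            fp = fingerprint(blob)
        except ValueError:  # binascii.Error is a ValueError: not base64
            continue
        entries.append(KeyEntry(line_no, key_type, blob, comment, options, fp))
    return entries


def audit_authorized_keys(text: str, allowed_fingerprints=()) -> list[KeyEntry]:
    """Return entries that match a known-bad key or are missing from the allowlist."""
    known_bad = {fingerprint(FRITZFROG_KEY_BLOB)}  # extend with further IoC keys
    findings = []
    for entry in parse_authorized_keys(text):
        if entry.fingerprint in known_bad:
            entry.flags.append("fritzfrog_botnet_key")
        if allowed_fingerprints and entry.fingerprint not in allowed_fingerprints:
            entry.flags.append("not_in_allowlist")
        if entry.flags:
            findings.append(entry)
    return findings


def _constructed_ed25519_blob() -> str:
    """Syntactically valid ed25519 blob built from placeholder bytes (constructed, not a real key)."""
    body = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32))
    return base64.b64encode(body).decode()


# Constructed sample file: one legitimate-looking entry and the botnet key.
SAMPLE_AUTHORIZED_KEYS = (
    "# constructed sample authorized_keys\n"
    f"ssh-ed25519 {_constructed_ed25519_blob()} admin@workstation\n"
    f'command="/usr/bin/backup",no-pty ssh-rsa {FRITZFROG_KEY_BLOB}\n'
)

if __name__ == "__main__":
    allowed = {fingerprint(_constructed_ed25519_blob())}
    for f in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, allowed):
        print(f"line {f.line_no}: {f.key_type} {f.fingerprint} -> {', '.join(f.flags)}")
```

Run it against a real file with `audit_authorized_keys(open(path).read(), allowed)`, where the allowlist is the set of fingerprints your provisioning system expects; matching on fingerprints rather than raw text means the check also catches the key when it is re-encoded or given a different comment.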
If it needs to send files between infected nodes, FritzFrog again employs a fileless technique. The file that needs to be transferred is split into data blobs (chunks of binary data). To keep track of the blobs, the malware stores them in a map that includes the hash value of each blob. To receive the required blobs, one node makes a request to http://[IP of a node containing the blob]:1234/[blob hash]. A separate 'Assembler' thread then takes all the blobs and puts them back together to create a file.
FritzFrog Operates without a C2 Structure
Another defining characteristic of FritzFrog is that the entire operation is controlled without the need for a centralized Command-and-Control (C2) infrastructure. To initiate the attack, FritzFrog first attempts to connect to the targeted server over ports 22 and 2222. It then adds its public SSH key to the authorized_keys file on the compromised system. For communication with the rest of the network, FritzFrog launches a netcat client on port 1234.
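The network behaviour described on this page (blob serving and the netcat channel on port 1234, the mining-pool connection on port 5555, and probing of ports 22 and 2222) gives a responder three socket-level indicators to look for on a suspect host. The script below is an added example written for this article, not Guardicore's code: it parses `ss -tanp`-style output, flags listeners or connections on port 1234, connections to remote port 5555, and any single process connected to many distinct hosts on 22/2222. The sample listing, the process names in it and the fan-out threshold are constructed assumptions.

```python
"""Triage socket listings for the FritzFrog network indicators named in the article.

Added example, not from the Guardicore report. Sample `ss -tanp` lines and
the scan threshold below are constructed for the demo.
"""
import re
from collections import defaultdict

P2P_PORT = 1234          # blob/netcat channel between nodes (from the report)
MINING_POOL_PORT = 5555  # pool connection port (from the report)
SSH_PORTS = {22, 2222}   # ports probed on new targets (from the report)
SCAN_THRESHOLD = 20      # assumed: distinct SSH peers per process before we flag fan-out

# Matches lines of `ss -tanp`: State Recv-Q Send-Q Local:Port Peer:Port [Process]
SS_LINE = re.compile(
    r"^(?P<state>[A-Z-]+)\s+\d+\s+\d+\s+"
    r"(?P<local>\S+):(?P<lport>\d+|\*)\s+"
    r"(?P<peer>\S+):(?P<pport>\d+|\*)"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)\))?\s*$'
)


def _port(value: str):
    return None if value == "*" else int(value)


def parse_ss(text: str) -> list[dict]:
    """Parse socket lines into dicts; the header and unrecognised lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = SS_LINE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        rows.append({
            "state": d["state"],
            "local": d["local"], "lport": _port(d["lport"]),
            "peer": d["peer"], "pport": _port(d["pport"]),
            "proc": d["proc"] or "?", "pid": int(d["pid"]) if d["pid"] else None,
        })
    return rows


def triage(rows: list[dict]) -> list[dict]:
    """Flag P2P-port sockets, mining-pool connections and SSH fan-out per process."""
    findings = []
    ssh_peers = defaultdict(set)  # (pid, proc) -> distinct peer addresses on 22/2222
    for r in rows:
        if P2P_PORT in (r["lport"], r["pport"]):
            kind = "p2p_listener" if r["state"] == "LISTEN" else "p2p_connection"
            findings.append({"kind": kind, "pid": r["pid"], "proc": r["proc"], "peer": r["peer"]})
        if r["pport"] == MINING_POOL_PORT:
            findings.append({"kind": "mining_pool_connection", "pid": r["pid"],
                             "proc": r["proc"], "peer": r["peer"]})
        if r["pport"] in SSH_PORTS:  # remote port, so local sshd listeners are not counted
            ssh_peers[(r["pid"], r["proc"])].add(r["peer"])
    for (pid, proc), peers in ssh_peers.items():
        if len(peers) >= SCAN_THRESHOLD:
            findings.append({"kind": "ssh_fanout", "pid": pid, "proc": proc, "peers": len(peers)})
    return findings


def _sample_ss_output() -> str:
    """Constructed listing: a sshd listener, a P2P listener, a pool connection,
    and one process half-open to 25 distinct hosts on 22/2222."""
    lines = [
        "State   Recv-Q Send-Q Local Address:Port   Peer Address:Port Process",
        'LISTEN  0      128    0.0.0.0:22           0.0.0.0:*         users:(("sshd",pid=812,fd=3))',
        'LISTEN  0      1      0.0.0.0:1234         0.0.0.0:*         users:(("nc",pid=4412,fd=3))',
        'ESTAB   0      0      10.0.0.5:49822       198.51.100.7:5555 users:(("proc-a",pid=4410,fd=9))',
    ]
    for i in range(25):
        port = 22 if i % 2 == 0 else 2222
        lines.append(f'SYN-SENT 0 1 10.0.0.5:{50000 + i} 203.0.113.{i + 1}:{port} '
                     f'users:(("proc-a",pid=4410,fd={20 + i}))')
    return "\n".join(lines)


if __name__ == "__main__":
    for f in triage(parse_ss(_sample_ss_output())):
        print(f)
```

On a live host, feed it `subprocess.run(["ss", "-tanp"], capture_output=True, text=True).stdout`; the fan-out rule is the useful one, since port 1234 and 5555 are trivially changed by an operator while a brute-forcing node still has to open many SSH connections.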
Nodes in the network are in near-constant communication with one another to verify connectivity, stay synced, and exchange peers and targets. To ensure an even workload during the brute-forcing process, the hackers behind FritzFrog created a unique vote-casting system for the botnet's participating nodes.
The researchers estimate that the FritzFrog campaign may have been able to brute-force access to millions of SSH IP addresses successfully. Over 500 servers, belonging to several universities and a railroad company, have already been infiltrated by this sophisticated crypto miner.