Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

FritzFrog P2P Botnet is back and targets Healthcare, Education and Government Sectors

FritzFrog P2P botnet is back and is targeting servers belonging to entities in the healthcare, education, and government sectors. FritzFrog is a sophisticated botnet that was involved in attacks against SSH servers worldwide since January 2020. The bot is written in Golang and implements wormable capabilities, experts reported attacks against entities in the government, education, and finance sectors. […]

fritzfrog P2P botnet

FritzFrog P2P botnet is back and is targeting servers belonging to entities in the healthcare, education, and government sectors.

FritzFrog is a sophisticated botnet that was involved in attacks against SSH servers worldwide since January 2020.

The bot is written in Golang and implements wormable capabilities, experts reported attacks against entities in the government, education, and finance sectors.

The FritzFrog is a modular, multi-threaded, and file-less botnet that outstands for the use of a proprietary and fileless P2P implementation that has been written from scratch.

In August 2020, Guardicore Labs researchers published a detailed analysis of the threat, at the time the malware infected over 500 servers in the U.S. and Europe belonging to universities and a railway company.

Now the peer-to-peer Golang botnet has resurfaced, Akamai experts reported that it targeted servers belonging to entities in the healthcare, education, and government sectors.

In just one month, the threat infected a total of 1,500 hosts.

“[FritzFrog P2P botnet]It has recently resurfaced and displayed 10x growth in its infection rate within a month, compromising servers in the healthcare, education, and government sectors.” reads the report published by Akamai. “1,500 distinct hosts have been infected since the reappearance of the botnet, most of which are in China.”

The new campaign was spotted in early December 2021, the attack chain starts with an SSH brute force, then the malware drops and executes a file on the server. This malicious code starts listening on port 1234 and scanning thousands of internet IP addresses over ports 22 and 2222.

Experts noticed that the FritzFrog botnet was using ifconfig or nginx as names of the malicious process, while the recent variant of the P2P botnet used a process named apache2.

In December the botnet registered a 10x growth in its infection rate peaking at 500 incidents per day in January 2022.

fritzfrog P2P botnet

The Akamai researchers developed a tool called Frogger that allow them to gather information on infected hosts, including their uptime, hashrate, peers, and hasrate, if a cryptominer is running.

Experts discovered infected machines in a European television channel network, a Russian manufacturer of healthcare equipment, and multiple universities in East Asia. Most of the infections were observed in China. 

The new FritzFrog variant uses SCP to copy itself to a remote compromised server.

“The new implementation uses public SCP library written in Golang in GitHub. We could not determine any meaningful advantage for one method over the other. It is, however, notable that the writers of the SCP library are located in China.” continues the report.

Researchers also noticed that one of the new wallet addresses employed for crypto mining was also used as part of the Mozi botnet operation which was carried out by crooks arrested in September in China.

“These points of evidence, while not damning, lead us to believe a possible link exists to an actor operating in China, or an actor masquerading as Chinese.Lastly, monitoring attack data has demonstrated a high level of activity in and around China throughout the lifetime of the campaign. As of now, approximately 37% of infected nodes seem to be located in China.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, fritzfrog P2P botnet)

[adrotate banner=”5″]

[adrotate banner=”13″]