Original Release Date: 8/20/2020
Guardicore researchers discovered a new, sophisticated peer-to-peer (P2P) botnet dubbed FritzFrog. The malware brute-forces SSH credentials to propagate between servers and is actively targeting the education, government, finance, telecommunications, and healthcare sectors, with the primary goal of deploying XMRig to mine the Monero cryptocurrency. FritzFrog has successfully breached more than 500 SSH servers since January 2020. The malware first attempts to connect to a target server over SSH on port 22 or 2222 and then immediately erases itself after successful installation. The malicious processes run under the names ifconfig and nginx to evade detection, and launch a netcat client on port 1234 to listen for additional commands. A separate malware process named libexec begins cryptocurrency mining over port 5555. Additionally, FritzFrog installs a backdoor by adding a single public SSH-RSA key to the authorized_keys file, granting the threat actor access regardless of whether passwords are changed. Researchers have identified 20 different versions of the malware.
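As an added illustration (not the Guardicore detection script or code from this advisory), the following Python applies the indicators above to host data a defender can collect: the process name and port pairs from `ss -tlnp` output, and any SSH key in authorized_keys that is not on a known-good allowlist. The `ss` lines, key material and allowlist are constructed samples.

```python
import re

# One line of `ss -tlnp` output: state, queues, local addr:port, peer, users:(("proc",pid=..,fd=..))
SS_LINE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"'
)

# Process-name/port pairs named in the advisory: netcat command channel and mining process.
SUSPECT_PORTS = {1234: {"ifconfig", "nginx"}, 5555: {"libexec"}}

# Constructed sample output; on a real host feed the output of `ss -tlnp` here.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=900,fd=6))
LISTEN  0       1       0.0.0.0:1234         0.0.0.0:*          users:(("nginx",pid=4021,fd=5))
LISTEN  0       128     127.0.0.1:5555       0.0.0.0:*          users:(("libexec",pid=4033,fd=4))
"""

# Constructed authorized_keys content and an allowlist of known-good key material (not real keys).
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDADMINKEY admin@workstation
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCCONSTRUCTEDUNKNOWNKEY
"""
KNOWN_KEYS = {"AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDADMINKEY"}


def suspicious_listeners(ss_output):
    """Return (process, port) pairs where a listed process listens on a FritzFrog port.
    A legitimate nginx on port 80 is not flagged; only the name/port combination is."""
    hits = []
    for line in ss_output.splitlines():
        m = SS_LINE.match(line)
        if m and m.group("proc") in SUSPECT_PORTS.get(int(m.group("port")), set()):
            hits.append((m.group("proc"), int(m.group("port"))))
    return hits


def unknown_keys(authorized_keys, allowlist):
    """Return the comment (or key type when uncommented) of each key whose material is not allowlisted."""
    found = []
    for line in authorized_keys.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Skip a leading options field (e.g. no-pty) to reach the key type.
        i = next((k for k, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if i is None or i + 1 >= len(fields):
            continue
        if fields[i + 1] not in allowlist:
            found.append(" ".join(fields[i + 2:]) or fields[i])
    return found
```

Any key reported by `unknown_keys` should be removed only after confirming it is not a legitimate administrator key, and a hit from `suspicious_listeners` warrants inspecting the process binary rather than trusting its name.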
The NJCCIC recommends that administrators use strong, unique passwords and consider public key authentication. Additionally, consider enabling process-based segmentation rules, changing the default SSH port, and disabling access to ports not in use. Guardicore provides a FritzFrog detection script that checks for indicators of compromise. Further technical information and IOCs can be found in the Guardicore article.