A peer-to-peer Golang botnet has resurfaced after more than a year to compromise servers belonging to entities in the healthcare, education, and government sectors within a span of a month, infecting a total of 1,500 hosts.
Dubbed FritzFrog, “the decentralized botnet targets any device that exposes an SSH server — cloud instances, data center servers, routers, etc. — and is capable of running any malicious payload on infected nodes,” Akamai researchers said in a report shared with The Hacker News.
The new wave of attacks commenced in early December 2021, only to pick up pace and register a 10x growth in its infection rate in a month’s time, peaking at 500 incidents per day in January 2022. The cybersecurity firm said it detected infected machines in a European television channel network, a Russian manufacturer of healthcare equipment, and multiple universities in East Asia.
FritzFrog was first documented by Guardicore in August 2020, detailing the botnet’s proficiency at striking and infecting more than 500 servers across Europe and the U.S. since January that year. A large share of the new infections, on the other hand, are located in China.
“Fritzfrog relies on the ability to share files over the network, both to infect new machines and run malicious payloads, such as the Monero crypto miner,” security researcher Ophir Harpaz noted in 2020.
The botnet’s peer-to-peer (P2P) architecture makes it resilient in that every compromised machine in the distributed network can act as a command-and-control (C2) server rather than a single, centralized host. What’s more, the reappearance of the botnet has been accompanied by new additions to its functionality, including the use of a proxy network and the targeting of WordPress servers.
The infection chain propagates over SSH to drop a malware payload that then executes instructions received from the C2 server to run additional malware binaries as well as gather system information and files, before exfiltrating them back to the server.
FritzFrog is notable for the fact that the P2P protocol it uses is completely proprietary. While earlier versions of the malware process masqueraded as “ifconfig” and “nginx,” the latest variants attempt to hide their activities under the names “apache2” and “php-fpm.”
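The process-name masquerade described above is something a defender can check for directly: a process whose name is one of the names FritzFrog has borrowed, but whose executable does not live where the real daemon is installed (or has been deleted after launch). The following is an added example, not code from the Akamai report; the trusted install prefixes and the sample process records are assumptions constructed for illustration, and the live `/proc` collector only works on Linux.

```python
"""Flag processes named like FritzFrog's masquerade names but running from an unexpected binary."""
import os
from typing import Iterable, List, Tuple

# Names the malware has hidden behind: older variants (ifconfig, nginx), newer ones (apache2, php-fpm).
MASQUERADE_NAMES = {"ifconfig", "nginx", "apache2", "php-fpm"}

# Assumed legitimate install prefixes for those binaries on common distros (adjust per host baseline).
TRUSTED_PREFIXES = ("/usr/sbin/", "/usr/bin/", "/sbin/", "/bin/", "/usr/lib/")

ProcRecord = Tuple[int, str, str]  # (pid, comm, exe path)


def is_suspicious(comm: str, exe: str) -> bool:
    """True when a masquerade name runs from outside the trusted prefixes or from a deleted binary."""
    if comm not in MASQUERADE_NAMES:
        return False
    if not exe or exe.endswith(" (deleted)"):  # readlink() marks unlinked executables this way
        return True
    return not exe.startswith(TRUSTED_PREFIXES)


def scan_records(records: Iterable[ProcRecord]) -> List[ProcRecord]:
    """Return only the records that trip the masquerade rule."""
    return [(pid, comm, exe) for pid, comm, exe in records if is_suspicious(comm, exe)]


def read_proc() -> List[ProcRecord]:
    """Collect (pid, comm, exe) from a live Linux /proc; returns [] on other platforms."""
    out: List[ProcRecord] = []
    for entry in (os.listdir("/proc") if os.path.isdir("/proc") else []):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as f:
                comm = f.read().strip()
            exe = os.readlink(f"/proc/{entry}/exe")
        except OSError:
            continue  # process exited, kernel thread, or not readable by this user
        out.append((int(entry), comm, exe))
    return out


# Constructed sample records (not captured from a real incident).
SAMPLE: List[ProcRecord] = [
    (812, "nginx", "/usr/sbin/nginx"),                 # legitimate
    (901, "php-fpm", "/usr/sbin/php-fpm8.1"),           # legitimate
    (1432, "apache2", "/tmp/.x/apache2"),               # masquerade from a temp dir
    (1500, "php-fpm", "/dev/shm/php-fpm (deleted)"),    # masquerade, binary already unlinked
    (1700, "sshd", "/tmp/sshd"),                        # odd, but outside this rule's scope
]

if __name__ == "__main__":
    for pid, comm, exe in scan_records(read_proc() or SAMPLE):
        print(f"suspicious pid={pid} comm={comm} exe={exe}")
```

Running it on a real host with `/proc` scans live processes; elsewhere it falls back to the constructed sample, which flags pids 1432 and 1500.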
Other new traits incorporated into the malware include the use of the secure copy protocol (SCP) to copy itself to the remote server, Tor proxy chaining to mask outgoing SSH connections, an infrastructure to track WordPress servers for follow-on attacks, and a blocklist mechanism to avoid infecting low-end systems such as Raspberry Pi devices.
“One IP in the blocklist is from Russia. It has multiple open ports and a long list of unpatched vulnerabilities, so it may be a honeypot,” the researchers said. “Additionally, a second entry points to an open-source botnet sinkhole. These two entries suggest that the operators are attempting to evade detection and analysis.”
The inclusion of the SCP feature may have given the first clue as to the malware’s origins. Akamai pointed out that the library, written in Go, has been shared on GitHub by a user located in the Chinese city of Shanghai.
A second piece of information linking the malware to China stems from the fact that one of the new wallet addresses employed for crypto mining was also used as part of the Mozi botnet campaign, whose operators were arrested in China last September.
“These points of evidence, while not damning, lead us to believe a possible link exists to an actor operating in China, or an actor masquerading as Chinese,” the researchers concluded.