Researchers from Akamai Threat Labs have discovered that the sophisticated peer-to-peer (P2P) botnet FritzFrog has resurfaced.
In early December 2021, Akamai observed an uptick in attacks. FritzFrog was originally discovered in August 2020, after which attack incidents had dropped off for nearly a year.
Security researchers from Guardicore (now part of Akamai) discovered the FritzFrog P2P malware, which had been actively breaching SSH servers since January 2020.
FritzFrog is known to run Golang-based worm malware that is multi-threaded and fileless: it assembles and executes payloads in memory and leaves no trace on the infected victim's disk.
“FritzFrog has attempted to brute force and propagate to tens of millions of IP addresses of governmental offices, educational institutions, medical centers, banks and numerous telecom companies,” Guardicore warned at that time.
“Among those, it has successfully breached more than 500 servers, infecting well-known universities in the U.S. and Europe, and a railway company.”
FritzFrog v2
The Akamai team said the latest version of FritzFrog operates similarly to the previous one in that the attack starts with an SSH brute force. After the malicious files are dropped and executed, they listen on port 1234 and scan thousands of internet IP addresses on ports 22 and 2222.
FritzFrog v2, however, uses a different name for its malicious process.
“One difference between the old FritzFrog attacks and new attacks is the name of the malicious process. In the first round of attacks, the malicious process was named ifconfig or nginx; this time the FritzFrog operators chose the name apache2,” Akamai wrote.
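The network pattern described above (a process disguised as ifconfig, nginx or apache2 that listens on TCP 1234 while opening many connections to ports 22 and 2222) can be turned into a simple host-side check. The following is an added example, not Akamai's Frogger tool or any code from the report; it parses constructed `ss -tnp`-style output and the scan threshold of three connections is an assumed heuristic, not a figure from the page.

```python
import re
from collections import defaultdict

# Names FritzFrog gave its process: ifconfig/nginx in 2020, apache2 in the v2 campaign
FRITZFROG_NAMES = {"ifconfig", "nginx", "apache2"}
P2P_PORT = 1234          # the dropped binary listens here for the P2P network
SSH_PORTS = {22, 2222}   # ports it scans when hunting for new victims

# Constructed sample in the shape of `ss -tnp` output, not captured from a real host
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:1234 0.0.0.0:* users:(("apache2",pid=4242,fd=3))
ESTAB 0 0 10.0.0.5:51002 203.0.113.7:22 users:(("apache2",pid=4242,fd=9))
ESTAB 0 0 10.0.0.5:51003 203.0.113.8:2222 users:(("apache2",pid=4242,fd=10))
ESTAB 0 0 10.0.0.5:51004 203.0.113.9:22 users:(("apache2",pid=4242,fd=11))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=900,fd=6))
"""

# state, recv-q, send-q, local addr:port, peer addr:port, owning process name and pid
LINE_RE = re.compile(r'^(\S+)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+users:\(\("([^"]+)",pid=(\d+)')

def parse_ss(text):
    # group sockets by pid: process name, listening ports, peers on SSH ports
    procs = defaultdict(lambda: {"name": None, "listen": set(), "ssh_peers": 0})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or a socket with no owning process
        state, local, peer, name, pid = m.groups()
        p = procs[int(pid)]
        p["name"] = name
        if state == "LISTEN":
            # split on the last colon so IPv6 forms such as [::]:1234 also work
            p["listen"].add(int(local.rsplit(":", 1)[1]))
        elif int(peer.rsplit(":", 1)[1]) in SSH_PORTS:
            p["ssh_peers"] += 1
    return procs

def flag_fritzfrog(text, threshold=3):  # threshold: assumed heuristic, SSH conns per process
    findings = {}
    for pid, p in parse_ss(text).items():
        reasons = []
        if P2P_PORT in p["listen"]:
            reasons.append(f"listens on TCP {P2P_PORT}")
            if p["name"] in FRITZFROG_NAMES:  # nginx on :80 is normal; on :1234 it is a disguise
                reasons.append(f"name {p['name']!r} matches a known FritzFrog disguise")
        if p["ssh_peers"] >= threshold:
            reasons.append(f"{p['ssh_peers']} connections to ports 22/2222 (scanning)")
        if reasons:
            findings[pid] = reasons
    return findings
```

The legitimate nginx on port 80 is deliberately not flagged: the process name alone means nothing, only its combination with the 1234 listener or the outbound SSH fan-out does.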
Akamai also developed a detection tool called Frogger to help map and analyze the impact on FritzFrog victims.
“During the time span of the second campaign, FritzFrog managed to infect more than 1,500 distinct hosts. These were server machines belonging to organizations of various sizes and sectors, including healthcare, higher education, and government,” Akamai added.
Finally, Akamai observed that other new FritzFrog features include the capability to track vulnerable WordPress servers for future use. The P2P botnet also now uses SCP to copy itself to a remote compromised server.