Sophisticated P2P Botnet Targeting SSH Servers

Published: 23/11/2024   Category: security

FritzFrog is fileless, uses its own proprietary P2P implementation, and has breached at least 500 servers so far, Guardicore says.



Researchers at Guardicore Labs have discovered a sophisticated peer-to-peer (P2P) botnet actively targeting SSH servers worldwide since at least January 2020.
The botnet, dubbed FritzFrog, has been observed attempting to brute-force and spread to tens of millions of IP addresses, including those belonging to government offices, banks, telecom companies, medical centers, and educational institutions. So far, FritzFrog has breached at least 500 SSH servers at multiple well-known universities in the US and Europe and one railway company, according to Guardicore.
Like other P2P botnets, FritzFrog does not have a centralized command-and-control infrastructure. Instead, control is distributed among all nodes on the network: each node can select targets, communicate with other nodes, and update them over an encrypted channel. Security experts consider such botnets much harder to take down than centralized botnets because they don't have a single point of failure or point of control.
Several features, though, set FritzFrog apart from other botnets and make it more dangerous. The malware, which is written in the Go programming language, operates completely in memory. It leaves no traces on disk because it assembles and executes payloads and shares files entirely in memory.
Each node on the FritzFrog botnet stores a constantly updated database of targets, breached machines, and peers. Guardicore's analysis shows that no two nodes on the botnet attempt to attack the same target machine. Instead, they use a sort of vote-casting process to distribute targets evenly across the network, the security vendor says. Once on a system, the malware drops a backdoor that allows attackers to potentially regain access to a compromised machine even if the malware is removed.
Significantly, FritzFrog's P2P implementation also appears to have been developed from scratch and relies on no known protocols, suggesting its developers are highly sophisticated, Guardicore said in a
report Wednesday.
"FritzFrog is not the first fileless bot, but it might be the first fileless P2P botnet," says Ophir Harpaz, security researcher at Guardicore. "The malware's completely in-memory file-transfer system is a torrent-like approach that we've rarely - and perhaps never - seen previously used in malware."
Harpaz says that the FritzFrog samples that Guardicore analyzed show the malware to be currently executing a Monero cryptominer. However, it is highly unlikely that the miner is a top priority for the attackers, she says. What seems much more probable is that the attackers are interested in obtaining access to and gaining control over breached SSH servers so they can sell access to these servers in underground markets.
P2P Botnet-For-Hire
"Additionally, it is possible that FritzFrog is a P2P-infrastructure-as-a-service," Harpaz says. "Since it is robust enough to run any executable file or script on victim machines, this botnet can potentially be sold in the darknet, and be used for distributing malware or other malicious activity."
According to Guardicore, each node on the FritzFrog botnet is capable of launching brute-force password-guessing attacks to try to break into SSH servers. The dictionary of credentials the malware uses to brute-force its way into systems is more extensive than that normally used by P2P botnets.
Disrupting the FritzFrog botnet can be challenging since each node on the network effectively functions like a command-and-control server, Harpaz says. "In the regular client-server botnets, taking down the single command and control server will remove the stinger from the bee. This is not the case with P2P networks," she says.
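From the defender's side, a brute-force campaign like the one described above shows up in the SSH server's own authentication log as runs of "Failed password" entries, and the most important single event to surface is a successful password login from a source that had just been failing. The script below is an added example written for this article, not Guardicore's detection script; the log lines are constructed in the style OpenSSH writes to auth.log, and the thresholds (five failures, or three distinct usernames, from one source) are illustrative assumptions rather than anything the article specifies.

```python
"""Flag SSH password brute-force activity and post-brute-force logins in sshd log text.

Added example for the FritzFrog article; not Guardicore's detection script.
The sample log is constructed, and the thresholds are assumptions.
"""
import re
import sys
from collections import Counter, defaultdict

# OpenSSH syslog lines for a rejected and an accepted authentication attempt.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+ ssh2"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+ ssh2"
)

# Constructed sample: one source sprays several accounts and finally gets in with a
# password; a second source is a normal user who mistyped a password and then used a key.
SAMPLE_LOG = """\
Aug 19 10:00:01 srv sshd[1201]: Failed password for root from 198.51.100.7 port 41022 ssh2
Aug 19 10:00:03 srv sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 41024 ssh2
Aug 19 10:00:05 srv sshd[1205]: Failed password for invalid user oracle from 198.51.100.7 port 41026 ssh2
Aug 19 10:00:07 srv sshd[1207]: Failed password for invalid user test from 198.51.100.7 port 41028 ssh2
Aug 19 10:00:09 srv sshd[1209]: Failed password for root from 198.51.100.7 port 41030 ssh2
Aug 19 10:00:11 srv sshd[1211]: Failed password for root from 198.51.100.7 port 41032 ssh2
Aug 19 10:00:13 srv sshd[1213]: Accepted password for root from 198.51.100.7 port 41034 ssh2
Aug 19 10:05:00 srv sshd[1300]: Failed password for alice from 203.0.113.9 port 50100 ssh2
Aug 19 10:05:04 srv sshd[1302]: Accepted publickey for alice from 203.0.113.9 port 50102 ssh2: ED25519 SHA256:constructedfingerprint
Aug 19 10:06:00 srv sshd[1310]: Failed password for bob from 203.0.113.9 port 50104 ssh2
"""


def analyze_sshd_log(text, min_failures=5, min_users=3):
    """Return per-source failure counts, flagged sources, and password logins that followed failures."""
    failures_by_ip = Counter()
    users_by_ip = defaultdict(set)
    success_after_failures = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures_by_ip[m["ip"]] += 1
            users_by_ip[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        # A password login from a source that was already failing is the high-signal event;
        # key-based logins after a typo'd password are normal and are not flagged.
        if m and m["method"] == "password" and failures_by_ip[m["ip"]] > 0:
            success_after_failures.append((m["ip"], m["user"]))
    brute_force_sources = sorted(
        ip for ip in failures_by_ip
        if failures_by_ip[ip] >= min_failures or len(users_by_ip[ip]) >= min_users
    )
    return {
        "failures_by_ip": dict(failures_by_ip),
        "usernames_by_ip": {ip: sorted(users) for ip, users in users_by_ip.items()},
        "brute_force_sources": brute_force_sources,
        "success_after_failures": success_after_failures,
    }


if __name__ == "__main__":
    # Pass a log file path to scan a real auth.log; with no argument the constructed sample runs.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    report = analyze_sshd_log(text)
    for ip in report["brute_force_sources"]:
        print(f"brute-force source {ip}: {report['failures_by_ip'][ip]} failures, "
              f"users tried {report['usernames_by_ip'][ip]}")
    for ip, user in report["success_after_failures"]:
        print(f"PASSWORD LOGIN AFTER FAILURES: {user} from {ip} (treat as compromised)")
```

On the sample, the spraying source is flagged and its eventual password login for root is reported separately, while the second source stays below both thresholds. The "success after failures" list is the one worth paging on; the per-source counts are what you would feed into a blocklist or rate limiter, and key-only authentication on the server removes the password-guessing avenue altogether.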
Guardicore has released a detection script that organizations can use to check for the presence of the malware on SSH servers.
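A generic host check that follows from the fileless behaviour described earlier: a process that runs entirely from memory has no executable on disk, so on Linux its /proc/<pid>/exe link resolves to a deleted path or an anonymous memfd rather than to an installed binary. The script below is an added example, not the detection script Guardicore published, and it knows nothing FritzFrog-specific; the set of "volatile" directories it also reports on is an assumption, not an indicator from the article.

```python
"""List Linux processes whose executable has no backing file on disk or lives in a temp path.

Added example for the FritzFrog article; not Guardicore's detection script.
The volatile-path list below is an assumption, not an article indicator.
"""
import os

# Assumed: writable, often tmpfs-backed locations where a package-installed daemon
# would never legitimately live. Tune for your own environment.
VOLATILE_PREFIXES = ("/dev/shm/", "/tmp/", "/var/tmp/", "/run/")


def is_fileless_exe(link_target):
    """True when /proc/<pid>/exe points at something that no longer exists on disk.

    The kernel appends " (deleted)" when the file was unlinked after exec, and an
    executable created with memfd_create() shows up as "/memfd:<name> (deleted)".
    """
    return link_target.endswith(" (deleted)") or link_target.startswith("/memfd:")


def exe_in_volatile_location(link_target):
    """True when the executable path starts with one of the assumed temporary locations."""
    return link_target.startswith(VOLATILE_PREFIXES)


def read_comm(proc_dir):
    """Process name as reported by the kernel (may be unavailable if the process just exited)."""
    try:
        with open(os.path.join(proc_dir, "comm")) as fh:
            return fh.read().strip()
    except OSError:
        return "?"


def scan_proc(proc_root="/proc"):
    """Walk a procfs tree and return findings as dicts; run as root to see every process."""
    findings = []
    if not os.path.isdir(proc_root):
        return findings
    for entry in os.listdir(proc_root):
        if not entry.isdigit() or int(entry) == os.getpid():
            continue
        proc_dir = os.path.join(proc_root, entry)
        try:
            target = os.readlink(os.path.join(proc_dir, "exe"))
        except OSError:
            # Kernel threads have no exe; other users' processes need root to read it.
            continue
        reasons = []
        if is_fileless_exe(target):
            reasons.append("no backing file on disk")
        if exe_in_volatile_location(target):
            reasons.append("executable in temporary/tmpfs path")
        if reasons:
            findings.append({"pid": int(entry), "comm": read_comm(proc_dir),
                             "exe": target, "reasons": reasons})
    return sorted(findings, key=lambda f: f["pid"])


if __name__ == "__main__":
    for f in scan_proc():
        print(f"pid {f['pid']:>6}  {f['comm']:<16} {f['exe']}  [{'; '.join(f['reasons'])}]")
```

Expect some benign hits and triage them rather than acting on the list blindly: a long-running daemon whose package was upgraded while it ran also shows "(deleted)" until it is restarted, and some container runtimes and JIT-based tooling use memfd executables. A hit that is also listening on a network port, or that is named like a system binary but does not resolve to one, is what merits a closer look.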
P2P botnets like FritzFrog continue to be relatively rare. However, they are a growing threat. One of the more notable examples of a P2P botnet is DDG, a cryptomining botnet that researchers from NetLab first reported in Jan 2018. The botnet started off as a typical, centrally controlled network of infected machines. But it has kept constantly evolving and now has a P2P communications capability, though it also uses a static C2 server.
Mozi, an IoT botnet that researchers at CenturyLink discovered earlier this year, is another example. The malware combines code from three older IoT malware variants, Mirai, Gafgyt, and IoT Reaper, and grew to about 2,200 nodes at its peak.
