Researchers have discovered a sophisticated new peer-to-peer botnet that has been actively breaching Secure Shell servers since January.
FritzFrog, which executes a worm malware written in Golang, was unearthed by a team at Guardicore. The malware deployed by the botnet is multi-threaded and fileless and disconcertingly leaves no trace on the disks of the machines it infects.
It creates a backdoor in the form of an SSH public key, providing the attackers with ongoing access to victim machines.
Organizations in the government, education, and finance industries have all been targeted by the botnet, which has managed to successfully breach over 500 servers. Victims include a railway company and universities in the United States and Europe.
Researchers wrote: "FritzFrog has attempted to brute force and propagate to tens of millions of IP addresses of governmental offices, educational institutions, medical centers, banks and numerous telecom companies."
The botnet is considered to be sophisticated because its peer-to-peer (P2P) implementation was written from scratch and is completely proprietary. Researchers believe that this shows the botnet was created by "highly professional software developers."
FritzFrog uses a decentralized infrastructure to distribute control among all its nodes.
Describing how the botnet functions, researchers wrote: "In this network with no single point-of-failure, peers constantly communicate with each other to keep the network alive, resilient and up-to-date. P2P communication is done over an encrypted channel, using AES for symmetric encryption and the Diffie-Hellman protocol for key exchange."
Guardicore Labs has developed a client program in Golang capable of intercepting FritzFrog’s P2P communication. However, researchers have not been able to pin down the origins of the malicious botnet.
"While we are unable to attribute the FritzFrog botnet to a specific group, we have found some resemblance to a previously-seen P2P botnet named Rakos," wrote researchers.
Guardicore Labs first noticed this malicious campaign in January as part of its ongoing Botnet Encyclopedia research. Researchers have identified 20 different versions of the malware executable.
Offering advice on how to avoid becoming a FritzFrog victim, researchers wrote: "Weak passwords are the immediate enabler of FritzFrog’s attacks. We recommend choosing strong passwords and using public key authentication."