Peer-to-Peer Botnet FritzFrog is Back (11th February 2022)

Ref# T2022_01 | Date: Feb 11th 2022

What is FritzFrog?

FritzFrog is a sophisticated, modular, multi-threaded and fileless peer-to-peer (P2P) botnet that has been actively infiltrating SSH servers around the world. Its decentralized infrastructure spreads control across all of its nodes: peers communicate with each other regularly to keep the network active, resilient and up to date, with no single point of failure. P2P communication takes place over an encrypted channel, using AES for symmetric encryption and the Diffie-Hellman protocol for key exchange.

Unlike other P2P botnets, FritzFrog has a set of characteristics that distinguish it: it is fileless, assembling and executing payloads in memory. It is more aggressive in its brute-force attacks, yet still efficient, because targets are distributed evenly across the network. Finally, FritzFrog's peer-to-peer protocol is unique and not based on any existing implementation.

The malware is written in Golang and is fully volatile, leaving no traces on the hard drive. It installs a backdoor in the form of an SSH public key, giving the attackers continuous access to the victims' computers.

How FritzFrog works

Infection begins with the execution of the UPX-packed malware, which then deletes itself. To avoid detection, the malware runs under the process name apache2.

FritzFrog listens for orders on port 1234. The first instructions given to a new target integrate it into the database of network peers and brute-force targets. The new victim then joins the P2P network and begins donating its CPU power to propagating the botnet to new SSH servers. It can also receive and execute commands from other network peers. To avoid detection on port 1234, the attacker connects to the victim over SSH and runs a Secure Copy Protocol (SCP) client on the victim's workstation.

A list of IP addresses and hash values used by the threat actors behind FritzFrog can be found at the following URL:

https://sequretek.com/wp-content/uploads/2018/10/Sequretek-Advisory-FritzFrog.pdf

Prevention and Remediation

Some preventive measures you can take to protect yourself from FritzFrog are:

  • Always keep systems updated and patched.
  • Block the listed IP addresses on the corresponding security devices.
  • Create an explicit allow list of SSH logins.
  • Use strong SSH passwords and public-key authentication.
  • Disable root SSH access.
  • Enable system login auditing with alerting.
  • Monitor the authorized_keys file on Linux systems.
  • If possible, change the SSH port on routers and IoT devices.
  • Disable SSH access if the service is not needed.

A detection tool can be found at the following URL:

https://github.com/guardicore/labs_campaigns/blob/master/FritzFrog/detect_fritzfrog.sh

If infected by FritzFrog, users and administrators are asked to delete the public key belonging to FritzFrog from the authorized_keys file to remove the backdoor.
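The indicators described above (an unexpected key in authorized_keys, a listener on port 1234, a process hiding under the name apache2) can be triaged with a short script. The following is an added example written for this advisory, not the Guardicore detection tool or the CIRT's own code; it assumes a plain authorized_keys layout without option prefixes, a known-good baseline file maintained by the administrator, and `ss -ltnp` output (live or saved) as the listener source. The sample data inside it is constructed.

```shell
#!/bin/sh
# Added example for this advisory (not the CIRT's or Guardicore's tool):
# triage checks for the FritzFrog indicators named above. Both checks
# read text, so they run against a live host or saved evidence.

FRITZFROG_PORT=1234          # port the advisory says the bot listens on
FRITZFROG_PROCNAME=apache2   # process name the malware hides under

# Print every key in authorized_keys FILE that is absent from BASELINE.
# Keys are compared on type + key material only, so changing the trailing
# comment cannot hide a key. Assumes lines carry no option prefix.
check_authorized_keys() {   # usage: check_authorized_keys FILE BASELINE
    awk -v base="$2" '
        /^[ \t]*(#|$)/       { next }                   # blanks and comments
        FILENAME == base     { known[$1 " " $2] = 1; next }
        !(($1 " " $2) in known) {
            print "unexpected key: " $1 " " substr($2, 1, 16) "... (" $3 ")" }
    ' "$2" "$1"
}

# Read `ss -ltnp` output on stdin; flag any listener on the FritzFrog port
# and any "apache2" listening outside the web ports 80/443. Exit 1 on hits.
check_listeners() {         # usage: ss -ltnp | check_listeners
    awk -v port="$FRITZFROG_PORT" -v name="$FRITZFROG_PROCNAME" '
        NR == 1 { next }                                  # column header
        { n = split($4, a, ":"); lport = a[n] + 0 }       # handles [::]:1234
        lport == port + 0 { print "listener on port " port ": " $0; hits++; next }
        index($0, "\"" name "\"") && lport != 80 && lport != 443 {
            print name " on unexpected port " lport ": " $0; hits++ }
        END { exit hits > 0 }'
}

# Constructed sample of `ss -ltnp` output showing both indicators.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    0.0.0.0:1234       0.0.0.0:*         users:(("apache2",pid=4242,fd=7))
LISTEN 0      511    *:80               *:*               users:(("apache2",pid=901,fd=4))'

printf '%s\n' "$SAMPLE_SS" | check_listeners || echo "=> investigate the flagged process"
```

On a live host, run `ss -ltnp | check_listeners` and `check_authorized_keys ~/.ssh/authorized_keys /path/to/baseline` for each account that accepts SSH logins; a key that is flagged and unknown is the backdoor this advisory tells you to remove.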

The Guyana National CIRT recommends that users and administrators review these recommendations and implement them where necessary.

PDF Download: Peer to Peer Botnet FitzFrog is Back.pdf
