Security firm Guardicore disclosed the discovery of a dangerous botnet. Named by Guardicore researchers as FritzFrog, the botnet uses a malware technique known as “fileless”; this means that it does not install anything on the victim’s machine and leaves no trace on the hard drive, making it very difficult for traditional antivirus software to detect.

Similarly, the botnet also has a peer to peer (P2P) structure, eliminating the use of a command and control center. In other words, there is no master machine that sends instructions to infected PCs, making the task of finding the owner of FritzFrog almost impossible.

According to Ophir Harpaz, a researcher at Guardicore, this botnet specialized in infecting SSH servers was found in January this year. Fritzfrog has already managed to infect around 500 machines around the world, including renowned universities in the United States and Europe, as well as a railway company.

Features of FritzFrog

Professionals of the company summarize FritzFrog as:

▸It is based on Golang: FritzFrog runs a modular, Golang-developed Trojan-type malware that splits its activity into multiple threads and, crucially, is fileless, allowing it to operate without leaving a trace on the infected system’s hard drive.

▸Targets of this botnet: It appears to be actively targeting government, education, finance, and other sectors. FritzFrog uses brute force to try to spread to tens of millions of IP addresses belonging to government offices, educational institutions, medical centers, banks, and numerous telecommunications companies. Through these attacks it has infected at least 500 identified servers, among them those of prestigious universities in Europe and the United States, as well as a railway company.

▸It is a very complex botnet: FritzFrog is fully proprietary; its P2P implementation was written from scratch, which indicates that the actors behind the botnet are highly professional software developers or, at a minimum, employ such people, both in its initial development and in its continuous evolution.

Although it is not yet clear how the infection occurs, everything indicates that it is carried out by brute force against servers whose passwords are too weak and which do not use a cryptographic certificate.
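Since the article describes the infection vector as SSH password brute forcing, a defender's first question is whether a server's own sshd logs show that pattern. The following is an added example (not code from the article or from Guardicore): it parses OpenSSH-style `auth.log` lines, counts failed password logins per source IP, and flags any IP that reaches a threshold of failures and then obtains a successful password login from the same address. The log lines are constructed for this example; the `srv1` hostname, the IP addresses and the threshold of 5 are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH auth.log format (not real traffic).
SAMPLE_LOG = """\
Aug 20 10:01:02 srv1 sshd[1201]: Failed password for root from 203.0.113.10 port 51234 ssh2
Aug 20 10:01:03 srv1 sshd[1202]: Failed password for invalid user admin from 203.0.113.10 port 51236 ssh2
Aug 20 10:01:04 srv1 sshd[1203]: Failed password for root from 203.0.113.10 port 51240 ssh2
Aug 20 10:01:05 srv1 sshd[1204]: Failed password for invalid user test from 203.0.113.10 port 51244 ssh2
Aug 20 10:01:06 srv1 sshd[1205]: Failed password for root from 203.0.113.10 port 51250 ssh2
Aug 20 10:01:09 srv1 sshd[1206]: Accepted password for root from 203.0.113.10 port 51260 ssh2
Aug 20 10:05:00 srv1 sshd[1301]: Accepted publickey for deploy from 198.51.100.5 port 40022 ssh2: ED25519 SHA256:AAAA
Aug 20 10:06:00 srv1 sshd[1302]: Failed password for alice from 192.0.2.7 port 33000 ssh2
"""

# Matches both "Accepted <method> for <user>" and "Failed <method> for [invalid user] <user>".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_sshd_lines(text):
    """Return a list of dicts (result, method, user, ip) for each recognised sshd line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def find_brute_force(events, threshold=5):
    """Source IPs with at least `threshold` failed password logins, with the usernames tried."""
    failures = defaultdict(int)
    users = defaultdict(set)
    for e in events:
        if e["result"] == "Failed" and e["method"] == "password":
            failures[e["ip"]] += 1
            users[e["ip"]].add(e["user"])
    return {
        ip: {"failures": n, "users": sorted(users[ip])}
        for ip, n in failures.items()
        if n >= threshold
    }


def find_password_logins_after_failures(events, threshold=5):
    """(ip, user) pairs where a password login succeeded after `threshold` failures from that IP.

    This is the signal that matters most: a brute-force run that eventually worked.
    Events are processed in log order, so only successes following the failures count.
    """
    failures = defaultdict(int)
    hits = []
    for e in events:
        if e["method"] != "password":
            continue  # key-based logins are not part of a password-guessing pattern
        if e["result"] == "Failed":
            failures[e["ip"]] += 1
        elif failures[e["ip"]] >= threshold:
            hits.append((e["ip"], e["user"]))
    return hits


if __name__ == "__main__":
    evts = parse_sshd_lines(SAMPLE_LOG)
    print("brute-force sources:", find_brute_force(evts))
    print("successful logins after brute force:", find_password_logins_after_failures(evts))
```

On a real host the same functions can be fed the contents of `/var/log/auth.log` (or `journalctl -u ssh` output); a hit from `find_password_logins_after_failures` means the account in question should be treated as compromised. The structural mitigation for the vector the article describes is to disable password logins in `sshd_config` (`PasswordAuthentication no`) and require key-based authentication, which turns the whole brute-force class into noise rather than a risk.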
