FritzFrog botnet is active again

The P2P botnet FritzFrog, which was discovered by researchers back in 2020 and then ceased operations, is active again, and its attacks have become much more intense.

Let me remind you that in 2020, the botnet was noticed by experts from Guardicore Labs (now a division of Akamai). Then it actively attacked SSH servers belonging to government, educational, financial, medical and telecommunications organizations and institutions around the world, and well-known universities in the US and Europe, as well as a railway company, suffered from these hacks.

In 2020, the main goal of FritzFrog was to mine the Monero cryptocurrency. For doing this, on the infected systems XMRig miner was deployed. It was also connected to the connected to the web.xmrpool.eu pool via port 5555 was deployd. אָבער, by the end of the year, the activity of the botnet completely ceased for unknown reasons.

As Akamai analysts now report, in December 2021, FritzFrog returned with improved code, and its attacks became much more intense. The botnet still bruteforces SSH to infect new systems and still uses a P2P architecture to control infected hosts. Among the changes found in the code, analysts note:

  1. adding support for Tor-proxy to mask brute-force attacks;
  2. using the SCP protocol to copy itself into compromised systems;
  3. The appearance of a blacklist that includes servers that cannot be infected (mostly low-cost systems with limited resources: Raspberry Pi devices or low-resource EC2 images on AWS);
  4. preparation of a botnet for attacks on WordPress sites.

As before, after being hacked, the attackers use the obtained access to mine the Monero cryptocurrency. Akamai reports that it is already recording about 500 incidents per day, and in total, the botnet has infected more than 1,500 systems.

Approximately 37% of infected machines are located in China, but companies and organizations around the world become victims of FritzFrog, which is why analysts believe that botnet attacks are random, דאס איז, hackers do not carefully select their future victims.

[The attacks are] targeting server machines belonging to organizations of various sizes and from various sectors, including healthcare, education, and government agencies. We have found infected machines in the network of European TV channels, at a Russian manufacturer of medical equipment and at several universities in East Asia.the company said.

Let me remind you that we also reported that MyKings botnet steals cryptocurrency via clipboard, and also that Pink botnet was infected over 1.5 מיליאָן דעוויסעס.

העלגאַ סמיט

איך בין שטענדיק אינטערעסירט אין קאָמפּיוטער וויסנשאַפֿט, ספּעציעל דאַטן זיכערהייט און די טעמע, וואס הייסט היינט-צו-טאג "דאַטן וויסנשאַפֿט", זינט מיין פרי טינז. איידער איר קומען אין די ווירוס באַזייַטיקונג מאַנשאַפֿט ווי רעדאַקטאָר-אין-ראשי, איך געארבעט ווי אַ סייבערסעקוריטי מומחה אין עטלעכע קאָמפּאַניעס, אַרייַנגערעכנט איינער פון אַמאַזאָן ס קאָנטראַקטאָרס. אן אנדער דערפאַרונג: איך האָבן געלערנט אין Arden און רידינג אוניווערסיטעטן.

לאָזן אַ ענטפער

דער פּלאַץ ניצט Akismet צו רעדוצירן ספּאַם. לערנען ווי דיין באַמערקונג דאַטן זענען פּראַסעסט.

צוריק צו שפּיץ קנעפּל