Cybersecurity firm Guardicore Labs has recently published findings on FritzFrog, a cryptojacking malware botnet that has been deployed to tens of millions of IP addresses. According to the findings, FritzFrog has mostly targeted medical centers, banks, telecommunication companies, government offices, and educational institutions.
So far, the botnet’s attacks have been prolific: Guardicore’s report found that FritzFrog has compromised “over 500 SSH servers, including those of known high-education institutions in the U.S. and Europe, and a railway company.”
The botnet uses a type of brute-force attack on millions of different servers in order to break in. Once it gains access, FritzFrog runs a separate process named “libexec” to execute XMRig, the malware that co-opts computing power to mine Monero.
“Highly professional” malware
While cryptojacking malware is certainly nothing new, Guardicore says that FritzFrog appears to be unique. For one thing, the botnet’s connections were hidden within a peer-to-peer (P2P) network, which made it difficult to track.
“Unlike other P2P botnets, FritzFrog combines a set of properties that makes it unique: it is fileless, as it assembles and executes payloads in-memory,” the report said. “It is more aggressive in its brute-force attempts, yet stays efficient by distributing targets evenly within the network.”
Additionally, Guardicore found that FritzFrog’s “p2p implementation was written from scratch,” which seems to indicate that the malware was created by “highly professional software developers.”
FritzFrog’s protocol is written in Golang (Go), and the malware “is completely volatile and leaves no traces on the disk.” It also adds an SSH public key that acts as a “backdoor,” giving the operators ongoing access to compromised machines even after the original password is changed.
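The two host-level traces the report describes, a burst of SSH password failures followed by a success, and an extra public key in a user’s authorized_keys, are both easy to check for. The script below is an added example written for this article; it is not code from Finance Magnates or from Guardicore’s report, and the sshd log lines, key blobs and allowlist it uses are constructed placeholders, not real captures or FritzFrog indicators. It assumes the default OpenSSH syslog message format and the OpenSSH SHA256 fingerprint scheme (base64 of the SHA-256 of the decoded key blob).

```python
"""Added example, not from the article or Guardicore's report: flag two of the
FritzFrog behaviours described above on a Linux host.
  1. SSH brute-force bursts in sshd logs (many failures, then a success).
  2. Public keys in authorized_keys that are not on a known-good allowlist.
All inputs below are constructed sample data."""
import re
import hashlib
import base64
from collections import defaultdict

# Constructed sshd log lines in the default syslog format (not real captures).
SAMPLE_AUTH_LOG = """\
Aug 19 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Aug 19 10:01:03 host sshd[1203]: Failed password for root from 203.0.113.7 port 40124 ssh2
Aug 19 10:01:03 host sshd[1205]: Failed password for invalid user admin from 203.0.113.7 port 40126 ssh2
Aug 19 10:01:04 host sshd[1207]: Failed password for root from 203.0.113.7 port 40128 ssh2
Aug 19 10:01:05 host sshd[1209]: Failed password for root from 203.0.113.7 port 40130 ssh2
Aug 19 10:01:06 host sshd[1211]: Accepted password for root from 203.0.113.7 port 40132 ssh2
Aug 19 10:03:11 host sshd[1300]: Failed password for alice from 198.51.100.4 port 51000 ssh2
Aug 19 10:03:15 host sshd[1302]: Accepted publickey for alice from 198.51.100.4 port 51002 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")


def brute_force_sources(log_text, threshold=5):
    """Return {ip: {"failures": n, "success_after": bool}} for every source IP
    with at least `threshold` failed-password attempts. A successful login from
    an IP that has already crossed the threshold is the case worth paging on."""
    failures = defaultdict(int)
    success_after = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m and failures.get(m.group(3), 0) >= threshold:
            success_after[m.group(3)] = True
    return {ip: {"failures": n, "success_after": success_after.get(ip, False)}
            for ip, n in failures.items() if n >= threshold}


def ssh_fingerprint(b64_blob):
    """OpenSSH-style 'SHA256:...' fingerprint of a public key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def unexpected_keys(authorized_keys_text, allowed_fingerprints):
    """Return (key_type, comment, fingerprint) for each key line in an
    authorized_keys file whose fingerprint is not in the allowlist."""
    unknown = []
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # A line may start with options such as 'no-pty'; locate the key type field.
        idx = next((i for i, f in enumerate(fields)
                    if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(fields):
            continue  # malformed line, skip rather than crash
        key_type, blob = fields[idx], fields[idx + 1]
        comment = " ".join(fields[idx + 2:])
        fp = ssh_fingerprint(blob)
        if fp not in allowed_fingerprints:
            unknown.append((key_type, comment, fp))
    return unknown


# Constructed placeholder key blobs (valid base64, NOT real public keys).
KNOWN_BLOB = base64.b64encode(b"constructed placeholder blob for alice's laptop").decode()
UNKNOWN_BLOB = base64.b64encode(b"constructed placeholder blob dropped by an intruder").decode()
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample file; blobs are placeholders
ssh-ed25519 {KNOWN_BLOB} alice@laptop
ssh-rsa {UNKNOWN_BLOB}
"""
# Allowlist of fingerprints the host owner has approved.
ALLOWED = {ssh_fingerprint(KNOWN_BLOB)}

if __name__ == "__main__":
    for ip, info in brute_force_sources(SAMPLE_AUTH_LOG).items():
        print(f"brute force from {ip}: {info['failures']} failures, "
              f"login succeeded afterwards: {info['success_after']}")
    for key_type, comment, fp in unexpected_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWED):
        print(f"unexpected key: {key_type} {fp} comment={comment!r}")
```

On a real host you would feed `brute_force_sources` the contents of /var/log/auth.log (or `journalctl -u ssh` output) and `unexpected_keys` each user's ~/.ssh/authorized_keys, with `ALLOWED` populated from `ssh-keygen -lf` on the keys you actually issued; a key with no comment and a fingerprint you never approved is exactly the persistence the article describes.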
Cryptojacking malware has targeted large institutions before
Earlier this year, Finance Magnates reported that another form of cryptojacking malware was targeting “supercomputers” that belong to institutions similar to the ones that FritzFrog seems to be targeting.
At that time, the crypto malware caused a number of these “supercomputers” to go offline. The timing of the shutdowns was particularly bad because many of the organizations running the computers were prioritizing research on COVID-19. This research may have been hampered as a result of the malware and the subsequent shutdowns.