Skip to main content

FritzFrog Botnet

FritzFrog is a crypto mining botnet with a number of sophisticated features to aid propagation and hinder detection. Since January 2020, it has infected over 500 individual organisations worldwide.

Threat ID:
CC-3602
Category:
Botnet, Worm
Threat Severity:
Low
Threat Vector:
Insecure network
Published:
19 August 2020 12:00 AM
Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

FritzFrog is a crypto mining botnet with a number of sophisticated features to aid propagation and hinder detection. Since January 2020, it has infected over 500 individual organisations worldwide.

Affected platforms

The following platforms are known to be affected:

Versions: most popular distributions

Linux

Threat details

Introduction

First observed in January 2020, FritzFrog is an advanced peer-to-peer (P2P) botnet and worm targeting education, financial, government, healthcare, and telecommunications organisations globally.

Written in Go, it displays a number of sophisticated features, including fileless execution and a bespoke P2P protocol, that suggest it may be developed by an unknown advanced persistent threat group.

Propagation & activities

FritzFrog propagates to new systems using brute-force attacks on exposed SSH services. Interestingly, these attacks appear to be distributed across the botnet, with each FritzFrog instance making attempts in sequence to prevent detection.

If successful, it will inject a copy of itself directly into memory using the names ifconfig and nginx. The new copy then connects to the FritzFrog botnet over TCP 1234 to download the XMRig mining application before deploying it over TCP 5555. While the miner is running, FritzFrog will monitor system resources and terminate any processes that are over-utilising CPU resources.

P2P protocol

The P2P protocol used by the FritzFrog botnet appears to be entirely proprietary and allows each individual instance to act as both a bot and a controller if necessary. This decentralisation allows FritzFrog to be highly resilient.

Remediation advice

To prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that the NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.

Indicators of compromise

Host indicators

SHA256 hashes

  • 001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859
  • 041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742
  • 0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732
  • 103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046
  • 2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86
  • 23e390e6531623c1e9e09b1eaf807d501d1a01e45184b7d3ffc4eeed955b0c6d
  • 30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01
  • 3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5
  • 39ab194dc7a7ba65615a30d99ed8845ee00ad19f2ac1236fbd71a671f7fa4c5a
  • 453468b86856665f2cc0e0e71668c0b6aac8b14326c623995ba5963f22257619
  • 5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
  • 6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c
  • 7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6
  • 7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd
  • 8c094313b1d4236ae3f630d93e8037b0a9d38df716d5d7aed5b871dea0dc1445
  • 90b61cc77bb2d726219fd00ae2d0ecdf6f0fe7078529e87b7ec8e603008232d5
  • 9384b9e39334479194aacb53cb25ace289b6afe2e41bdc8619b2d2cae966b948
  • 985ffee662969825146d1b465d068ea4f5f01990d13827511415fd497cf9db86
  • d1e82d4a37959a9e6b661e31b8c8c6d2813c93ac92508a2771b2491b04ea2485
  • d9e8d9187fdd5a6682cc3b55076fe48bc8743487eb4731f669a7d591d3015ce5

Last edited: 19 August 2020 3:26 pm