A New Generation of Peer-to-Peer Botnets Targeting SSH Servers Worldwide

0

FritzFrog is a highly sophisticated peer-to-peer (P2P) botnet that has been actively breaching SSH servers worldwide. With its decentralized infrastructure, it distributes control among all its nodes. In this network with no single-point-of-failure, peers constantly communicate with each other to keep the network alive, resilient, and up-to-date. P2P communication is done over an encrypted channel, using AES for symmetric encryption and the Diffie-Hellman protocol for key exchange.

Unlike other P2P botnets, FritzFrog combines a set of properties that makes it unique: it is fileless, as it assembles and executes payloads in-memory. It is more aggressive in its brute-force attempts, yet stays efficient by distributing targets evenly within the network. Finally, FritzFrog’s P2P protocol is proprietary and is not based on any existing implementation.

This malware is written in Golang, is completely volatile, and leaves no traces on the disk. It creates a backdoor in the form of an SSH public key, enabling the attacker’s ongoing access to victim machines. Since the beginning of the campaign, we identified 20 different versions of the malware executable.

In this report, we will describe how the FritzFrog campaign was discovered, the nature of its P2P network, and the malware’s inner workings – including the infection process, command encryption, and volatile behavior.

Guardicore Labs provides a Github repository containing a detection script as well as a list of Indicators of Compromise (IOCs) for this campaign.

Geographic distribution of infected nodes. The most infected countries are the US, China and South Korea.Guardicore Labs first noticed this campaign as part of its ongoing Botnet Encyclopedia research. On January 9, new attack incidents appeared where malicious processes named ifconfig and nginx were executed. We started monitoring the campaign’s activity, which rose steadily and significantly with time, reaching an overall of 13k attacks on Guardicore Global Sensors Network (GGSN). Since its first appearance, we identified 20 different versions of the Fritzfrog binary.

Graph showing the number of FritzFrog attacks on Guardicore Global Sensors Network

What was intriguing about this campaign was that, at first sight, there was no apparent command and control (CNC) server being connected to. It was shortly after the beginning of the research when we understood no such CNC existed in the first place.

To intercept the FritzFrog network, Guardicore Labs has developed a client program in Golang, which performs the key-exchange process with the malware and is capable of sending commands and receiving their outputs. This program, which we named frogger, allowed us to investigate the nature and scope of the network. Using frogger, we were also able to join the network by “injecting” our own nodes and participating in the ongoing P2P traffic.

FritzFrog was found to brute-forces millions of IP addresses, among which are governmental offices, educational institutions, medical centers, banks, and numerous telecom companies. It has successfully breached over 500 SSH servers, including those of known high-education institutions in the U.S. and Europe, and a railway company.

Why “New-Generation”?

FritzFrog has a special combination of properties, which makes it unique in the threat landscape:

  • Fileless – FritzFrog operates with no working directory, and file transfers are done in-memory using blobs.
  • Constantly updating – databases of targets and breached machines are exchanged seamlessly.
  • Aggressive – Brute-force is based on an extensive dictionary. By comparison, DDG, a recently discovered P2P botnet, used only the username “root”.
  • Efficient – Targets are evenly distributed among nodes.
  • Proprietary– The P2P protocol is completely proprietary, relying on no known P2P protocols such as ÎĽTP.

Once a victim is successfully breached, it starts running the UPX-packed malware, which immediately erases itself. The malware process runs under the names ifconfig and nginx, to minimize suspicion. As part of its startup process, the malware begins listening on port 1234, waiting for commands. The first commands which a new victim receives are responsible for syncing the victim with the database of network peers and brute-force targets.

Traffic on a non-standard port, such as 1234, can be easily detected and blocked by firewalls and other security products. Thus, FritzFrog’s author employed a creative technique to evade detection and stay under the radar. Instead of sending commands directly over port 1234, commands are sent to the victim in the following manner: The attacker connects to the victim over SSH and runs a netcat client on the victim’s machine, which in turn connects to the malware’s server. From this point on, any command sent over SSH will be used as netcat’s input, thus transmitted to the malware.

The Fritzfrog attackers implemented an encrypted command channel with over 30 different commands. Command parameters and responses are transferred in designated data structures and serialized (“marshalled”) to JSON format. Prior to sending, the data is encrypted using AES symmetric encryption and encoded in Base64. To agree upon the encryption key, the involved nodes use the Diffie-Hellman key exchange protocol.

Nodes in the FritzFrog network keep in close contact with each other. They constantly ping each other to verify connectivity, exchange peers and targets, and keep each other synced. The nodes participating in a clever vote-casting process, which appears to affect the distribution of brute-force targets across the network. Guardicore Labs observed that targets are evenly distributed, such that no two nodes in the network attempt to “crack” the same target machine.

Found this article interesting? Follow AllHackerNews on Facebook, Twitter, and LinkedIn to read more exclusive content we post.

LEAVE A REPLY

Please enter your comment!
Please enter your name here