FritzFrog and the evolution of Botnets

easyDNS is pleased to sponsor Jesse Hirsh‘s “Future Fibre / Future Tools” segments of his new email list, Metaviews

What if most software was actually malware?

Cybersecurity is a constantly evolving and dynamic world where attackers have significant incentives and rewards to find new ways of compromising and infiltrating systems. In contrast researchers are constantly playing catch up, trying to deduce and reverse engineer how a successful attack happened and why.

While this may seem like a futile and frustrating process (which for many it is), the work done by cybersecurity researchers is genuinely remarkable, and far from easy. Especially given that many of the opponents these researchers are investigating are either state-based or state-supported, given the significant overlap between contemporary hacking and espionage.

FritzFrog is the latest sensational malware, discovered by Ophir Harpaz, a security researcher with the firm Gaurdicore, and while there’s no immediate proof it is the work of a government backed hacker group, it is sophisticated enough to raise such suspicion.

Although FritzFrog is not the malware per se, but the botnet that the malware enables.

A botnet, or robot network, is a kind of illicit and distributed supercomputer, built using systems that have been compromised or effectively stolen, and then used for a wide range of malicious or benign purposes. A botnet could be regarded as a weapon, or a fog of war, or just a platform that can be leased out or sold to others.

Botnets have become one of the primary objectives of cyber attacks, a way of uniting conquered systems into a larger system that can keep growing.

As a weapon botnets are used to infect or attack other systems. As a fog of war they’re used to cover the tracks of an attacker or just hide activity overall. And as a platform for both of these functions or more, access to it can be sold off on a per use basis, or the entire botnet can be permanently sold to other parties.

It’s not clear what FritzFrog is being used for, but as far as botnets go, it does represent a new level of sophistication and resilience.

Perhaps one of the more interesting aspects of botnets are the ways in which they begin to mimic living organisms. Each compromised system could be considered a cell or molecule, and then these individual units combine to form a larger more complex creature.

Software entities like this almost embody the notion of “metaviews” as they exist and function at multiple levels of abstraction.

On the one hand there’s the actual compromised system, but more importantly is the botnet system itself, which exists on that higher abstract plane, in this case quite literally, due to the way the blobs interact and transcend any individual system.

Here’s the executive summary from the Guardicore report:

  • Guardicore has discovered FritzFrog, a sophisticated peer-to-peer (P2P) botnet which has been actively breaching SSH servers since January 2020.
  • Golang-Based Malware: FritzFrog executes a worm malware which is written in Golang, and is modular, multi-threaded and fileless, leaving no trace on the infected machine’s disk.
  • Actively Targeting Government, Education, Finance and more: FritzFrog has attempted to brute force and propagate to tens of millions of IP addresses of governmental offices, educational institutions, medical centers, banks and numerous telecom companies. Among those, it has successfully breached more than 500 servers, infecting well-known universities in the U.S. and Europe, and a railway company.
  • Sophistication: FritzFrog is completely proprietary; its P2P implementation was written from scratch, teaching us that the attackers are highly professional software developers.
  • Interception: Guardicore Labs has developed a client program in Golang which is capable of intercepting FritzFrog’s P2P communication, as well as joining as a network peer.
  • Attribution: While we are unable to attribute the FritzFrog botnet to a specific group, we have found some resemblance to a previously-seen P2P botnet named Rakos.

It is fascinating that the security researchers had to create their own client to infiltrate and explore the broader botnet. Think of this as a kind of digital diplomacy, where a new entity or state is discovered, and in order to communicate with and explore it, a diplomatic mission had to be constructed and sent in.

Although this diplomacy is really just about establishing contact. There are all sorts of questions worth asking.

It really is like discovering a new world, or at least a new spaceship exploring our near infinite digital world, and we’re left wondering who owns the ship, and what is it used for.

In exploring the botnet Guardicore were able to find a wide range of functions and commands, that hint at what this facility could be used for, but nothing conclusive.

They do argue however, quite convincingly, that this represents a new generation of botnets, as this one combines properties in a way that makes it “unique in the threat landscape”.

  • Fileless – FritzFrog operates with no working directory, and file transfers are done in-memory using blobs.
  • Constantly updating – databases of targets and breached machines are exchanged seamlessly.
  • Aggressive – Brute-force is based on an extensive dictionary. By comparison, DDG, a recently discovered P2P botnet, used only the username “root”.
  • Efficient – Targets are evenly distributed among nodes.
  • Proprietary– The P2P protocol is completely proprietary, relying on no known P2P protocols such as μTP.

While this botnet was first spotted in January of this year, it has recently increased it’s attempts to further invade and infect systems.

The Gaurdicore analysis is fairly thorough, and while they raise questions regarding authorship and purpose, they rightly refrain from further speculation. Although less so the media coverage of their research.

FritzFrog’s primary goal is to mine for cryptocurrency. XMRig, a Monero miner, is deployed and connected to the public pool over port 5555.

If processes on the server are hogging CPU resources, the malware may kill them to give the miner as much power as possible.

FritzFrog will also exchange and share files by splitting content into binary data blobs, keeping them in memory, and storing this data with a map linking each blob’s hash value.

The P2P protocol used for communication by the botnet is “proprietary,” Guardicore notes, and is “not based on any existing implementation,” such as μTP.

This may suggest that “the attackers are highly professional software developers,” the team says. While there are no concrete clues for attribution, some similarities have been found between FritzFrog and Rakos, a botnet discovered in 2016.

Malware that mines for cryptocurrency is not unique, and in many cases is the default behaviour for a botnet. Why let computational resources sit idle when you can use them to make money? However this doesn’t mean that it is the primary goal, it may just be the default, so that funds are generated in between attacks, or other purposes of the botnet.

Attribution remains a deliberately difficult element of cybersecurity, in no small part because it can be a primary goal of any attack or tool. The first rule of hacking is not to get caught, and you can’t get caught if nobody knows who is responsible.

Given the innovative nature of FritzFrog we’ll probably hear more about it over the coming weeks and months. We’ll keep an eye on it and if there’s more to share, in particular around attribution, but also capability and evolution, we’ll let you know.

Leave a Reply

Your email address will not be published. Required fields are marked *