The FritzFrog botnet is back to cause damage to organisations

February 24, 2022
FritzFrog Botnet Malware Cybersecurity Solutions

The FritzFrog botnet is back at it again, and this time, it aims to conduct a massive cyberattack with an alarming infection rate.

Researchers noted that the botnet's hiatus was a preparation stage for a campaign against the healthcare, education, and government sectors.

First detected in August 2020, FritzFrog targets exposed SSH servers. According to recent reports, the new variant routes traffic through a Tor proxy, has added the ability to target WordPress servers, and uses a larger password dictionary for its SSH brute-force attacks.

The botnet also keeps its list of targets and infected devices up to date. Its target distribution mechanism assigns an equal number of targets to each node, so the brute-force workload is balanced across the network.

Researchers observed about 24,000 attacks by the FritzFrog botnet and approximately 1,500 confirmed victims. Notable victims include organisations in China, a European TV network, several educational institutions in Asia, and a Russian healthcare organisation.

Experts said that the FritzFrog botnet has undergone a chain of upgrades, with its operators fixing flaws several times a day.

Based on reports, the botnet now uses a proprietary P2P protocol for its communication, which makes it harder to detect and track than the previous version.

In addition, the operators have added a filtering list that deprioritises low-powered devices such as Raspberry Pi boards. They have also added monetisation features, such as distributing ransomware or leaking data, although these functions are currently inactive.

The mechanism FritzFrog uses to copy itself onto compromised systems is now based on SCP, replacing the cat-based transfer used by the previous version.

The FritzFrog botnet expands its attack surface with these upgraded capabilities. To defend against it, experts recommend that administrators configure an explicit allow-list of SSH logins, disable root SSH access, enable system login auditing with alerting, and enable cloud-based DNS protection.
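The following script is an added example, not code from the article or from the researchers who analysed FritzFrog. It turns the first three recommendations into two checks an administrator can run: an audit of an sshd_config for an explicit allow-list, disabled root login and disabled password authentication (a dictionary attack has nothing to hit when only keys are accepted), and a scan of an auth log for source addresses with many failed SSH logins, which is the trace a brute-force campaign leaves. The sample config files and log lines it writes are constructed for the demonstration; the file names and the failure threshold are assumptions.

```shell
#!/bin/sh
# Added example, not code from the article or from the FritzFrog researchers.
#   audit_sshd_config FILE      - report hardening settings missing from an
#                                 sshd_config: AllowUsers/AllowGroups list,
#                                 PermitRootLogin no, PasswordAuthentication no
#   brute_force_sources FILE N  - list source IPs with at least N failed SSH
#                                 logins in an auth log (dictionary-attack pattern)
# Sample files written by write_samples are constructed for this demonstration;
# the file names and the threshold of 10 failures are assumptions.

# sshd honours the first non-comment occurrence of a keyword, so take the
# first match. Prints the value lower-cased, or nothing if the keyword is absent.
sshd_setting() {
    grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print tolower($2)}'
}

# One line per weak or missing setting; prints nothing when the config passes.
audit_sshd_config() {
    cfg="$1"
    root=$(sshd_setting "$cfg" PermitRootLogin)
    [ "$root" = "no" ] || echo "PermitRootLogin is '${root:-unset}' (want: no)"
    pass=$(sshd_setting "$cfg" PasswordAuthentication)
    [ "$pass" = "no" ] || echo "PasswordAuthentication is '${pass:-unset}' (want: no)"
    if [ -z "$(sshd_setting "$cfg" AllowUsers)" ] && [ -z "$(sshd_setting "$cfg" AllowGroups)" ]; then
        echo "No AllowUsers/AllowGroups (want: an explicit allow-list of SSH logins)"
    fi
}

# Print "COUNT IP" for every source with at least N "Failed password" lines,
# most active first. Only the "Failed password for ..." line is counted so a
# single attempt that also logs "Invalid user" is not counted twice.
brute_force_sources() {
    log="$1"; threshold="${2:-10}"
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: Failed password for / {
            # the source address is the field after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
    ' "$log" | sort -rn
}

# Constructed sample input (not real captured data).
SAMPLE_DIR="${TMPDIR:-/tmp}/fritzfrog-demo.$$"
write_samples() {
    mkdir -p "$SAMPLE_DIR"
    cat > "$SAMPLE_DIR/sshd_config.weak" <<'EOF'
# typical out-of-the-box config: no allow-list, passwords accepted
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
    cat > "$SAMPLE_DIR/sshd_config.hardened" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers deploy ops
EOF
    # 203.0.113.5 (TEST-NET-3) hammers root; 198.51.100.7 is one mistyped password.
    {
        i=0
        while [ "$i" -lt 12 ]; do
            echo "Feb 24 10:00:$(printf %02d "$i") web1 sshd[41$i]: Failed password for root from 203.0.113.5 port 5$i ssh2"
            i=$((i + 1))
        done
        echo "Feb 24 10:01:00 web1 sshd[4200]: Failed password for ops from 198.51.100.7 port 5100 ssh2"
        echo "Feb 24 10:01:03 web1 sshd[4201]: Accepted publickey for ops from 198.51.100.7 port 5101 ssh2"
    } > "$SAMPLE_DIR/auth.log"
}

demo() {
    write_samples
    echo "== weak config ==";      audit_sshd_config "$SAMPLE_DIR/sshd_config.weak"
    echo "== hardened config ==";  audit_sshd_config "$SAMPLE_DIR/sshd_config.hardened"
    echo "== sources with >= 10 failed logins =="; brute_force_sources "$SAMPLE_DIR/auth.log" 10
    rm -rf "$SAMPLE_DIR"
}

# Usage: sh fritzfrog_ssh_checks.sh demo
if [ "${1:-}" = "demo" ]; then demo; fi
```

On a real host, point audit_sshd_config at /etc/ssh/sshd_config and brute_force_sources at /var/log/auth.log (or the journald export for the sshd unit). Note that with password authentication disabled, the brute-force attempts no longer appear as "Failed password" lines, so the log check is most useful during the transition and on hosts where passwords must remain enabled.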
