A peer-to-peer Golang botnet has resurfaced after more than a year to compromise servers belonging to entities in the healthcare, education, and government sectors within a span of a month, infecting a total of 1,500 hosts.
Dubbed FritzFrog, "the decentralized botnet targets any device that exposes an SSH server — cloud instances, data center servers, routers, etc. — and is capable of running any malicious payload on infected nodes," Akamai researchers said in a report shared with The Hacker News.
The new wave of attacks commenced in early December 2021, only to pick up pace and register a 10x growth in its infection rate in a month's time, while peaking at 500 incidents per day in January 2022. The cybersecurity firm said it detected infected machines in a European television channel network, a Russian manufacturer of healthcare equipment, and multiple universities in East Asia.
FritzFrog was first documented by Guardicore in August 2020, elaborating the botnet's proficiency to strike and infect more than 500 servers spanning across Europe and the U.S. since January that year. A large concentration of the new infections, on the other hand, are located in China.
"Fritzfrog relies on the ability to share files over the network, both to infect new machines and run malicious payloads, such as the Monero crypto miner," security researcher Ophir Harpaz observed in 2020.
The botnet's peer-to-peer (P2P) architecture makes it resilient in that every compromised machine in the distributed network can act as a command-and-control (C2) server as opposed to a single, centralized host. What's more, the reappearance of the botnet has been accompanied by new additions to its functionality, including the usage of a proxy network and the targeting of WordPress servers.
The infection chain propagates over SSH to drop a malware payload that then executes instructions received from the C2 server to run additional malware binaries as well as gather system information and files, before exfiltrating them back to the server.
FritzFrog is notable for the fact that the P2P protocol used is completely proprietary. While earlier versions of the malware process masqueraded as "ifconfig" and "nginx," the recent variants attempt to conceal their activities under the names "apache2" and "php-fpm."
Other new traits incorporated into the malware include the use of secure copy protocol (SCP) to copy itself to the remote server, a Tor proxy chaining to mask outgoing SSH connections, an infrastructure to track WordPress servers for follow-on attacks, and a blocklist mechanism to avoid infecting low-end systems such as Raspberry Pi devices.
"One IP in the blocklist is from Russia. It has multiple open ports and a long list of unpatched vulnerabilities, so it may be a honeypot," the researchers said. "Additionally, a second entry points to an open-source botnet sinkhole. These two entries suggest that the operators are attempting to evade detection and analysis."
The inclusion of the SCP feature may also have given the first clue as to the malware's origins. Akamai pointed out that the library, written in Go, has been shared on GitHub by a user located in the Chinese city of Shanghai.
A second piece of information linking the malware to China stems from the fact that one of the new wallet addresses employed for crypto mining was also used as part of the Mozi botnet campaign, whose operators were arrested in China last September.
"These points of evidence, while not damning, lead us to believe a possible link exists to an actor operating in China, or an actor masquerading as Chinese," the researchers concluded.