FritzFrog worm detected, infecting servers via SSH and building a decentralized botnet

Guardicore, a company specializing in the protection of data centers and cloud systems, has published an analysis of FritzFrog, a new sophisticated malware that infects Linux-based servers. FritzFrog combines a worm, which spreads by brute-forcing servers with an exposed SSH port, with components that build a decentralized botnet operating without control nodes and having no single point of failure.

The botnet is built on a proprietary P2P protocol in which nodes communicate with each other, coordinate attacks, maintain the network and monitor each other's state. New victims are found by brute-forcing servers that accept SSH connections: when a new server is discovered, the malware tries a dictionary of typical login and password combinations against it. The botnet can be controlled through any node, which makes it difficult to identify and block its operators.

According to the researchers, the botnet already has about 500 nodes, including servers at several universities and a large railway company. The main targets of the attack are noted to be the networks of educational institutions, medical centers, government agencies, banks and telecommunications companies. After a server is compromised, Monero cryptocurrency mining is started on it. The malware has been active since January 2020.

A distinctive feature of FritzFrog is that it keeps all data and executable code only in memory. The changes on disk come down to adding a new SSH key to the authorized_keys file, which is then used to access the server. System files are not modified, which makes the worm invisible to checksum-based file integrity checkers. Dictionaries for password brute-forcing and data for mining are also held in memory and are synchronized between nodes over the P2P protocol.

Malicious components camouflage themselves as ifconfig, libexec, php-fpm and nginx processes. Botnet nodes monitor the state of their neighbors and, if a server is rebooted or even its OS is reinstalled (provided the modified authorized_keys file is carried over to the new system), they reactivate the malicious components on the host. Regular SSH is used for communication: the malware additionally launches a local “netcat” that binds to the localhost interface and listens on port 1234, and external hosts reach it through an SSH tunnel established with the key from authorized_keys.


The FritzFrog component code is written in Go and runs in multi-threaded mode. The malware includes several modules that run in different threads:

  • Cracker - performs password guessing against attacked servers.
  • CryptoComm + Parser - establishes the encrypted P2P connection.
  • CastVotes - a mechanism for jointly selecting target hosts for an attack.
  • TargetFeed - obtains a list of nodes to attack from neighboring nodes.
  • DeployMgmt - the worm implementation that spreads malicious code to a compromised server.
  • Owned - responsible for connecting to servers that are already running the malicious code.
  • Assemble - assembles a file in memory from separately transmitted blocks.
  • Antivir - a module for suppressing competing malware; it detects and terminates CPU-consuming processes whose name contains the string "xmr".
  • Libexec - a module for mining Monero cryptocurrency.

The P2P protocol used in FritzFrog supports about 30 commands for transferring data between nodes, running scripts, transferring malware components, polling status, exchanging logs, starting a proxy, and so on. Information is transmitted over a separate encrypted channel and serialized in JSON format. Encryption uses the AES symmetric cipher together with Base64 encoding, and the Diffie-Hellman (DH) protocol is used for key exchange. To determine each other's state, the nodes constantly exchange ping requests.

All botnet nodes maintain a distributed database with information about attacked and compromised systems. Attack targets are synchronized across the botnet so that each node attacks a separate target, i.e. two different botnet hosts will not attack the same host. The nodes also collect local statistics, such as free memory, uptime, CPU usage and SSH login activity, and share them with their neighbors. This information is used to decide whether to start mining on a node or to use it only for attacking other systems (for example, mining is not started on busy systems or on systems with frequent administrator logins).

To identify FritzFrog, the researchers proposed a simple shell script. Indicators of compromise include a listening socket on port 1234, the presence of the malicious key in authorized_keys (the same SSH key is installed on all nodes), and running “ifconfig”, “libexec”, “php-fpm” and “nginx” processes that have no associated executable file on disk (“/proc/ /exe” points to a deleted file). Another sign is traffic to network port 5555, which occurs when the malware contacts the typical pool web.xmrpool.eu while mining Monero.
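The following POSIX shell script is an added example of how the four indicators listed above can be checked on a host. It is not Guardicore's detection script and not part of the original article. The `ss` output it parses is constructed sample text, the fake `/proc` tree is built only for the self-check, and the key fingerprint is a labelled placeholder because the actual FritzFrog key is not reproduced on this page.

```shell
#!/bin/sh
# Added example: host checks for the FritzFrog indicators described in the article.
# Not the researchers' script; every sample value below is constructed.

# Process names the article says the malware camouflages itself as.
SUSPECT_NAMES="ifconfig libexec php-fpm nginx"

# Placeholder: the real malicious key is not on this page. Replace with the
# public key (or a distinctive substring of it) from the vendor report.
BAD_KEY_PLACEHOLDER="AAAAB3Nza_PLACEHOLDER_FRITZFROG_KEY"

# Indicator 1: a listener on port 1234. Argument: output of `ss -lnt`.
# Returns 0 when a LISTEN line with local port 1234 is present.
listener_on_1234() {
    printf '%s\n' "$1" | grep -Eq 'LISTEN.*:1234[[:space:]]'
}

# Indicator 4: an established connection to remote port 5555 (mining pool).
# Argument: output of `ss -ntu` without -p, so the peer address is the last field.
conn_to_5555() {
    printf '%s\n' "$1" | awk 'NR > 1 && $NF ~ /:5555$/ { found = 1 }
                              END { exit found ? 0 : 1 }'
}

# Indicator 2: the known-bad key in an authorized_keys file.
# Arguments: file contents, optional key substring (defaults to the placeholder).
has_bad_key() {
    key=${2:-$BAD_KEY_PLACEHOLDER}
    printf '%s\n' "$1" | grep -Fq "$key"
}

# Indicator 3: a process with one of the camouflage names whose /proc/<pid>/exe
# link points at a deleted file (binary lives only in memory). Argument: proc
# root, default /proc; a fake tree can be passed for testing. Prints "pid name".
deleted_exe_procs() {
    procroot=${1:-/proc}
    for d in "$procroot"/[0-9]*; do
        [ -r "$d/comm" ] || continue
        name=$(cat "$d/comm")
        case " $SUSPECT_NAMES " in
            *" $name "*) ;;
            *) continue ;;
        esac
        # readlink (not -f) returns the raw target, which ends in "(deleted)"
        # when the kernel marks the unlinked executable.
        target=$(readlink "$d/exe" 2>/dev/null) || continue
        case "$target" in
            *"(deleted)") echo "${d##*/} $name" ;;
        esac
    done
}

# Live scan of the current host; run as `sh fritzfrog_check.sh --live`.
scan_live() {
    hits=0
    if command -v ss >/dev/null 2>&1; then
        listener_on_1234 "$(ss -lnt 2>/dev/null)" && { echo "[!] listener on port 1234"; hits=1; }
        conn_to_5555 "$(ss -ntu 2>/dev/null)" && { echo "[!] connection to port 5555"; hits=1; }
    fi
    for f in /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys; do
        [ -r "$f" ] || continue
        has_bad_key "$(cat "$f")" && { echo "[!] suspicious key in $f"; hits=1; }
    done
    procs=$(deleted_exe_procs /proc)
    [ -n "$procs" ] && { echo "[!] memory-only processes:"; echo "$procs"; hits=1; }
    [ "$hits" -eq 0 ] && echo "no FritzFrog indicators found"
    return "$hits"
}

if [ "${1:-}" = "--live" ]; then
    scan_live
fi
```

The key check deliberately matches a substring rather than a fingerprint so it works with plain `grep`; on a real host replace the placeholder with the key published in the vendor report. The `/proc` walk is the most reliable of the four checks, because the article notes that the malware leaves no binary on disk, so a camouflaged `nginx` whose `exe` link reads `(deleted)` is hard to explain away.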

Source: opennet.ru
