FritzFrog P2P Botnet Targets Healthcare, Education and Government

 Short News:- 

In August 2020, Guardicore documented FritzFrog, a Golang-based peer-to-peer (P2P) botnet that had attacked and infected more than 500 servers in Europe, the U.S., and Canada. More than a year later, in December 2021, the botnet resurfaced and compromised servers belonging to healthcare, education, and government organizations. FritzFrog uses a proprietary P2P protocol. The new version adds infrastructure for tracking WordPress servers for follow-on attacks and a blocklist mechanism to avoid infecting low-end systems such as the Raspberry Pi. The blocklist includes one Russian IP address that the researchers suspect is a honeypot; other clues, such as the SCP library it uses and the crypto-mining wallet it pays into, point to an actor operating in China, or one masquerading as Chinese.




Detailed News:- 

A Golang-based peer-to-peer (P2P) botnet has resurfaced after more than a year, compromising servers belonging to healthcare, education, and government organizations and infecting more than 1,500 hosts.


"The decentralized botnet targets any device that exposes an SSH server—cloud instances, data center servers, routers, etc.—and is capable of running any malicious payload on infected nodes," Akamai researchers said in a report shared with Cybernari.


The new wave of attacks began in early December 2021, then grew its infection rate tenfold within a month and peaked at 500 incidents per day in January 2022. According to the cybersecurity firm, the infected machines include several East Asian universities and a European television channel network.


Guardicore first documented FritzFrog in August 2020, by which point it had attacked and infected more than 500 servers in Europe, the United States, Canada, and Australia. The new infections, however, are concentrated largely in China.


Over the network, "FritzFrog relies on sharing files to infect new machines and run malicious payloads," security researcher Ophir Harpaz observed in 2020.


Because the network is fully distributed, with no single command-and-control (C2) server, the botnet's P2P architecture is more resilient than one that depends on a centralized host: there is no one server a defender can sinkhole or take down. The botnet's reappearance also brings new features, including the use of a proxy network and the targeting of WordPress servers.


The infection chain starts over SSH: once FritzFrog gains access to an exposed SSH server (it brute-forces weak credentials), the payload is dropped and executed on the host. The malware then pulls down additional binaries and gathers system information and files, which are passed back to the peer network for further processing rather than to a central C2 server.


Beyond the proprietary peer-to-peer (P2P) protocol, FritzFrog hides in plain sight by running under the names of common programs: earlier versions of the malware ran as "ifconfig" and "nginx," while the most recent versions go by "apache2" and "php-fpm." A process carrying one of these names that is not the distribution's own binary is therefore worth a second look.
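One practical check that follows from those aliases, written here as an added example (it is not code from the article, Akamai or Guardicore): walk the process table, and for every process named ifconfig, nginx, apache2 or php-fpm, compare the executable it actually runs from against where the distribution installs that program. A hit where the binary lives somewhere unexpected, or has been unlinked from disk, is a lead worth triaging. The EXPECTED_PATHS table (Debian/Ubuntu-style layout), the Proc record shape and the SAMPLE process list are assumptions constructed for illustration; the live reader in snapshot_proc() uses the standard Linux /proc interface.

```python
"""Hunt for FritzFrog-style process-name masquerading via /proc.

Added example, not code from the page or from Akamai/Guardicore.
"""
import os
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Process names the article reports FritzFrog running under.
ALIASES = {"ifconfig", "nginx", "apache2", "php-fpm"}

# Assumed legitimate install locations (Debian/Ubuntu style); verify against
# your own package manager before relying on this table.
EXPECTED_PATHS = {
    "ifconfig": {"/sbin/ifconfig", "/usr/sbin/ifconfig", "/bin/ifconfig", "/usr/bin/ifconfig"},
    "nginx": {"/usr/sbin/nginx"},
    "apache2": {"/usr/sbin/apache2"},
    # php-fpm binaries are versioned (e.g. /usr/sbin/php-fpm8.1), so they are
    # matched by prefix in is_suspicious() instead of by exact path.
    "php-fpm": set(),
}


@dataclass
class Proc:
    pid: int
    comm: str         # contents of /proc/<pid>/comm (trailing newline allowed)
    exe: str          # readlink of /proc/<pid>/exe, '' if unreadable
    exe_exists: bool  # whether the link target still exists on disk


def is_suspicious(p: Proc) -> Optional[str]:
    """Return a reason if the process looks like masquerading, else None."""
    name = p.comm.strip()
    if name not in ALIASES:
        return None
    if not p.exe:
        # Kernel threads have no exe; for others this usually means we lack
        # permission, so run as root to avoid this class of false positive.
        return "exe link unreadable"
    # The kernel appends " (deleted)" when the executable was unlinked while
    # running: the classic sign of a binary that only exists in memory now.
    if p.exe.endswith(" (deleted)") or not p.exe_exists:
        return f"binary missing from disk: {p.exe}"
    if name == "php-fpm":
        ok = p.exe.startswith("/usr/sbin/php-fpm")
    else:
        ok = p.exe in EXPECTED_PATHS[name]
    return None if ok else f"unexpected path: {p.exe}"


def hunt(procs: Iterable[Proc]) -> List[Tuple[int, str, str]]:
    """Return (pid, name, reason) for every process that fails the check."""
    hits = []
    for p in procs:
        reason = is_suspicious(p)
        if reason:
            hits.append((p.pid, p.comm.strip(), reason))
    return hits


def snapshot_proc() -> List[Proc]:
    """Read the live process table on Linux (root needed for other users' exe links)."""
    out = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read()
        except OSError:
            continue  # process exited or is not readable
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = ""
        out.append(Proc(pid, comm, exe, os.path.exists(exe) if exe else False))
    return out


# Constructed sample process table, not real telemetry.
SAMPLE = [
    Proc(812, "nginx\n", "/usr/sbin/nginx", True),                       # legitimate
    Proc(1432, "apache2\n", "/tmp/.x/apache2", True),                    # wrong path
    Proc(1501, "php-fpm\n", "/usr/sbin/php-fpm8.1", True),               # legitimate
    Proc(1620, "php-fpm\n", "/usr/sbin/php-fpm8.1 (deleted)", False),    # unlinked binary
    Proc(2001, "sshd\n", "/usr/sbin/sshd", True),                        # not an alias
    Proc(2200, "ifconfig\n", "", False),                                 # unreadable exe
]

if __name__ == "__main__":
    for pid, name, reason in hunt(snapshot_proc()):
        print(f"pid {pid} ({name}): {reason}")
```

Run it as root so that every exe link is readable; otherwise an "exe link unreadable" hit on another user's process is noise rather than signal. The check is deliberately cheap and coarse: a process can set any name it likes, so a hit is a lead to confirm (for example by dumping the process memory or checking its network connections), not a verdict, and a clean result does not prove a host is uninfected.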


Two other new features are the use of Secure Copy Protocol (SCP) to copy the malware onto newly compromised hosts and a Tor proxy chain for its connections. The malware also has infrastructure for tracking WordPress servers for follow-on attacks and a blocklist mechanism to avoid infecting low-end systems such as the Raspberry Pi.


"The blocklist includes one Russian IP address. It has numerous open ports and a long list of unpatched vulnerabilities, so it could be a honeypot," said the researchers. "Another entry points to an open-source sinkhole for botnets. An attempt to avoid detection and analysis is suggested by these two entries."


The inclusion of the SCP feature may be another clue: Akamai points out that the Go SCP library the malware uses is published by a developer based in Shanghai, China.


In addition, the new wallet address used for crypto mining was also used in the Mozi botnet campaign, whose operators were arrested in China last September, further tying the malware to Chinese actors.


Taken together, these points of evidence suggest an actor operating in China, or an actor masquerading as a Chinese one, the researchers said.
