Fileless worm builds cryptomining, backdoor-planting P2P botnet

A fileless worm dubbed FritzFrog has been found roping Linux-based devices with exposed SSH servers – corporate servers, routers and IoT devices – into a P2P botnet whose apparent goal is to mine cryptocurrency.

At the same time, the malware plants a backdoor on each infected machine, allowing the attackers to get back in later even if the SSH password has been changed in the meantime.

“When looking at the amount of code dedicated to the miner, compared with the P2P and the worm (‘cracker’) modules – we can confidently say that the attackers are much more interested in obtaining access to breached servers than making profit through Monero,” Guardicore Labs lead researcher Ophir Harpaz told Help Net Security.

“This access and control over SSH servers can be worth much more money than spreading a cryptominer. Additionally, it is possible that FritzFrog is a P2P-infrastructure-as-a-service; since it is robust enough to run any executable file or script on victim machines, this botnet can potentially be sold in the darknet and be the genie of its operators, fulfilling any of its malicious wishes.”

The worm’s targets

FritzFrog is a modular, multi-threaded and fileless SSH internet worm that attempts to grow a P2P botnet by breaking into public IP addresses, skipping the ranges reserved for private addresses.

The botnet has nodes around the globe:


“While intercepting the FritzFrog P2P network, we’ve seen target lists which consist of sequential IP addresses, resulting in a very systematic scan of IP ranges in the internet,” Harpaz explained.

Since January 2020 it has targeted IP addresses belonging to government offices, educational institutions, medical centers, banks and numerous telecom companies, and has successfully breached more than 500 SSH servers.

An advanced piece of malware

Written in Golang, the malware seems to be the work of highly professional software developers:

  • It’s fileless – it assembles and executes payloads in-memory, operates with no working directory, and also uses the fileless approach when sharing and exchanging files between nodes
  • Its brute-force attempts are aggressive, based on an extensive dictionary
  • It’s efficient – no two nodes in the network attempt to “crack” the same target machine
  • Its P2P protocol is proprietary and was written from scratch (i.e., not based on an existing implementation)
  • It creates a backdoor in the form of an SSH-RSA public key added to the authorized_keys file. With the corresponding private key, the attackers can log in to the compromised machine whenever they want, without needing to know the SSH password

Other things that allow the malware to fly under the radar:

  • Its process runs under one of the names ifconfig, nginx or libexec (the latter is used when Monero-mining), so a casual look at the process list shows nothing unusual
  • It tunnels its P2P commands over the standard SSH port: the peer logs in over SSH and runs a local netcat client on the infected machine, and any command sent over that SSH session is used as netcat’s input and relayed to the malware

“Even with this creative way of sending commands, the process remains completely automated and under the malware’s control. Even after creating this P2P channel to the newly-infected host, the malware is the one which keeps feeding the victim with commands,” Harpaz noted.

“However, it is very likely that manual, human-operated commands are sent to network peers. Guardicore Labs has developed a tool which intercepts the network and is capable of sending and receiving commands on demand. The actor behind this campaign can do the exact same thing, and it is highly probable that the operator has the means for sending commands manually to certain (or all) nodes in the network.”

Check whether your machines are part of the botnet

The absence of a cryptominer on a machine running an SSH server is not proof that it hasn’t been infected: the malware checks whether the machine can spare the CPU to mine and decides against mining if it can’t, so an infected host may show no miner at all.

Admins can use a detection script that searches for processes with the aforementioned names running without a backing file on disk, for a malware listener on TCP port 1234, and for TCP traffic to port 5555 (the connection to the Monero pool).
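A minimal version of such a check, added here as an example (it is not Guardicore’s detection script and not code from the article), flags the three indicators just named. The collector functions assume a Linux /proc filesystem and the iproute2 `ss` tool; the process list and socket lines in the SAMPLE_* variables are constructed, with made-up PIDs and addresses, so the scan runs offline. Note that a legitimate nginx with a real binary on disk is deliberately not flagged.

```shell
#!/bin/sh
# Added example, not Guardicore's detect_fritzfrog.sh: checks the three
# FritzFrog indicators named in the article on three text inputs:
#   procs : one "<pid> <comm> <exe-link-target>" line per process
#   listen: `ss -tlnH` style lines (state recvq sendq local peer)
#   conns : `ss -tnH`  style lines (state recvq sendq local peer)
# collect_* produce those inputs on a live host (assumption: Linux /proc and
# iproute2 ss); the SAMPLE_* variables are constructed for an offline run.

SUSPECT_NAMES='^(nginx|ifconfig|libexec)$'

# Live collectors. Reading every /proc/<pid>/exe needs root; unreadable
# links are reported as "-" so they still get a look.
collect_procs() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        comm=$(cat "$d/comm" 2>/dev/null) || continue
        exe=$(readlink "$d/exe" 2>/dev/null || echo "-")
        printf '%s %s %s\n' "$pid" "$comm" "$exe"
    done
}
collect_listeners() { ss -tlnH; }
collect_conns()     { ss -tnH; }

# Indicator 1: one of the three names, but the executable is gone from disk
# ("(deleted)" suffix), lives in a memfd, or has no readable exe link.
flag_fileless_procs() {
    awk -v re="$SUSPECT_NAMES" '
        $2 ~ re && ($3 == "-" || $NF == "(deleted)" || $3 ~ /^\/memfd:/) {
            print "fileless-process pid=" $1 " comm=" $2
        }'
}

# Indicator 2: something listening on TCP 1234 (local address is field 4).
flag_p2p_listener() {
    awk '$1 == "LISTEN" && $4 ~ /:1234$/ { print "p2p-listener local=" $4 }'
}

# Indicator 3: an established connection to remote TCP port 5555 (field 5).
flag_pool_traffic() {
    awk '$1 == "ESTAB" && $5 ~ /:5555$/ { print "port-5555-traffic peer=" $5 }'
}

# Constructed sample input: PIDs, paths and addresses are made up.
# Only pid 812 is a real nginx with its binary still on disk.
SAMPLE_PROCS='1 systemd /usr/lib/systemd/systemd
812 nginx /usr/sbin/nginx
4211 nginx /memfd:x (deleted)
4298 ifconfig -
4305 libexec /tmp/libexec (deleted)'
SAMPLE_LISTEN='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:1234 0.0.0.0:*'
SAMPLE_CONNS='ESTAB 0 0 192.0.2.10:22 198.51.100.4:51912
ESTAB 0 0 192.0.2.10:40022 203.0.113.9:5555'

# Run all three checks over the constructed sample; prints one finding per line.
scan_sample() {
    printf '%s\n' "$SAMPLE_PROCS"  | flag_fileless_procs
    printf '%s\n' "$SAMPLE_LISTEN" | flag_p2p_listener
    printf '%s\n' "$SAMPLE_CONNS"  | flag_pool_traffic
}

# Same checks against the live host.
scan_live() {
    collect_procs     | flag_fileless_procs
    collect_listeners | flag_p2p_listener
    collect_conns     | flag_pool_traffic
}

scan_sample
```

On the sample, the scan reports three fileless processes (4211, 4298, 4305), the listener on 0.0.0.0:1234 and the connection to 203.0.113.9:5555, and stays silent on the legitimate nginx. Run `scan_live` as root on a real host; a hit on any one indicator is worth a closer look, but an empty result is not a clean bill of health, since the miner may simply not be running.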

Rebooting the affected machine or device does remove the malware from memory and terminate its process, but because a victim’s address and login credentials are immediately recorded in the P2P network, the host will be re-infected in no time.

Instead of relying on a reboot, admins should:

  • Terminate the malicious processes
  • Change the SSH password to a strong one and use public key authentication
  • Remove FritzFrog’s public key from the authorized_keys file to “close” the backdoor
  • Consider changing routers’ and IoT devices’ SSH port or completely disabling SSH access to them if the service is not needed

Bad habits and risky behaviors put corporate data at risk

IT and application development professionals tend to exhibit risky behaviors when organizations impose strict IT policies, according to a survey by SSH (SSH Communications Security).


Polling 625 IT and application development professionals across the United States, United Kingdom, France, and Germany, the survey verified that hybrid IT is on the rise and shows no signs of slowing down.

Fifty-six percent of respondents described their IT environment as hybrid cloud, an increase from 41 percent a year ago. On average, companies are actively using two cloud service vendors at a time.

While hybrid cloud offers a range of strategic benefits related to cost, performance, security, and productivity, it also introduces the challenge of managing more cloud access.

Cloud access solutions slowing down work

The survey found that cloud access solutions, including privileged access management software, slow down daily work for 71 percent of respondents. The biggest speed bumps were cited as configuring access (34 percent), repeatedly logging in and out (30 percent), and granting access to other users (29 percent).

These hurdles often drive users to seek risky workarounds, with 52 percent of respondents claiming they would “definitely” or at least “consider” bypassing secure access controls if they were under pressure to meet a deadline.

Eighty-five percent of respondents also share account credentials with others out of convenience, even though 70 percent understand the risks of doing so. These risks are compounded by the 60 percent of respondents who store their credentials and passwords insecurely, including in email, in non-encrypted files or folders, and on paper.

“As businesses grow their cloud environments, secure access to the cloud will continue to be paramount. But when access controls lead to a productivity trade-off, as this research has shown, IT admins and developers are likely to bypass security entirely, opening the organization up to even greater cyber risk,” said Jussi Mononen, chief commercial officer at SSH.

“For privileged access management to be effective, it needs to be fast and convenient, without adding operational obstacles. It needs to be effortless.”

Orgs using public internet networks

In addition to exposing the risky behaviors of many IT and application development professionals when accessing the cloud, the survey also revealed some unwitting security gaps in organizations’ access management policies. For example, more than 40 percent of respondents use public internet networks – inherently less secure than private networks – to access internal IT resources.

Third-party access was also found to be a risk point, with 29 percent of respondents stating that outside contractors are given permanent access credentials to the business’ IT environment.


Permanent credentials are fundamentally risky as they provide widespread access beyond the task at hand, and can be forgotten, stolen, mismanaged, misconfigured, or lost.

Mononen continued, “When it comes to access management, simpler is safer. Methods like single sign-on can streamline the user experience significantly, by creating fewer logins and fewer entry points that reduce the forming of bad IT habits.

“There is also power in eliminating permanent access credentials entirely, using ephemeral certificates that unlock temporary ‘just-in-time’ access to IT resources, only for the time needed before access automatically expires. Ultimately, reducing the capacity for human error comes down to designing security solutions that put the user first and cut out unnecessary complexity.”