Botnet Encyclopedia

A Knowledge Base of Attack Campaigns captured by Guardicore Global Sensor Network

Campaign Information

Name: FritzFrog (active)

First seen in Guardicore Centra: 2020-01-09

Last seen in Guardicore Centra: 2020-08-18

FritzFrog is a unique, sophisticated P2P botnet, active since January 2020. After breaching SSH servers by brute force, the attackers deploy a complex worm written in Golang. A backdoor in the form of a public SSH key is added to the victim's authorized_keys file. The malware immediately starts listening on port 1234, where it receives commands from its network peers. FritzFrog works hard to eliminate competitors by killing CPU-demanding processes on the Linux system where it runs.
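The three host-side traces the description calls out (an injected public key in authorized_keys, a listener on TCP 1234, and binaries executing from scratch directories such as /tmp and /dev/shm, which is where the sensor events on this page place the nginx and ifconfig files) can be checked offline. The script below is an added example and not Guardicore's or the malware's code; the authorized_keys contents, /proc/net/tcp text and process list are constructed samples, and the allow-list of known keys is assumed to come from your own key inventory.

```python
"""Host triage for the FritzFrog indicators described on this page.

Added example. Inputs are passed in as text so the checks run offline on
the constructed samples at the bottom; on a live host you would feed in
the contents of ~root/.ssh/authorized_keys, /proc/net/tcp and the
readlink() of each /proc/<pid>/exe.
"""
import re

FRITZFROG_C2_PORT = 1234
SUSPICIOUS_EXEC_DIRS = ("/tmp/", "/dev/shm/")

# Key type and base64 blob of an authorized_keys line; any leading options
# (command="...", from="...") are skipped because search() is used.
_KEY_RE = re.compile(r"(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+)\s+([A-Za-z0-9+/=]+)")


def unexpected_keys(authorized_keys_text, allowed_keys):
    """Return authorized_keys lines whose key material is not allow-listed.

    allowed_keys holds (type, blob) pairs from your inventory. The comment
    field is deliberately ignored: an attacker can write anything there.
    """
    findings = []
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _KEY_RE.search(line)
        if m is None:
            findings.append(("unparseable", line))
        elif (m.group(1), m.group(2)) not in allowed_keys:
            findings.append(("unknown-key", line))
    return findings


def listening_ports(proc_net_tcp_text):
    """Parse /proc/net/tcp and return the set of ports in LISTEN state (0A)."""
    ports = set()
    for line in proc_net_tcp_text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr, state = fields[1], fields[3]
        if state == "0A":
            ports.add(int(local_addr.rsplit(":", 1)[1], 16))  # port is hex
    return ports


def suspicious_processes(processes):
    """Flag (pid, exe) pairs whose executable lives in a world-writable scratch dir.

    The path, not the name, is the tell: FritzFrog's files are called nginx
    and ifconfig precisely so that the name looks harmless.
    """
    return [(pid, exe) for pid, exe in processes if exe.startswith(SUSPICIOUS_EXEC_DIRS)]


def triage(authorized_keys_text, proc_net_tcp_text, processes, allowed_keys):
    """Combine the three checks into one findings dict."""
    return {
        "unexpected_keys": unexpected_keys(authorized_keys_text, allowed_keys),
        "fritzfrog_listener": FRITZFROG_C2_PORT in listening_ports(proc_net_tcp_text),
        "suspicious_processes": suspicious_processes(processes),
    }


# --- Constructed sample input (hypothetical keys and inodes, not real captures) ---
SAMPLE_AUTHORIZED_KEYS = """\
# admin workstation
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHypotheticalAdminKey000000000000000000 admin@ops
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0HypotheticalInjectedKey nobody
"""
ALLOWED_KEYS = {("ssh-ed25519", "AAAAC3NzaC1lZDI1NTE5AAAAIHypotheticalAdminKey000000000000000000")}

# sshd on 22 (0x0016) and an extra listener on 1234 (0x04D2); the third row is
# an established connection, not a listener.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18391 1 0000000000000000 100 0 0 10 0
   1: 00000000:04D2 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 24177 1 0000000000000000 100 0 0 10 0
   2: 0100007F:9C41 0100007F:0016 01 00000000:00000000 00:00000000 00000000     0        0 24180 1 0000000000000000 20 0 0 10 -1
"""

SAMPLE_PROCESSES = [
    (1, "/usr/lib/systemd/systemd"),
    (812, "/usr/sbin/sshd"),
    (4242, "/tmp/ifconfig"),
    (4311, "/dev/shm/nginx"),
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_AUTHORIZED_KEYS, SAMPLE_PROC_NET_TCP,
                             SAMPLE_PROCESSES, ALLOWED_KEYS).items():
        print(f"{key}: {value}")
```

The path check alone is not sufficient: one of the events on this page shows /usr/bin/uptime being downloaded and executed, so a copy dropped over a legitimate system path would pass it. Pair it with the listener and authorized_keys checks, or with package-manager file verification, rather than relying on any single indicator.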


Attack Flow

Breached Services: SSH, SCP

Tags: Port 2222 Scan, SSH, Listening, Port 22 Scan, Successful SSH Login, Download and Allow Execution, Download and Execute, 29 Shell Commands

Incident Summary

A user logged in using SSH with the following credentials: root / **** – Authentication policy: White List

Successful SSH Login

A user logged in using SSH with the following credentials: root / **** – Authentication policy: Correct Password 11 times

Successful SSH Login

Process /dev/shm/nginx scanned port 22 on 44 IP Addresses

Port 22 Scan

Process /tmp/ifconfig scanned port 22 on 44 IP Addresses

Port 22 Scan

Port 2222 Scan

Process /tmp/ifconfig scanned port 2222 on 44 IP Addresses

Port 22 Scan

Port 2222 Scan

Process /tmp/ifconfig scanned port 22 on 41 IP Addresses

Port 22 Scan

Port 2222 Scan

Process /dev/shm/nginx started listening on ports: 1234

Listening

The file /tmp/ifconfig was downloaded and executed 5 times

Download and Execute

The file /tmp/nginx was downloaded and executed 130 times

Download and Execute

Process /tmp/ifconfig started listening on ports: 1234

Listening

Process /tmp/ifconfig generated outgoing network traffic to: 100.75.4.68:22, 100.75.4.68:2222, 109.219.153.97:22, 109.219.153.97:2222, 109.76.129.237:22, 116.101.111.77:2222, 116.249.100.137:22, 116.249.100.137:2222, 121.27.229.100:22, 121.27.229.100:2222, 123.234.90.157:22, 123.234.90.157:2222, 126.251.94.82:2222, 13.23.100.230:22, 13.23.100.230:2222, 136.83.64.63:22, 136.83.64.63:2222, 144.125.159.153:2222, 145.186.12.214:2222, 148.187.116.219:22, 148.35.19.56:22, 148.35.19.56:2222, 159.108.147.215:22, 159.108.147.215:2222, 161.121.38.212:22, 161.121.38.212:2222, 167.63.93.190:22, 167.63.93.190:2222, 170.146.4.54:22, 170.146.4.54:2222, 171.126.124.202:2222, 176.78.211.172:22, 176.78.211.172:2222, 177.239.35.240:22, 177.239.35.240:2222, 181.135.96.130:22, 183.222.1.196:22, 183.222.1.196:2222, 186.223.65.211:22, 186.223.65.211:2222, 187.64.216.162:22, 187.64.216.162:2222, 188.188.50.54:22, 188.188.50.54:2222, 189.40.132.69:22, 189.40.132.69:2222, 195.33.184.198:22, 199.247.139.246:2222, 209.52.162.26:22, 209.52.162.26:2222, 212.49.115.85:22, 212.49.115.85:2222, 214.43.178.148:22, 220.200.168.221:22, 221.196.166.189:2222, 221.227.186.129:22, 221.227.186.129:2222, 24.222.235.127:22, 245.185.97.217:22, 253.46.56.84:22, 253.46.56.84:2222, 38.137.170.140:22, 41.243.65.119:22, 41.243.65.119:2222, 49.199.17.81:22, 49.199.17.81:2222, 54.71.26.106:22, 57.115.147.116:22, 57.115.147.116:2222, 65.248.193.131:22, 65.248.193.131:2222, 65.25.108.29:22, 65.25.108.29:2222, 67.143.139.227:22, 83.223.246.193:2222, 84.113.236.239:22, 84.113.236.239:2222, 90.111.18.215:2222, 90.187.162.82:2222, 94.31.1.200:22, 94.31.1.200:2222, 96.225.95.57:22, 99.195.221.189:22 and 99.195.221.189:2222

Process /tmp/ifconfig scanned port 2222 on 41 IP Addresses

Port 22 Scan

Port 2222 Scan

The file /root/ifconfig was downloaded and executed 5 times

Download and Execute

The file /root/nginx was downloaded and granted execution privileges

The file /usr/bin/uptime was downloaded and executed 2 times

Download and Execute

The file /tmp/ifconfig was downloaded and executed 6 times

Download and Execute

Process /tmp/nginx started listening on ports: 1234

Listening

Connection was closed due to timeout
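The incident summary above is a flat narrative, but each event line follows one of a handful of fixed shapes, so it can be folded into a per-executable profile (which file scanned which port, which one opened the 1234 listener, how many times each was re-downloaded and executed, and which hosts it reached). The parser below is an added example, not Guardicore's own code; its patterns are derived from the event lines on this page, and the sample input is an excerpt of those events with the long destination list cut to its first ten entries.

```python
"""Fold Guardicore-style incident summary lines into a per-process profile.

Added example. Patterns mirror the event sentences printed on this page;
anything else (tag lines such as "Port 22 Scan", the closing timeout line)
is ignored.
"""
import re
from collections import defaultdict

IPV4_PORT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")

EVENT_PATTERNS = {
    "listen": re.compile(r"^Process (\S+) started listening on ports: (.+)$"),
    "scan": re.compile(r"^Process (\S+) scanned port (\d+) on (\d+) IP Addresses$"),
    "outbound": re.compile(r"^Process (\S+) generated outgoing network traffic to: (.+)$"),
    "exec": re.compile(r"^The file (\S+) was downloaded and executed (\d+) times$"),
    "chmod": re.compile(r"^The file (\S+) was downloaded and granted execution privileges$"),
}


def parse_event(line):
    """Return (kind, captured fields) for a recognised event line, else None."""
    for kind, pattern in EVENT_PATTERNS.items():
        m = pattern.match(line.strip())
        if m:
            return kind, m.groups()
    return None


def _new_entry():
    return {"listen": set(), "scan": {}, "exec_count": 0,
            "granted_exec": False, "destinations": set()}


def build_profile(lines):
    """Aggregate events by executable path.

    scan maps port -> largest host count reported for that port; exec_count
    sums the "executed N times" events; destinations is a set of (ip, port).
    """
    profile = defaultdict(_new_entry)
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        kind, f = parsed
        entry = profile[f[0]]
        if kind == "listen":
            entry["listen"].update(int(p) for p in re.findall(r"\d+", f[1]))
        elif kind == "scan":
            port, hosts = int(f[1]), int(f[2])
            entry["scan"][port] = max(entry["scan"].get(port, 0), hosts)
        elif kind == "outbound":
            entry["destinations"].update((ip, int(port)) for ip, port in IPV4_PORT.findall(f[1]))
        elif kind == "exec":
            entry["exec_count"] += int(f[1])
        elif kind == "chmod":
            entry["granted_exec"] = True
    return dict(profile)


def hosts_probed_on_both_ports(destinations):
    """Hosts that were contacted on both 22 and 2222, the pattern the scans show."""
    by_host = defaultdict(set)
    for ip, port in destinations:
        by_host[ip].add(port)
    return sorted(ip for ip, ports in by_host.items() if {22, 2222} <= ports)


# Excerpt of the events on this page; the destination list is truncated to
# its first ten entries.
SAMPLE_EVENTS = [
    "Process /dev/shm/nginx scanned port 22 on 44 IP Addresses",
    "Process /tmp/ifconfig scanned port 22 on 44 IP Addresses",
    "Port 22 Scan",
    "Process /tmp/ifconfig scanned port 2222 on 44 IP Addresses",
    "Process /dev/shm/nginx started listening on ports: 1234",
    "The file /tmp/ifconfig was downloaded and executed 5 times",
    "The file /tmp/nginx was downloaded and executed 130 times",
    "Process /tmp/ifconfig started listening on ports: 1234",
    "Process /tmp/ifconfig generated outgoing network traffic to: 100.75.4.68:22, "
    "100.75.4.68:2222, 109.219.153.97:22, 109.219.153.97:2222, 109.76.129.237:22, "
    "116.101.111.77:2222, 116.249.100.137:22, 116.249.100.137:2222, 121.27.229.100:22 "
    "and 121.27.229.100:2222",
    "Process /tmp/ifconfig scanned port 2222 on 41 IP Addresses",
    "The file /root/nginx was downloaded and granted execution privileges",
    "The file /tmp/ifconfig was downloaded and executed 6 times",
    "Connection was closed due to timeout",
]

if __name__ == "__main__":
    for path, entry in build_profile(SAMPLE_EVENTS).items():
        print(path, entry["listen"], entry["scan"], entry["exec_count"],
              len(entry["destinations"]))
```

The per-port maximum, rather than a sum, is used for scan counts because the same sweep is reported once per tag on this page; summing would double-count it. The destination pairs from the full event line are the ones you would turn into a firewall or NetFlow watch list, keyed on the unusual 22-plus-2222 pairing.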