A Knowledge Base of Attack Campaigns captured by Guardicore Global Sensor Network
Campaign Information

| Field | Value |
|---|---|
| Name | FritzFrog |
| First seen in Guardicore Centra | 2020-01-09 |
| Last seen in Guardicore Centra | 2020-08-18 |
| Description | FritzFrog is a unique, sophisticated P2P botnet, active since January 2020. Breaching SSH servers using brute force, the attackers deploy a complex worm malware written in Golang. A backdoor in the form of a public SSH key is added to the victim's authorized_keys file. The malware immediately starts listening on port 1234, where it will receive commands from its network peers. The FritzFrog malware works hard to eliminate competitors by killing CPU-demanding processes on the Linux system where it runs. |
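The three host-level traces the description and the incident summary give a defender (an unexpected public key in authorized_keys, a process listening on TCP 1234, and payloads executed from /tmp, /dev/shm or /root under benign-looking names such as nginx and ifconfig) can be checked with a short script. The example below is added here and is not Guardicore's code; the authorized_keys contents, the allow-list of known key fingerprints and the process table are constructed sample data, and the fingerprint routine follows the OpenSSH SHA256 format (base64 of the SHA-256 of the decoded key blob, padding stripped).

```python
"""Host-side triage for the FritzFrog indicators described on this page.

Added example, not Guardicore's own tooling. All sample data is constructed.
"""
import base64
import hashlib

# Directories and file names the incident summary recorded as
# downloaded-and-executed payloads (/dev/shm/nginx, /tmp/ifconfig, ...).
SUSPECT_DIRS = ("/tmp/", "/dev/shm/", "/root/")
SUSPECT_NAMES = {"nginx", "ifconfig"}
# Port the malware listens on for commands from its peers.
P2P_PORT = 1234


def ssh_fingerprint(key_line: str) -> str:
    """Return the OpenSSH-style SHA256 fingerprint of one authorized_keys line."""
    fields = key_line.split()
    # An entry may start with options (e.g. no-pty); the key type is the first
    # field that looks like one and the base64 blob is the field after it.
    for i, field in enumerate(fields):
        if field.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(fields):
            blob = base64.b64decode(fields[i + 1])
            digest = base64.b64encode(hashlib.sha256(blob).digest()).decode()
            return "SHA256:" + digest.rstrip("=")
    raise ValueError("not an authorized_keys entry: " + key_line)


def unknown_keys(authorized_keys: str, allowed_fingerprints: set) -> list:
    """Fingerprints present in authorized_keys but absent from the allow-list."""
    found = []
    for line in authorized_keys.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fingerprint = ssh_fingerprint(line)
        if fingerprint not in allowed_fingerprints:
            found.append(fingerprint)
    return found


def suspicious_processes(processes: list) -> list:
    """processes: (pid, executable path, listening TCP ports) tuples.

    Returns (pid, [reasons]) for every process matching a page indicator.
    """
    hits = []
    for pid, exe, ports in processes:
        reasons = []
        if P2P_PORT in ports:
            reasons.append(f"listening on {P2P_PORT}")
        if exe.startswith(SUSPECT_DIRS) and exe.rsplit("/", 1)[-1] in SUSPECT_NAMES:
            reasons.append("payload-style path " + exe)
        if reasons:
            hits.append((pid, reasons))
    return hits


def _fake_key(seed: bytes) -> str:
    # Constructed blob: valid wire-format type prefix plus arbitrary bytes.
    # This is NOT a real key and cannot be used for authentication.
    blob = b"\x00\x00\x00\x0bssh-ed25519" + seed
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " admin@host"


# Constructed sample evidence: one known admin key, one unknown key with options.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    _fake_key(b"known-admin-key"),
    "no-pty " + _fake_key(b"unknown-backdoor-key"),
])
KNOWN_FINGERPRINTS = {ssh_fingerprint(_fake_key(b"known-admin-key"))}
SAMPLE_PROCESSES = [
    (812, "/usr/sbin/sshd", [22]),
    (2231, "/dev/shm/nginx", [1234]),
    (2290, "/tmp/ifconfig", []),
    (1011, "/usr/sbin/nginx", [80]),
]


def triage(authorized_keys: str = SAMPLE_AUTHORIZED_KEYS,
           known: set = KNOWN_FINGERPRINTS,
           processes: list = SAMPLE_PROCESSES) -> dict:
    """Run both checks and return the findings as a dict."""
    return {
        "unknown_keys": unknown_keys(authorized_keys, known),
        "suspicious_processes": suspicious_processes(processes),
    }


if __name__ == "__main__":
    for name, findings in triage().items():
        print(name, findings)
```

On a real host the allow-list would hold the fingerprints of keys that are expected to be present, and the process tuples would come from the system (for example from a process listing joined with socket state); the flagged fingerprint is what to compare against the backdoor key in a full FritzFrog write-up.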
Indicators of Compromise
Source IPs
Connect-Back Servers
- 57.100.69.129
- 3.127.255.82
- 166.168.111.151
- 113.108.88.92
- 122.51.34.215
- 166.255.227.179
- 107.187.122.10
- 78.5.170.222
- 122.51.48.52
- 71.62.129.30
- 176.99.12.209
- 45.143.136.213
- 60.253.116.46
- 47.91.87.67
- 45.32.128.117
- myvzw.com
- amazonaws.com
- ip-51-75-31.eu
- verizon.net
- nuk.edu.tw
- orange-business.com
- comcastbusiness.net
- comcast.net
- oleane.fr
- contaboserver.net
- regruhosting.ru
- utm.my
- fluidata.co.uk
- example.com
- ip-198-100-146.net
Attack Flow

| Field | Value |
|---|---|
| Breached Services | SSH, SCP |
| Tags | Port 2222 Scan, SSH, Listening, Port 22 Scan, Successful SSH Login, Download and Allow Execution, Download and Execute, 29 Shell Commands |
Incident Summary

| Event | Tags |
|---|---|
| A user logged in using SSH with the following credentials: root / **** – Authentication policy: White List | Successful SSH Login |
| A user logged in using SSH with the following credentials: root / **** – Authentication policy: Correct Password, 11 times | Successful SSH Login |
| Process /dev/shm/nginx scanned port 22 on 44 IP Addresses | Port 22 Scan |
| Process /tmp/ifconfig scanned port 22 on 44 IP Addresses | Port 22 Scan, Port 2222 Scan |
| Process /tmp/ifconfig scanned port 2222 on 44 IP Addresses | Port 22 Scan, Port 2222 Scan |
| Process /tmp/ifconfig scanned port 22 on 41 IP Addresses | Port 22 Scan, Port 2222 Scan |
| Process /dev/shm/nginx started listening on ports: 1234 | Listening |
| The file /tmp/ifconfig was downloaded and executed 5 times | Download and Execute |
| The file /tmp/nginx was downloaded and executed 130 times | Download and Execute |
| Process /tmp/ifconfig started listening on ports: 1234 | Listening |
| Process /tmp/ifconfig generated outgoing network traffic to: 100.75.4.68:22, 100.75.4.68:2222, 109.219.153.97:22, 109.219.153.97:2222, 109.76.129.237:22, 116.101.111.77:2222, 116.249.100.137:22, 116.249.100.137:2222, 121.27.229.100:22, 121.27.229.100:2222, 123.234.90.157:22, 123.234.90.157:2222, 126.251.94.82:2222, 13.23.100.230:22, 13.23.100.230:2222, 136.83.64.63:22, 136.83.64.63:2222, 144.125.159.153:2222, 145.186.12.214:2222, 148.187.116.219:22, 148.35.19.56:22, 148.35.19.56:2222, 159.108.147.215:22, 159.108.147.215:2222, 161.121.38.212:22, 161.121.38.212:2222, 167.63.93.190:22, 167.63.93.190:2222, 170.146.4.54:22, 170.146.4.54:2222, 171.126.124.202:2222, 176.78.211.172:22, 176.78.211.172:2222, 177.239.35.240:22, 177.239.35.240:2222, 181.135.96.130:22, 183.222.1.196:22, 183.222.1.196:2222, 186.223.65.211:22, 186.223.65.211:2222, 187.64.216.162:22, 187.64.216.162:2222, 188.188.50.54:22, 188.188.50.54:2222, 189.40.132.69:22, 189.40.132.69:2222, 195.33.184.198:22, 199.247.139.246:2222, 209.52.162.26:22, 209.52.162.26:2222, 212.49.115.85:22, 212.49.115.85:2222, 214.43.178.148:22, 220.200.168.221:22, 221.196.166.189:2222, 221.227.186.129:22, 221.227.186.129:2222, 24.222.235.127:22, 245.185.97.217:22, 253.46.56.84:22, 253.46.56.84:2222, 38.137.170.140:22, 41.243.65.119:22, 41.243.65.119:2222, 49.199.17.81:22, 49.199.17.81:2222, 54.71.26.106:22, 57.115.147.116:22, 57.115.147.116:2222, 65.248.193.131:22, 65.248.193.131:2222, 65.25.108.29:22, 65.25.108.29:2222, 67.143.139.227:22, 83.223.246.193:2222, 84.113.236.239:22, 84.113.236.239:2222, 90.111.18.215:2222, 90.187.162.82:2222, 94.31.1.200:22, 94.31.1.200:2222, 96.225.95.57:22, 99.195.221.189:22 and 99.195.221.189:2222 | |
| Process /tmp/ifconfig scanned port 2222 on 41 IP Addresses | Port 22 Scan, Port 2222 Scan |
| The file /root/ifconfig was downloaded and executed 5 times | Download and Execute |
| The file /root/nginx was downloaded and granted execution privileges | |
| The file /usr/bin/uptime was downloaded and executed 2 times | Download and Execute |
| The file /tmp/ifconfig was downloaded and executed 6 times | Download and Execute |
| Process /tmp/nginx started listening on ports: 1234 | Listening |
| Connection was closed due to timeout | |