Botnet Encyclopedia

A Knowledge Base of Attack Campaigns captured by Guardicore Global Sensor Network

Campaign Information

Name

FritzFrog
active

First seen in Guardicore Centra

2020-01-09

Last seen in Guardicore Centra

2020-07-12

Currently under research. This botnet has been attacking the Guardicore Global Sensors Network since January 2020. After breaching SSH servers by brute force, the attacker deploys sophisticated malware written in Golang. The malware initiates numerous connections to external IP addresses on ports 22 and 2222. The attacker retains access to infected machines through two techniques: adding the attacker's public SSH key to the authorized_keys file, and listening on port 1234 for incoming connections. This opportunistic campaign works hard to eliminate competitors by killing CPU-demanding processes on the Linux system.
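As an added example (not Guardicore's code, nor anything from the campaign itself), the following Python triages a host snapshot for the three traits described above: the port-1234 listener, a dropped binary fanning out to many peers on ports 22 and 2222, and an authorized_keys entry nobody approved. The socket snapshot, the key file and the peer-count threshold are constructed assumptions; only the port numbers and the two binary paths come from this page.

```python
"""Host triage for the FritzFrog traits described above (added example, not
Guardicore's or the botnet's code); inputs are constructed snapshots, not live data."""
from collections import defaultdict, namedtuple

# Indicators taken from the campaign description and incident summary.
BACKDOOR_PORT = 1234
DROPPED_BINARIES = {"/root/ifconfig", "/root/nginx"}
SSH_PORTS = {22, 2222}
SCAN_PEER_THRESHOLD = 10  # assumption: this many distinct SSH peers from one process is scanning

# state is "LISTEN" or "ESTAB"; exe is the owning process path; peer_* stay empty for listeners.
Socket = namedtuple("Socket", "state local_port exe peer_ip peer_port", defaults=("", 0))


def unapproved_keys(authorized_keys, approved_blobs):
    """Yield key blobs from authorized_keys text that are not in the approved set."""
    for line in authorized_keys.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, f in enumerate(fields[:-1]):  # options may precede the key type
            if f.startswith(("ssh-", "ecdsa-", "sk-")):
                if fields[i + 1] not in approved_blobs:
                    yield fields[i + 1]
                break


def triage(sockets, authorized_keys, approved_blobs):
    """Return (kind, detail) findings: the port-1234 listener, a dropped binary or
    any process fanning out to many SSH peers, and SSH keys nobody approved."""
    findings, peers = [], defaultdict(set)
    for s in sockets:
        if s.state == "LISTEN" and s.local_port == BACKDOOR_PORT:
            findings.append(("backdoor_listener", f"{s.exe} listens on {s.local_port}"))
        elif s.state == "ESTAB" and s.peer_port in SSH_PORTS:
            peers[s.exe].add(s.peer_ip)
    for exe, ips in peers.items():
        if exe in DROPPED_BINARIES or len(ips) >= SCAN_PEER_THRESHOLD:
            findings.append(("ssh_fanout", f"{exe} reached {len(ips)} SSH peers"))
    findings += [("unapproved_key", b) for b in unapproved_keys(authorized_keys, approved_blobs)]
    return findings


# Constructed snapshot: sshd plus the dropped binary listening on 1234 and fanning
# out to TEST-NET addresses on 22/2222; one approved key and one unknown key.
SAMPLE_SOCKETS = [Socket("LISTEN", 22, "/usr/sbin/sshd"), Socket("LISTEN", 1234, "/root/ifconfig")] + [
    Socket("ESTAB", 40000 + i, "/root/ifconfig", f"198.51.100.{i}", 22 if i % 2 else 2222) for i in range(12)]
SAMPLE_AUTH_KEYS = """# admin workstation
ssh-ed25519 AAAAC3Nza_ADMIN_PLACEHOLDER admin@example.org
ssh-rsa AAAAB3Nza_UNKNOWN_PLACEHOLDER
"""
APPROVED_BLOBS = {"AAAAC3Nza_ADMIN_PLACEHOLDER"}
```

Calling `triage(SAMPLE_SOCKETS, SAMPLE_AUTH_KEYS, APPROVED_BLOBS)` yields one finding per trait; on a clean host with only sshd listening and every key approved it returns an empty list.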


Attack Flow

Breached Services

SSH

SCP

Tags

Port 22 Scan

SSH

25 Shell Commands

Successful SSH Login

Listening

Port 2222 Scan

Download and Execute

Incident Summary

A user logged in using SSH with the following credentials: root / **** – Authentication policy: White List

Successful SSH Login

A user logged in using SSH with the following credentials: root / **** – Authentication policy: Correct Password 16 times

Successful SSH Login

The file /root/ifconfig was downloaded and executed 6 times

Download and Execute

Process /root/ifconfig scanned port 22 on 35 IP Addresses

Port 22 Scan

Port 2222 Scan

Process /root/ifconfig scanned port 22 on 28 IP Addresses

Port 22 Scan

Port 2222 Scan

Process /root/ifconfig scanned port 2222 on 35 IP Addresses

Port 22 Scan

Port 2222 Scan

Process /root/ifconfig started listening on ports: 1234

Listening

The file /root/nginx was downloaded and executed 44 times

Download and Execute

Process /root/ifconfig generated outgoing network traffic to a list of external IP addresses on ports 22 and 2222

Process /root/ifconfig scanned port 2222 on 28 IP Addresses

Port 22 Scan

Port 2222 Scan

Connection was closed due to timeout