A new form of peer-to-peer (P2P) malware has been discovered that sets a new bar for nastiness. Called FritzFrog, it has been found in various networks since the beginning of the year. Why is it so noteworthy? Several reasons: it is fileless, operates in a completely decentralized fashion, was written from scratch, is frequently updated and enhanced, and hasn’t yet been claimed by any known threat actor. Let’s examine each of these points.
Fileless malware uses code that already exists on the average Windows endpoint, such as PowerShell, Windows Management Interface and Visual Basic. (There are Linux fileless cases too, and Linux is what FritzFrog runs on.) I have a more complete explanation in a blog post that I wrote for Security Intelligence. It is nasty because nothing is written to disk that uniquely identifies the malware, and under special circumstances it can persist after a reboot. To hide itself, it runs under the names of common, legitimate Linux programs such as ifconfig and nginx, so that at first glance its processes look benign.
FritzFrog’s code is also cleverly crafted. Many malware samples reuse existing open source code or well-known past attack patterns. This frog, by contrast, is more of a prince: its code is unique. What is more troubling is that the researchers have cataloged 20 different versions since they found the first samples back in January. These newer versions carry data about newly identified targets and about which endpoints are running active copies of the malware.
Its command structure was also hard to figure out, mainly because it has no centralized servers. We all probably remember how WannaCry was brought down by a simple hack to its command server by Marcus Hutchins. FritzFrog is completely decentralized and uses a P2P network to control its operation and distribute workloads. Think about that last item for a moment: the code has an interesting load balancing technique that spreads the attacks across the P2P nodes so that no two nodes ever try to attack the same target endpoint. That shows some careful attention to detail. On top of this, the malware communicates over encrypted SSH connections to further avoid detection.
What is even more troubling is that the P2P protocol it uses isn’t some quick knock-off; it is proprietary and newly minted just for its own nefarious purpose. This P2P network is used to share files that infect new endpoints as well as to run malicious payloads, such as the Monero cryptomining software.
The Guardicore Labs researchers have shared their own detection script that they used to ferret out the frogs. The script looks for oddly behaved processes that listen on port 1234 but have no corresponding executable file on disk. That port has legitimate uses, such as streaming VLC video and a few online games, but it has also carried a variety of malware traffic over the years.
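The detection idea just described, a listener on port 1234 with no backing executable, can be reproduced from the kernel's own bookkeeping. The script below is an added example written for this post; it is not the Guardicore Labs script, and the `/proc/net/tcp` sample embedded in it is constructed for offline demonstration. On a live host it needs root to inspect other users' processes, and the same parser can be pointed at `/proc/net/tcp6` for IPv6 listeners.

```python
"""Hunt for a FritzFrog-style fileless listener on TCP port 1234.

Added example for this post, not the Guardicore Labs detection script.
It reads the same kernel sources a hunter would use: /proc/net/tcp for
listening sockets, /proc/<pid>/fd to map a socket back to a process, and
/proc/<pid>/exe to see whether the process still has a file on disk.
"""
import os
from dataclasses import dataclass

SUSPECT_PORT = 1234          # the port discussed in the post
TCP_LISTEN = "0A"            # socket state code for LISTEN in /proc/net/tcp

# Constructed sample of /proc/net/tcp: an sshd-style listener on 0x0016 (22),
# a listener on 0x04D2 (1234), and an ESTABLISHED connection to be ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18431 1 0000000000000000 100 0 0 10 0
   1: 00000000:04D2 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 27713 1 0000000000000000 100 0 0 10 0
   2: 0100007F:04D2 0100007F:B9A2 01 00000000:00000000 00:00000000 00000000     0        0 27720 1 0000000000000000 20 4 30 10 -1
"""


@dataclass
class Listener:
    port: int
    inode: str


def parse_listeners(proc_net_tcp_text, port=SUSPECT_PORT):
    """Return LISTEN sockets bound to `port`, identified by socket inode."""
    found = []
    for line in proc_net_tcp_text.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        local_addr, state, inode = fields[1], fields[3], fields[9]
        local_port = int(local_addr.rsplit(":", 1)[1], 16)  # hex port
        if state == TCP_LISTEN and local_port == port:
            found.append(Listener(local_port, inode))
    return found


def pids_owning_socket(inode, proc="/proc"):
    """Map a socket inode to the PIDs that hold it as a file descriptor."""
    target = f"socket:[{inode}]"
    owners = []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                 # process exited, or not readable by us
            continue
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    owners.append(int(entry))
                    break
            except OSError:
                continue
    return owners


def is_fileless(exe_link):
    """True when /proc/<pid>/exe no longer points at a file on disk.

    A binary deleted after exec shows as '/path (deleted)'; an image loaded
    through memfd shows as '/memfd:name (deleted)'; an unreadable link is
    treated as suspect as well.
    """
    return exe_link == "" or exe_link.endswith(" (deleted)")


def exe_of(pid, proc="/proc"):
    try:
        return os.readlink(os.path.join(proc, str(pid), "exe"))
    except OSError:
        return ""


def hunt(proc_net_tcp_text=None, proc="/proc"):
    """Return (pid, exe) pairs for fileless processes listening on the port."""
    if proc_net_tcp_text is None:
        with open(os.path.join(proc, "net", "tcp")) as fh:
            proc_net_tcp_text = fh.read()
    hits = []
    for listener in parse_listeners(proc_net_tcp_text):
        for pid in pids_owning_socket(listener.inode, proc):
            exe = exe_of(pid, proc)
            if is_fileless(exe):
                hits.append((pid, exe))
    return hits


if __name__ == "__main__":
    for pid, exe in hunt():
        print(f"suspect fileless listener on {SUSPECT_PORT}: pid={pid} exe={exe!r}")
```

A hit is a lead, not a verdict: a legitimate daemon whose package was upgraded while it kept running also shows `(deleted)`, so compare the process name and start time against your change records before acting. Processes named ifconfig or nginx that are listening on this port deserve the same scrutiny, since the post notes FritzFrog borrows exactly those names.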
What can you learn from the frog attacks?
A few things: first, if your security solution is only looking at ports and protocols, you need to up your game and find a better product that can inspect processes and catch more sophisticated attacks. Second, if you are still not using MFA to back up your passwords, particularly among your development team, now is the time to get on board.
Because the frog uses SSH to communicate, you should examine all your gear, including routers and other IoT devices, and turn off SSH access if you aren’t using it, or move it to a non-standard port if you are. Finally, you should ensure that the SSH keys used by FritzFrog aren’t present in your authorized key collections, because finding one there would indicate that it has already penetrated your network.
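That last check is easiest to automate by comparing every key in your authorized_keys files against an allowlist of fingerprints you know you issued. The script below is an added example for this post, not code from the article or from Guardicore; it computes the same SHA256 fingerprint that `ssh-keygen -lf` prints, and the two keys in its embedded sample file are constructed placeholders rather than real keys.

```python
"""Audit authorized_keys files against an allowlist of known fingerprints.

Added example for this post (not from the original article or Guardicore).
Any key whose SHA256 fingerprint is not on the allowlist is reported for
review, which is how a key planted by malware such as FritzFrog would
surface even if its comment field looks innocent.
"""
import base64
import glob
import hashlib

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

# Constructed sample key blobs (NOT real keys) so the audit runs offline.
_BLOB_A = base64.b64encode(b"constructed key blob A").decode()
_BLOB_B = base64.b64encode(b"constructed key blob B").decode()
SAMPLE_AUTHORIZED_KEYS = f"""\
# deploy user keys (constructed sample)
ssh-ed25519 {_BLOB_A} alice@laptop
no-pty,command="/usr/bin/backup" ssh-rsa {_BLOB_B} backup@host
"""


def fingerprint(key_line):
    """Return (fingerprint, comment) for one authorized_keys line.

    The fingerprint is OpenSSH's notation: 'SHA256:' plus the unpadded
    base64 of the SHA-256 of the decoded key blob. Leading option fields
    such as no-pty or command="..." are skipped.
    """
    tokens = key_line.split()
    for i, tok in enumerate(tokens):
        if tok.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(tokens):
            blob = base64.b64decode(tokens[i + 1])
            digest = hashlib.sha256(blob).digest()
            fp = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
            return fp, " ".join(tokens[i + 2:])
    raise ValueError(f"not a public key line: {key_line[:40]!r}")


def audit_text(text, allowed_fingerprints, source="<memory>"):
    """Return (source, line number, fingerprint, comment) for unknown keys."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            fp, comment = fingerprint(line)
        except ValueError:
            findings.append((source, lineno, "unparseable", line))
            continue
        if fp not in allowed_fingerprints:
            findings.append((source, lineno, fp, comment))
    return findings


def audit_host(allowed_fingerprints, patterns=("/root/.ssh/authorized_keys",
                                               "/home/*/.ssh/authorized_keys")):
    """Audit every authorized_keys file matched by the glob patterns."""
    findings = []
    for pattern in patterns:
        for path in glob.glob(pattern):
            with open(path) as fh:
                findings.extend(audit_text(fh.read(), allowed_fingerprints, path))
    return findings


if __name__ == "__main__":
    # Build the allowlist from your key inventory; here only the first
    # sample key is trusted, so the second one is reported.
    trusted = {fingerprint("ssh-ed25519 " + _BLOB_A)[0]}
    for source, lineno, fp, comment in audit_text(SAMPLE_AUTHORIZED_KEYS, trusted):
        print(f"{source}:{lineno}: unknown key {fp} ({comment})")
```

Build the allowlist from a central key inventory rather than from the hosts being audited, otherwise a planted key simply allowlists itself. The comment field is untrusted text that anyone writing the file controls, so the fingerprint, not the comment, is what decides whether a key is known.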