
FritzFrog is a P2P botnet attacking SSH and mining Monero

Experts from Guardicore discovered the FritzFrog botnet, which uses sophisticated peer-to-peer (P2P) methods to communicate between nodes. The network therefore has no central point, and the individual nodes communicate completely independently. The botnet actively searches for and attacks SSH servers and installs its own public key for future logins. At the same time, it mines the Monero cryptocurrency on the infected servers.

The malware is written in the Go language and, according to the available information, it has already tried to attack tens of millions of different servers, at least 500 of which have been successfully attacked. Experts have already discovered 20 different versions of this botnet. The process is disguised as ifconfig, libexec or nginx and lives only in memory, so you won’t find it on disk.

If your server is infected, you will find the following public key in the authorized_keys file:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJYZIsncBTFc+iCRHXkeGfFA67j+kUVf7h/IL+sh0RXJn7yDN0vEXz7ig73hC//2/71sND+x+Wu0zytQhZxrCPzimSyC8FJCRtcqDATSjvWsIoI4j/AJyKk5k3fCzjPex3moc48TEYiSbAgXYVQ62uNhx7ylug50nTcUH1BNKDiknXjnZfueiqAO1vcgNLH4qfqIj7WWXu8YgFJ9qwYmwbMm+S7jYYgCtD107bpSR7/WoXSr1/SJLGX6Hg1sTet2USiNevGbfqNzciNxOp08hHQIYp2W9sMuo02pXj9nEoiximR4gSKrNoVesqNZMcVA0Kku01uOuOBAOReN7KJQBt

The botnet spreads by guessing passwords, so the defense is to use strong passwords or, better yet, to log in with a public key.
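The check described above can be automated across every account on a server. The following is an added example, not code from Guardicore or from the original article; it assumes sshd uses the default key file locations (`.ssh/authorized_keys` and `.ssh/authorized_keys2` in each home directory) and should be run as root so that all files are readable. The function names and the sample file are constructed for illustration.

```python
import os
import pwd

# Base64 field of the ssh-rsa key published in the article above.
FRITZFROG_BLOB = "AAAAB3NzaC1yc2EAAAADAQABAAABAQDJYZIsncBTFc+iCRHXkeGfFA67j+kUVf7h/IL+sh0RXJn7yDN0vEXz7ig73hC//2/71sND+x+Wu0zytQhZxrCPzimSyC8FJCRtcqDATSjvWsIoI4j/AJyKk5k3fCzjPex3moc48TEYiSbAgXYVQ62uNhx7ylug50nTcUH1BNKDiknXjnZfueiqAO1vcgNLH4qfqIj7WWXu8YgFJ9qwYmwbMm+S7jYYgCtD107bpSR7/WoXSr1/SJLGX6Hg1sTet2USiNevGbfqNzciNxOp08hHQIYp2W9sMuo02pXj9nEoiximR4gSKrNoVesqNZMcVA0Kku01uOuOBAOReN7KJQBt"


def find_key(text, blob=FRITZFROG_BLOB):
    """Return line numbers of authorized_keys entries that carry `blob`.

    Matching on the base64 field alone still hits when the entry has an
    options prefix or a different trailing comment.
    """
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line and not line.startswith("#") and blob in line.split():
            hits.append(no)
    return hits


def scan_host(blob=FRITZFROG_BLOB):
    """Check the key files of every account listed in the passwd database."""
    findings = []
    for home in sorted({p.pw_dir for p in pwd.getpwall()}):
        for name in ("authorized_keys", "authorized_keys2"):
            path = os.path.join(home, ".ssh", name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # file missing or not readable
            findings += [(path, no) for no in find_key(text, blob)]
    return findings


# Constructed sample: a harmless key, a commented-out line, and a match
# hidden behind an options prefix with a changed comment.
SAMPLE = "\n".join([
    "# constructed sample file",
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyForDemo admin@example",
    "# ssh-rsa " + FRITZFROG_BLOB,
    'no-pty,command="/bin/true" ssh-rsa ' + FRITZFROG_BLOB + " any-comment",
])

if __name__ == "__main__":
    for path, no in scan_host():
        print(f"FritzFrog key found: {path}:{no}")
```

If `AuthorizedKeysFile` in sshd_config points somewhere else, those paths need to be checked as well.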

