According to a recent report published by Guardicore Labs, a peer-to-peer botnet referred to as FritzFrog has attempted to brute-force its way into around 10 million IP addresses. The malware has largely targeted governmental offices, educational institutions, medical centers, banks, and telecommunication companies, installing the open-source Monero (XMR) miner XMRig on the machines it compromises.
Guardicore Labs explains that FritzFrog gains access to servers by brute-forcing SSH logins across millions of addresses: the attacker submits many candidate passwords or passphrases in the hope of eventually guessing correctly.
Once it is in, it starts a separate process named “libexec”, which runs XMRig.
“It has successfully breached over 500 SSH servers, including those of known high-education institutions within the United States & Europe, and a railway company.”
The cybersecurity firm said that FritzFrog appears to be one of a kind, and that tracing it had been a “complicated task” because its connections were hidden inside an encrypted P2P network.
Ophir Harpaz, a researcher at Guardicore Labs, added:
“Unlike other P2P botnets, FritzFrog combines a group of properties that makes it unique: it’s fileless, because it assembles and executes payloads in-memory. It’s more aggressive in its brute-force attempts, yet stays efficient by distributing targets evenly within the network.”
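The two traits above, a miner running under the process name “libexec” and payloads that never touch disk, are both visible from /proc on a Linux host. The following script is an added example written for this article, not Guardicore's own detection tool; the record format, the sample process list and the two heuristics (a matching process name, and an executable link that points at a deleted or memfd-backed file, which is how in-memory payloads commonly appear) are assumptions for illustration.

```python
"""Flag processes that look like an in-memory miner wrapper.

Added example; not from Guardicore. Heuristics:
  1. the process name matches the reported wrapper name "libexec";
  2. /proc/<pid>/exe does not resolve to a file on disk (it ends in
     " (deleted)" or starts with "/memfd:"), which is what a payload
     assembled and executed in memory typically looks like.
"""
import os
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Process name reported for the miner wrapper (assumed: only this name).
SUSPICIOUS_NAMES = {"libexec"}


@dataclass
class ProcRecord:
    pid: int
    comm: str            # contents of /proc/<pid>/comm
    exe: Optional[str]   # readlink of /proc/<pid>/exe, None if unreadable


def is_fileless(exe: Optional[str]) -> bool:
    """True when the executable is not backed by a file on disk."""
    if exe is None:
        return False
    return exe.endswith(" (deleted)") or exe.startswith("/memfd:")


def flag(rec: ProcRecord) -> List[str]:
    """Return the reasons a single process looks suspicious (empty if none)."""
    reasons = []
    if rec.comm in SUSPICIOUS_NAMES:
        reasons.append(f"process name {rec.comm!r} matches the miner wrapper")
    if is_fileless(rec.exe):
        reasons.append(f"executable not backed by a file on disk: {rec.exe}")
    return reasons


def scan(records: Iterable[ProcRecord]) -> Dict[int, List[str]]:
    """Map pid -> reasons for every process that triggers a heuristic."""
    return {r.pid: reasons for r in records if (reasons := flag(r))}


def collect_procfs() -> List[ProcRecord]:
    """Read live processes from /proc (Linux only; reading another user's
    exe link generally needs root, unreadable links are kept as None)."""
    out = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
        except OSError:
            continue  # process exited between listing and reading
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = None
        out.append(ProcRecord(pid, comm, exe))
    return out


# Constructed sample process table (not captured from a real host).
SAMPLE = [
    ProcRecord(1, "systemd", "/usr/lib/systemd/systemd"),
    ProcRecord(812, "sshd", "/usr/sbin/sshd"),
    ProcRecord(4117, "libexec", "/memfd:x (deleted)"),   # name + fileless
    ProcRecord(4120, "nginx", "/tmp/nginx (deleted)"),   # fileless only
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE).items():
        print(pid, "; ".join(reasons))
    # To run against the live host instead: scan(collect_procfs())
```

A process named libexec is not on its own proof of infection, and a deleted executable can also be a binary that was upgraded while running, so treat hits as leads to confirm (outbound connections, CPU usage, the parent sshd session) rather than verdicts.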
Harpaz recommends choosing strong passwords and using public-key authentication, “which is far safer,” to avoid being compromised by cryptojacking malware like FritzFrog.
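Moving to public-key authentication means more than adding a key: sshd must also stop accepting passwords, and because sshd honours the first occurrence of a keyword in sshd_config, a “PasswordAuthentication no” appended below an earlier “yes” changes nothing. The checker below is an added example, not code from Guardicore or OpenSSH; the two config texts are constructed, the expected values reflect OpenSSH's documented defaults, and the checker deliberately stops at the first Match block (an assumption: only global settings are audited).

```python
"""Audit an sshd_config for settings that still allow password guessing.

Added example. Implements sshd's first-occurrence-wins rule for global
keywords and ignores everything from the first "Match" line onward.
"""
import re
from typing import Dict, List

# OpenSSH defaults used when a keyword is absent from the file.
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "kbdinteractiveauthentication": "yes",  # older name: ChallengeResponseAuthentication
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective global keyword -> value map (lower-cased)."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break  # per-host/user overrides follow; out of scope here
        if len(parts) == 2 and key not in settings:  # first occurrence wins
            settings[key] = parts[1].strip().lower()
    # ChallengeResponseAuthentication is the legacy spelling of the same knob.
    if "kbdinteractiveauthentication" not in settings and \
            "challengeresponseauthentication" in settings:
        settings["kbdinteractiveauthentication"] = settings["challengeresponseauthentication"]
    return settings


def audit(text: str) -> List[str]:
    """List the findings a hardened host should have none of."""
    s = parse_sshd_config(text)
    eff = lambda k: s.get(k, DEFAULTS[k])
    findings = []
    if eff("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no': passwords can be brute-forced")
    if eff("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if eff("permitrootlogin") not in ("no", "prohibit-password"):
        findings.append("PermitRootLogin allows root to log in with a password")
    if eff("kbdinteractiveauthentication") != "no":
        findings.append("KbdInteractiveAuthentication is on: PAM can still prompt for a password")
    if eff("permitemptypasswords") != "no":
        findings.append("PermitEmptyPasswords is enabled")
    return findings


# Constructed sample: passwords accepted; the trailing "no" is ignored by sshd.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
"""

# Constructed sample: key-only logins.
HARDENED_CONFIG = """
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
AuthenticationMethods publickey
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or ["ok"])
    # On a real host: print(audit(open("/etc/ssh/sshd_config").read()))
```

Run it against /etc/ssh/sshd_config before restarting sshd, and confirm the live result with `sshd -T`, which prints the effective values after all includes and Match blocks are applied.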
Separately, researchers at Cado Security recently detected what they believe to be the first cryptomining worm that steals AWS credentials, attributed to a group known as TeamTNT; it, too, deploys the XMRig miner.