FritzFrog is a decentralized botnet that uses P2P protocols to manage its nodes.
After the SSH server is hacked, fileless malware is loaded onto the system and executed only in memory, turning the device into a bot capable of receiving and executing commands. The FritzFrog malware is unpacked on the system under the names ifconfig and nginx and is launched as a command-pending startup process listening on port 1234. These commands are easy enough to detect, so the attackers connect to the victim via SSH and launch the Netcat client.
All commands are transmitted in encrypted form. The first connects the device to an existing botnet, while the rest are used to install the backdoor, monitor the network, PC and CPU resources.
According to experts, FritzFrog uses a proprietary P2P protocol, which may indicate the high professionalism of its developers. Guardicore Labs was unable to find concrete evidence of any group’s involvement in the botnet, but they did find some similarities between FritzFrog and the botnet.
ORIGINAL PAGE –