A new peer-to-peer (P2P) botnet that has been breaching SSH servers since January 2020 deploys a Monero cryptominer on the machines it compromises, data center and cloud security company Guardicore has found.
The so-called FritzFrog botnet has a decentralized infrastructure, as it distributes control among all its nodes, which makes the malware network resilient and up-to-date.
Ophir Harpaz, a security researcher at Guardicore Labs, says the unique feature of FritzFrog is that it is a fileless botnet, as it assembles and executes payloads in-memory.
"It is more aggressive in its brute-force attempts, yet stays efficient by distributing targets evenly within the network. Finally, FritzFrog’s P2P protocol is proprietary and is not based on any existing implementation," Harpaz wrote in an official company statement.
The malware is written in Golang and leaves no traces on disk. The botnet has already attempted to brute-force tens of millions of IP addresses belonging to government offices, educational institutions, banks and numerous telecom companies, Harpaz says.
The malware also runs various shell commands to monitor the state of the host: FritzFrog checks available RAM, SSH logins and CPU usage statistics, among other things.
"These statistics are available for other nodes in the network to consume, and are used to determine, for example, whether to run a cryptominer or not," Harpaz added.
Currently, the malware runs a separate process – named libexec – to initiate mining of the Monero (XMR) cryptocurrency. The miner is based on the XMRig miner and connects to the public pool web.xmrpool.eu over port 5555.
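The indicators the article gives (a miner process named libexec, the public pool web.xmrpool.eu, port 5555, and a payload that never touches disk) are enough for a simple host-side hunt. The script below is an added example written for this page; it is not Guardicore's code and not part of the original report. It parses `ss -tnp`-style socket lines, and the sample socket output, the IP-to-hostname map and the `/proc/<pid>/exe` link targets are all constructed here (the IPs are RFC 5737 documentation addresses). Treating an executable that is `(deleted)` or lives in `/memfd:` as a sign of in-memory execution is this example's own heuristic, not something the article states about FritzFrog.

```python
import re
from dataclasses import dataclass, field

# Indicators taken from the article.
SUSPECT_PROCESS_NAMES = {"libexec"}
SUSPECT_POOL_HOSTS = {"web.xmrpool.eu"}
SUSPECT_POOL_PORTS = {5555}

# Matches the process column of `ss -tnp`, e.g. users:(("libexec",pid=4471,fd=7))
SS_PROC_RE = re.compile(r'users:\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)\)')

# Constructed sample of `ss -tnp` output (documentation IPs, not real hosts).
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:22 203.0.113.7:51234 users:(("sshd",pid=812,fd=4))
ESTAB 0 0 10.0.0.5:40122 198.51.100.23:5555 users:(("libexec",pid=4471,fd=7))
ESTAB 0 0 10.0.0.5:40200 192.0.2.10:443 users:(("curl",pid=4490,fd=3))
ESTAB 0 0 10.0.0.5:40311 192.0.2.55:5555 users:(("java",pid=4510,fd=12))
"""

# Constructed: what a DNS log or reverse lookup would have told us about the peers.
SAMPLE_DNS = {"198.51.100.23": "web.xmrpool.eu"}

# Constructed: readlink("/proc/<pid>/exe") for each pid. The memfd/(deleted) form is an
# assumption about how an in-memory payload would look, not a fact from the article.
SAMPLE_EXE = {
    812: "/usr/sbin/sshd",
    4471: "/memfd:x (deleted)",
    4490: "/usr/bin/curl",
    4510: "/usr/lib/jvm/java-11/bin/java",
}


@dataclass
class Finding:
    pid: int
    name: str
    peer: str
    reasons: list = field(default_factory=list)

    def high_confidence(self):
        # A single weak indicator (e.g. any peer on port 5555) is not enough on its own.
        return len(self.reasons) >= 2


def parse_ss_line(line):
    """Return pid, process name, peer host and port for one `ss -tnp` data line, else None."""
    m = SS_PROC_RE.search(line)
    if m is None:
        return None
    fields = line.split()
    if len(fields) < 5:
        return None
    host, _, port = fields[4].rpartition(":")  # Peer Address:Port; rpartition copes with IPv6
    return {"pid": int(m["pid"]), "name": m["name"], "host": host, "port": int(port)}


def hunt(ss_output, dns_map, exe_links):
    """Score every connection against the FritzFrog miner indicators."""
    findings = []
    for line in ss_output.splitlines():
        conn = parse_ss_line(line)
        if conn is None:
            continue
        reasons = []
        if conn["name"] in SUSPECT_PROCESS_NAMES:
            reasons.append("process name")
        if conn["port"] in SUSPECT_POOL_PORTS:
            reasons.append("pool port")
        if dns_map.get(conn["host"]) in SUSPECT_POOL_HOSTS:
            reasons.append("pool host")
        exe = exe_links.get(conn["pid"], "")
        if exe.startswith("/memfd:") or "(deleted)" in exe:
            reasons.append("in-memory executable")
        if reasons:
            findings.append(Finding(conn["pid"], conn["name"], f'{conn["host"]}:{conn["port"]}', reasons))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_SS, SAMPLE_DNS, SAMPLE_EXE):
        level = "HIGH" if f.high_confidence() else "low"
        print(f"[{level}] pid={f.pid} name={f.name} peer={f.peer} reasons={f.reasons}")
```

On a live host, replace the constructed inputs with the output of `ss -tnp`, your resolver logs and `readlink /proc/<pid>/exe` for each pid; because the payload is fileless, the process listing and socket table are the artifacts worth collecting before the machine is rebooted.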
Monero remains one of the cryptocurrencies attackers favor today because of its privacy features and the difficulty of tracing its transactions.
iHodl earlier reported that the hacker group Blue Mockingbird managed to break into thousands of corporate servers to install a hidden XMR miner.
Red Canary's cybersecurity experts said the attackers had exploited the CVE-2019-18935 vulnerability to install a web shell on the targeted servers. They then used a version of the Juicy Potato technique to gain administrator-level access and install the XMRig program to mine XMR.