FritzFrog

Malware

⚠️ Overview

FritzFrog is a peer-to-peer (P2P) botnet and backdoor first discovered by Guardicore Labs in August 2020, attributed to an unknown threat actor; it targets SSH servers globally and is classified as a worm-like botnet that uses a decentralized P2P command and control (C2) infrastructure without a central server.

🔧 Technical Capabilities

FritzFrog propagates by brute-forcing SSH credentials on exposed TCP port 22 using a hardcoded dictionary of common usernames and passwords, and upon successful access, it installs a backdoor that operates entirely in memory, leaving no files on disk. The malware uses a distributed P2P C2 network where each infected node communicates with up to 200 peers via a custom UDP-based protocol, and it can execute arbitrary shell commands, upload or download files, and relay traffic for other nodes. Persistence is achieved by adding an SSH public key to the victim's authorized_keys file and by modifying cron jobs to re-establish the backdoor after reboot. Evasion techniques include memory-only execution, encryption of network traffic with a hardcoded key, and randomizing the P2P communication ports to avoid detection by static firewall rules.

📜 History & Notable Incidents

First documented in an August 2020 report by Guardicore Labs, FritzFrog has been observed in multiple campaigns targeting academic institutions, healthcare organizations, and government entities, including a 2021 wave that infected over 500 SSH servers in the U.S., Europe, and Asia. No specific CVEs are exploited; instead, it relies on weak SSH passwords. In 2022, Guardicore reported that the botnet continued to evolve with updated credential lists and improved P2P resilience, though no law enforcement actions have been publicly disclosed.

🔍 Detection Indicators

Network IOCs include anomalous SSH-related traffic on high-numbered UDP ports (often in the range 10000–65535) and the presence of hardcoded user-agent strings such as "libssh-0.9.0" or "libssh2-1.9.0" during brute-force attempts. File hashes for the initial payload are rarely static because of memory-only execution, but the injected shared object file (libfr.so) has been linked to SHA256 hashes such as a7d1f5e0c6b2a3f4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7 (example from Guardicore report). Behavioral signatures include multiple SSH login failures from diverse IPs followed by a single successful authentication, and the creation of a new authorized_keys entry containing a unique 2048-bit RSA public key.
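A log-based check for the behavioral signature just described (a spray of failed logins for one account from several source IPs, followed by a successful password login), added here as an example; it is not code from the Guardicore report or from Boteraser, and the sshd log lines, host names, IP addresses and thresholds are constructed for illustration:

```python
import re
from collections import defaultdict

# Constructed sshd auth-log sample (not real traffic); the last line is a benign key login.
SAMPLE_AUTH_LOG = """\
Aug 20 10:01:02 web1 sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Aug 20 10:01:04 web1 sshd[1202]: Failed password for root from 198.51.100.7 port 40021 ssh2
Aug 20 10:01:05 web1 sshd[1203]: Failed password for root from 192.0.2.44 port 33012 ssh2
Aug 20 10:01:07 web1 sshd[1204]: Failed password for root from 203.0.113.5 port 51240 ssh2
Aug 20 10:01:09 web1 sshd[1205]: Failed password for admin from 192.0.2.44 port 33020 ssh2
Aug 20 10:01:12 web1 sshd[1206]: Accepted password for root from 198.51.100.7 port 40030 ssh2
Aug 20 10:02:00 web1 sshd[1210]: Accepted publickey for deploy from 10.0.0.8 port 50001 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def detect_spray_then_success(log_text, min_failures=3, min_sources=2):
    """Return one alert per account that accumulates at least min_failures
    failed logins from at least min_sources distinct IPs and is then
    successfully authenticated by password (key logins are ignored)."""
    failures = defaultdict(list)   # user -> list of source IPs that failed
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        user, ip = m["user"], m["ip"]
        if m["result"] == "Failed":
            failures[user].append(ip)
        elif m["method"] == "password":
            sources = set(failures[user])
            if len(failures[user]) >= min_failures and len(sources) >= min_sources:
                alerts.append({"user": user, "success_from": ip,
                               "failures": len(failures[user]),
                               "sources": sorted(sources)})
            failures[user].clear()   # a success closes the window for this account
    return alerts
```

In a real deployment the window should also be bounded by time, and an alert should be followed by a review of the account's authorized_keys file for entries that were not provisioned.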

☠️ Risk & Impact

FritzFrog poses a high risk by providing attackers with persistent backdoor access to compromised SSH servers, enabling lateral movement, data exfiltration, and potential use as a proxy for further attacks. Affected sectors include education, healthcare, and governments, with financial losses stemming from remediation costs and service disruption; Guardicore estimated that thousands of servers worldwide have been infected at various times.

🛡️ Mitigation

Mitigation measures include enforcing strong SSH passwords or public-key authentication, disabling password-based SSH login, restricting access to port 22 with IP allowlists, and implementing detection rules that alert on multiple failed SSH attempts from diverse sources (e.g., using fail2ban or intrusion detection systems like Snort with Guardicore’s published signatures). Regular patching and network segmentation further reduce exposure.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information are the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.