top of page

The FritzFrog botnet targets SSH servers, data center servers, and routers.

For more than two years, the FritzFrog botnet has been actively targeting various computers. Researchers has recently discovered a new version with a unique feature that uses the Tor proxy chain.

This botnet has been targeting the following industries, as well as an unprotected SSH server:

  • Education systems

  • Governmental systems

  • Systems of health care

This virus was built in Golang, and it was discovered in August 2020. Not only that, but this malware is regarded one of the most complex and sophisticated threats.

Ø FritzFrog is the next-generation botnet.

FritzFrog is regarded as a next-generation botnet, and it has been noted for the mix of qualities that distinguish it, which is why we have included the properties below:

  • Constantly updated: All target and breached machine databases are shared in real - time basis.

  • Aggressive: Brute force is based on a large dictionary; so, DDG, a P2P botnet, has been detected, and it only utilises the login "root."

  • Efficient: All targets are distributed evenly among nodes.

  • The P2P protocol is completely proprietary, and it does not rely on any known P2P protocols like TP.

Ø New skills in the second wave

Apart from that, global sensor networks have recorded almost 24000 attacks, and the botnet's operators have claimed to have put out a total of 1500 attacks.

The majority of the attacks occurred in China, but it also attacked the European tv network, Russian healthcare, and a lot of other East Asian colleges.

The threat actors in this case employed filtering lists to avoid low-powered devices such as Raspberry Pi boards.

Ø Capabilities

This new version has a unique feature, and it's written in Golang, making it sophisticated malware. While this virus is packaged with UPX, it has four processes in total:

  • ifconfig

  • nginx

  • apache2

  • php-fpm

The infection is often run in a single process at a time. FritzFrog is one of the most sophisticated and advanced botnets since it is updated on a regular basis, and it is sometimes updated multiple times each day.


Administrators of data centre servers, routers, and cloud instances must be alert, as the FritzFrog hunts after every device that reveals an SSH server.

Ø listed the main signs of FritzFrog executing on a system:

  • nginx, ifconfig, php-fpm, apache2, or libexec are running processes whose executable file no longer exists on the file system.

  • On port 1234, listening.

  • TCP traffic over port 5555 denotes Monero pool network traffic.

Additionally, the cybersecurity experts have made several recommendations, which we have listed below:

  • Allow system login auditing with a warning every time.

  • On Linux, keep a watch on the authorized host’s file.

  • Always configure an explicit SSH login allow list.

  • Always allow root SSH access.

  • Allow cloud-based DNS protection, even if risks and non-essential business programmes like currency mining are blocked.

6 views0 comments
bottom of page