New FritzFrog peer-to-peer multi-threaded and fileless botnet targets SSH servers


Researchers discover new malware called FritzFrog, a peer-to-peer botnet that targets Secure Shell servers by creating a backdoor

Security researchers from Guardicore have discovered a new peer-to-peer botnet that specifically targets Secure Shell servers for infection. The Guardicore researchers found the unique P2P botnet infection in January 2020 and analyzed it.

The FritzFrog P2P botnet is written in Google’s Go (aka Golang) open-source programming language. Guardicore found that the FritzFrog malware was doubly dangerous as it is multi-threaded and fileless. The botnet doesn’t leave any trace on the disks of the machines it infects.

FritzFrog enters the Secure Shell servers by creating a backdoor in the form of an SSH public key. This not only implants the malware but also provides the malware authors with ongoing access to victim machines.

Guardicore researchers found that FritzFrog targets government organizations, education, and finance industries. Guardicore estimates that FritzFrog has infected nearly 500 servers including a railway company and universities in the United States and Europe.

Graph showing the number of FritzFrog attacks on Guardicore Global Sensors Network

FritzFrog has attempted to brute force and propagate to tens of millions of IP addresses of governmental offices, educational institutions, medical centers, banks and numerous telecom companies.


The botnet is considered to be sophisticated because its peer-to-peer (P2P) implementation was written from scratch and is completely proprietary. Guardicore researchers believe the botnet was created by “highly professional software developers.” The researchers found that FritzFrog botnet uses a rather loose and decentralized infrastructure to distribute control among all its nodes.

In this network with no single point-of-failure, peers constantly communicate with each other to keep the network alive, resilient and up-to-date. P2P communication is done over an encrypted channel, using AES for symmetric encryption and the Diffie-Hellman protocol for key exchange.


Guardicore researchers tried to intercept FritzFrog’s P2P communication with its command and control server but they failed to pin it down. For this purpose, they developed an app in the same Golang programming language as FritzFrog. “While we are unable to attribute the FritzFrog botnet to a specific group, we have found some resemblance to a previously-seen P2P botnet named Rakos,” wrote researchers.

Guardicore researchers recommend using strong passwords, as they found that weak passwords were the immediate enabler of FritzFrog’s attacks. They also recommend using public-key authentication. In addition, it is crucial to remove FritzFrog’s public key from the authorized_keys file, preventing the attackers from accessing the machine. Routers and IoT devices often expose SSH and are thus vulnerable to FritzFrog; consider changing their SSH port or completely disabling SSH access to them if the service is not in use.
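One way to find a planted key in authorized_keys, shown here as an added example that is not from Guardicore or the original article: since the article does not reproduce FritzFrog's key, the check flags every entry whose fingerprint is not on an approved list. The function names, the `APPROVED` set and the sample entries are assumptions constructed for illustration.

```python
import base64, binascii, hashlib, struct
# Prefixes of the key type names OpenSSH accepts in authorized_keys.
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")

def fingerprint(blob):
    """SHA256 fingerprint in the form printed by `ssh-keygen -lf`."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_key(line):
    """Return (key_type, blob, comment) for one entry, or None."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if not field.startswith(KEY_TYPES):
            continue
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
        except (binascii.Error, ValueError):
            continue
        # The blob begins with a length-prefixed copy of the key type name;
        # checking it avoids mistaking text inside an options field for a key.
        name = field.encode()
        if blob[:4] == struct.pack(">I", len(name)) and blob[4:4 + len(name)] == name:
            return field, blob, " ".join(fields[i + 2:])
    return None

def audit(text, approved):
    """List (line_no, key_type, fingerprint, comment) for unapproved entries."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key_type, blob, comment = parse_key(line) or ("unparseable", b"", line[:40])
        fp = fingerprint(blob) if blob else ""
        if fp not in approved:
            findings.append((no, key_type, fp, comment))
    return findings

# Constructed sample: two ed25519-shaped blobs with filler bytes, not real keys.
ADMIN, UNKNOWN = (struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32)
                  + bytes([n]) * 32 for n in (1, 2))
SAMPLE = ("ssh-ed25519 %s admin@example\n" % base64.b64encode(ADMIN).decode()
          + 'command="echo ssh-ed25519 x" ssh-ed25519 %s unlabeled\n' % base64.b64encode(UNKNOWN).decode())
APPROVED = {fingerprint(ADMIN)}

if __name__ == "__main__":
    for finding in audit(SAMPLE, APPROVED):
        print("unapproved entry, line %d: %s %s %s" % finding)
```

To use it on a host, pass the contents of each account's authorized_keys file as `text` and the fingerprints of the keys you issued as `approved`.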

