Home Malware Programs Botnets FritzFrog


Posted: August 20, 2020

FritzFrog is a newly discovered botnet that also exhibits worm-like behavior. Cybersecurity experts believe that FritzFrog's activity was started in January 2020, and the malware has managed to spread across a large number of networks in various sectors, including government, education, and finance quickly. According to malware analysts, the FritzFrog is a very advanced project that employs a myriad of advanced techniques that allow it to operate in fileless mode, as well as to distribute tasks between enslaved computers equally. Another notable feature of the FritzFrog botnet is that it has the ability to operate with a Command and Control server – instead, the enslaved systems communicate and exchange data between themselves. As we already mentioned, the FritzFrog operates through the infected system's volatile memory, so it takes some steps to ensure that it will not deliver a complete corrupted file to the newly infected system – instead, it delivers a collection of Binary Large Object (BLOB) files that are loaded in the computer's memory consequentially.

The FritzFrog Botnet Relies on Brute-force Attacks to Infect More Devices

The attacks are executed by brute-forcing SSH services exposed to the Internet. It is likely that the attackers are able to penetrate SSH services that use weak or default login credentials. Every infected system is able to receive a list of IP addresses running SSH, and then use a separate cracking module to try and brute-force their password. This enables FritzFrog to grow exponentially by becoming more and more efficient with its attack the larger it becomes.

The active FritzFrog payload has its functionality spread among several separate threads that handle different tasks:

  • Cracker – The designated task of this thread is to brute-force SSH passwords.
  • DeployMgmt – It transfers the BLOBs to systems that have been breached successfully.
  • Owned – Registers the infected system with the peer-to-peer network that FritzFrog uses. 
  • Antivir – It looks for CPU-intensive processes and terminates them. This thread focuses on looking for processes related to XMR/Monero mining.
  • Libexec – A mining module that mines for the Monero cryptocurrency.

It is estimated that the FritzFrog botnet has already tried to brute-force the SSH servers of millions of networks, and this number is likely to continue to grow rapidly unless the operation is terminated. Malware is evolving constantly, and companies and users worldwide need to take the required security measures to keep their networks safe from harmful intruders.

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to FritzFrog may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.

Download SpyHunter's Malware Scanner*

* See Free Trial offer below. EULA and Privacy/Cookie Policy.

Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.