
Cryptojacking malware that installs XMR cryptocurrency mining app discovered

Mark Jason Alcala reporter

Fri, 21 Aug 2020, 07:11 am UTC

FritzFrog is a cryptojacking malware that installs XMRig, a cryptocurrency mining app that mines Monero (XMR).

Wikimedia Commons

A cryptojacking malware that has affected millions of IP addresses has been discovered by Guardicore Labs. Known as FritzFrog, the malware targeted government facilities, hospitals, universities, and financial institutions.

“Guardicore has discovered FritzFrog, a sophisticated peer-to-peer (P2P) botnet which has been actively breaching SSH servers since January 2020,” Guardicore said in a post.

The malware seems bent on targeting government, education, healthcare, telecom, and finance-related networks. Once a target is infected, the malware installs XMRig on it, a cryptocurrency mining app that mines Monero (XMR), according to Cointelegraph.

“FritzFrog has attempted to brute force and propagate to tens of millions of IP addresses of governmental offices, educational institutions, medical centers, banks, and numerous telecom companies,” Guardicore noted. A brute force attack is where an attacker submits numerous passwords or passphrases until eventually guessing the correct one.

According to the Tel-Aviv-based data center and cloud security firm, the cryptojacking malware has already infected hundreds of servers on both sides of the Atlantic. “Among those, it has successfully breached more than 500 servers, infecting well-known universities in the U.S. and Europe, and a railway company,” Guardicore said.

Guardicore said that the malware is very stealthy and difficult to detect. “Unlike other P2P botnets, FritzFrog combines a set of properties that makes it unique: it is fileless, as it assembles and executes payloads in-memory,” the firm noted, adding that it “is completely volatile and leaves no traces on the disk. It creates a backdoor in the form of an SSH public key, enabling the attackers ongoing access to victim machines.”

What is known is that it is written in Golang. At the moment, there are already 20 different versions of the cryptojacking malware.

The security firm said that the malware is likely one of a kind and written by experts. “FritzFrog is completely proprietary; its P2P implementation was written from scratch, teaching us that the attackers are highly professional software developers,” Guardicore added.

The security firm offered a few recommendations to help guard against the malware. “We recommend choosing strong passwords and using public-key authentication, which is much safer,” Guardicore said. “In addition, it is crucial to remove FritzFrog’s public key from the authorized_keys file, preventing the attackers from accessing the machine.”
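One way to act on the authorized_keys recommendation is to audit every entry against an allowlist of fingerprints the administrator recognises. The sketch below is an added example, not code from Guardicore or from this article; the function names, sample keys and allowlist are constructed for illustration, and the article does not give the FritzFrog key itself.

```python
import base64, hashlib, re, struct

KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")
# Tokens are runs of non-space text; double-quoted option values stay in one token.
TOKEN = re.compile(r'(?:"(?:\\.|[^"\\])*"|[^\s"])+')

def fingerprint(blob_b64):
    """SHA256 fingerprint in the format `ssh-keygen -lf` prints."""
    raw = base64.b64decode(blob_b64, validate=True)
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")

def audit(text, allowed):
    """Return (line_no, fingerprint or 'unparseable', comment) for keys not in `allowed`."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        toks = TOKEN.findall(line.strip())
        if not toks or toks[0].startswith("#"):
            continue
        i = 0 if toks[0].startswith(KEY_PREFIXES) else 1  # options field is optional
        try:
            if len(toks) < i + 2 or not toks[i].startswith(KEY_PREFIXES):
                raise ValueError("no key field")
            fp = fingerprint(toks[i + 1])
        except ValueError:  # binascii.Error is a ValueError subclass
            findings.append((no, "unparseable", line.strip()))
            continue
        if fp not in allowed:
            findings.append((no, fp, " ".join(toks[i + 2:])))
    return findings

def _sample_key(seed):
    # Constructed ed25519-shaped blob (type string + 32 bytes); not a real key.
    raw = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + hashlib.sha256(seed).digest()
    return base64.b64encode(raw).decode()

ADMIN, BACKUP, UNKNOWN = (_sample_key(s) for s in (b"admin", b"backup", b"unknown"))
SAMPLE = f"""# constructed authorized_keys content
ssh-ed25519 {ADMIN} admin@workstation
command="/usr/local/bin/backup --all",no-pty ssh-ed25519 {BACKUP} backup job
ssh-ed25519 {UNKNOWN}
ssh-rsa not*base64 broken entry
"""
ALLOWED = {fingerprint(ADMIN), fingerprint(BACKUP)}  # fingerprints the admin recognises

if __name__ == "__main__":
    for finding in audit(SAMPLE, ALLOWED):
        print(finding)
```

Run it against each account's authorized_keys content; any entry it reports is a key nobody has vouched for and should be reviewed before removal.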

TokenPost | [email protected]

<Copyright ⓒ TokenPost, unauthorized reproduction and redistribution prohibited>
