A sophisticated botnet named FritzFrog has returned after a long break with new capabilities, and researchers believe it may be linked to Chinese threat actors. FritzFrog is a Golang-based malware that can be compiled to run on various architectures and it operates completely in memory. The FritzFrog botnet uses a proprietary peer-to-peer (P2P) architecture for command and control (C&C) communications.
FritzFrog has targeted SSH servers, using a simple brute-force technique to obtain their credentials; once it has established an SSH session, it drops the malware binary and executes it.
The malware then waits for commands from its operators, including for transferring files, running scripts and binary payloads, deploying a cryptocurrency miner, and eliminating other miners from the compromised system. It also starts scanning IP addresses to spread further.
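The brute-force entry path described above leaves a recognisable trace in SSH authentication logs: a burst of failed password attempts from one source followed by an accepted login from the same source. The following is an added detection example, not code from the article or from the FritzFrog researchers; the `auth.log` lines it parses are constructed samples, the source addresses are documentation ranges, and the threshold of five failures is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample auth.log excerpt (not from the article or any real host).
# 203.0.113.7 fails five times and then succeeds; 198.51.100.9 fails once and
# then logs in with a key; 192.0.2.44 logs in cleanly.
SAMPLE_AUTH_LOG = """\
Jan 10 03:14:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 51000 ssh2
Jan 10 03:14:02 host sshd[2102]: Failed password for root from 203.0.113.7 port 51002 ssh2
Jan 10 03:14:03 host sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51004 ssh2
Jan 10 03:14:04 host sshd[2104]: Failed password for root from 203.0.113.7 port 51006 ssh2
Jan 10 03:14:05 host sshd[2105]: Failed password for root from 203.0.113.7 port 51008 ssh2
Jan 10 03:14:06 host sshd[2106]: Accepted password for root from 203.0.113.7 port 51010 ssh2
Jan 10 03:20:00 host sshd[2200]: Failed password for alice from 198.51.100.9 port 40000 ssh2
Jan 10 03:20:05 host sshd[2201]: Accepted publickey for alice from 198.51.100.9 port 40002 ssh2
Jan 10 03:25:00 host sshd[2300]: Accepted password for bob from 192.0.2.44 port 33000 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" form.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def detect_bruteforce_logins(log_text, threshold=5):
    """Flag successful logins preceded by a run of failures from the same source.

    Returns a list of (source_ip, user, failures_before_success, usernames_tried).
    The failure counter per source resets on any accepted login, so each alert
    covers one brute-force run. Ordering follows the log, not a time window.
    """
    failures = defaultdict(int)          # source ip -> consecutive failed attempts
    users_tried = defaultdict(set)       # source ip -> usernames seen in failures
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                     # not an auth result line; ignore
        ip = m.group("ip")
        if m.group("result") == "Failed":
            failures[ip] += 1
            users_tried[ip].add(m.group("user"))
            continue
        # Accepted login: raise an alert only if enough failures preceded it.
        if failures[ip] >= threshold:
            alerts.append((ip, m.group("user"), failures[ip], sorted(users_tried[ip])))
        failures[ip] = 0
        users_tried[ip].clear()
    return alerts


if __name__ == "__main__":
    for ip, user, n, tried in detect_bruteforce_logins(SAMPLE_AUTH_LOG):
        print(f"ALERT {ip}: '{user}' accepted after {n} failures (tried {tried})")
```

Only the first source trips the detector; a single typo from a legitimate user stays below the threshold. In a real deployment the counter would be bounded by a time window and the alert enriched with what the new session did next (file transfers, spawned scripts, new outbound connections), since those post-access steps are where the behaviour described in the article becomes visible.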