Botnets, as Botconf’s participants know very well, vary significantly: their goals differ, and so do their TTPs and implementations. Nonetheless, most of them share one property, a connection to a remote attack server. A great deal can therefore be learned about a botnet by looking at its command-and-control (C2) communication. Once a C2 server is found, a researcher can learn where the attack infrastructure is hosted, what malware is downloaded onto infected machines and, with enough luck, track down the threat actor.
When we first discovered Fritzfrog in our sensor network, we thought it was yet another cryptomining botnet. As part of our research routine, we kept looking for its C2 servers. It took us quite some time to understand that we were never going to find them, simply because they did not exist: Fritzfrog was a peer-to-peer (P2P) botnet.
In a P2P botnet there is no centralized attack server. Control is distributed among the infected machines, or “nodes”, and each node maintains a list of peers it can communicate with. Peers exchange attack targets, deploy binaries on each other, run scripts remotely, push and pull logs from each other, and so on.
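To make the difference concrete, the following is an added illustration written for this page; it is not Fritzfrog's code and does not reproduce its protocol. It models two toy topologies, a star in which every bot talks only to one C2 host, and a mesh in which every bot keeps a small peer list and relays commands by flooding, and then measures how many live bots still receive a command after a given set of hosts is taken down. The host names (`c2.example`, `bot00`…`bot19`), the peer-list shape and the command flow are all constructed for the example.

```python
"""Added illustration: why C2 hunting fails against a P2P botnet.

Constructed for this page; not Fritzfrog's code or protocol. All host names,
peer lists and takedown sets below are made up for the example.
"""
from collections import deque

# Constructed population of infected hosts.
BOTS = [f"bot{i:02d}" for i in range(20)]
C2 = "c2.example"


def build_centralized(bot_ids, c2=C2):
    """Star topology: each bot's only peer is the C2 host, and the C2 knows every bot."""
    peers = {c2: set(bot_ids)}
    for b in bot_ids:
        peers[b] = {c2}
    return peers


def build_p2p(bot_ids, degree=3):
    """Mesh topology: bot i keeps links to the next `degree` bots (mod n); links are
    undirected, so every bot ends up with roughly 2*degree peers and no node is special."""
    n = len(bot_ids)
    peers = {b: set() for b in bot_ids}
    for i, b in enumerate(bot_ids):
        for k in range(1, degree + 1):
            other = bot_ids[(i + k) % n]
            peers[b].add(other)
            peers[other].add(b)
    return peers


def reachable(peers, origin, down=frozenset()):
    """Hosts that receive a command issued at `origin`, assuming each host relays it to
    every peer it can still reach (breadth-first flood) while the hosts in `down` are offline."""
    if origin in down or origin not in peers:
        return set()
    seen = {origin}
    queue = deque([origin])
    while queue:
        cur = queue.popleft()
        for p in peers[cur]:
            if p not in down and p not in seen:
                seen.add(p)
                queue.append(p)
    return seen


def delivered_fraction(peers, origin, bot_ids, down=frozenset()):
    """Fraction of still-online bots that receive a command issued at `origin`."""
    live = [b for b in bot_ids if b not in down]
    if not live:
        return 0.0
    got = reachable(peers, origin, down)
    return sum(1 for b in live if b in got) / len(live)


def takedown_experiment():
    """Compare what a single takedown buys a defender in each topology."""
    star = build_centralized(BOTS)
    mesh = build_p2p(BOTS)
    return {
        # Seizing the C2 host silences the whole star.
        "star_after_c2_seized": delivered_fraction(star, C2, BOTS, down={C2}),
        # Knocking out three mesh nodes changes nothing: the operator issues from any survivor.
        "mesh_after_3_down": delivered_fraction(
            mesh, "bot05", BOTS, down={"bot00", "bot01", "bot02"}),
        # Only removing two separate blocks of consecutive peers fragments this mesh,
        # and even then half of the surviving bots still get the command.
        "mesh_after_2_blocks_down": delivered_fraction(
            mesh, "bot05", BOTS,
            down={"bot00", "bot01", "bot02", "bot10", "bot11", "bot12"}),
    }


if __name__ == "__main__":
    for name, frac in takedown_experiment().items():
        print(f"{name}: {frac:.2f} of live bots reached")
```

The numbers are specific to this toy mesh (a ring with three forward chords per node), but the shape of the result is what the text describes: in the star there is one host whose removal ends the botnet, while in the mesh a takedown only ever fragments it, and any surviving node can take over as the origin of new commands.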
The concept of P2P botnets is not new; however, building one requires strong design and implementation skills, which is why they have mostly been seen in the hands of state-sponsored and APT groups. Fritzfrog demonstrates that this is no longer the case: P2P botnets are now used by common criminals to obtain the cryptomining power and access they have always pursued.