A recent Golang-based peer-to-peer (P2P) botnet has been targeting Linux servers in the education sector since it emerged in March 2022.
Akamai Security Research calls the malware Panchan and says that the malware “utilizes its built-in concurrency features to maximize spreadability and execute malware modules” and “harvests SSH keys to perform lateral movement.”
The feature-packed botnet relies on a basic list of default SSH passwords to execute a dictionary attack and expand its reach. The botnet functions as a cryptojacker, hijacking a compromised machine’s resources to mine cryptocurrency.
The cybersecurity and cloud service company noted it first spotted Panchan’s activity on March 19, 2022, and attributed the malware to a likely Japanese threat actor based on the language used in the administrative panel baked into the binary to edit the mining configuration.
Panchan is known to deploy and execute two miners, XMRig and nbhash, on the host during runtime, the novelty being that the miners aren’t extracted to the disk to avoid leaving a forensic trail.
“To avoid detection and reduce traceability, the malware drops its cryptominers as memory-mapped files, without any disk presence,” the researchers said. “It also kills the cryptominer processes if it detects any process monitoring.”
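The memory-mapped, disk-less miner behaviour described above leaves a trace in `/proc/<pid>/maps`: executable segments backed by `memfd:` pseudo-files or by files that were unlinked after being mapped. The following detection helper is an added example, not Akamai’s code or anything recovered from Panchan; the sample maps content is constructed, and the miner names in it are taken from the article, not from a real capture.

```python
import os
import re

# Constructed sample of /proc/<pid>/maps output (not a real capture).
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:01 1310720 /usr/bin/example
7f1a00000000-7f1a00200000 r-xp 00000000 00:05 12345 /memfd:xmrig (deleted)
7f1a00200000-7f1a00220000 rw-p 00200000 00:05 12345 /memfd:xmrig (deleted)
7f1b00000000-7f1b00030000 r-xp 00000000 08:01 9999 /tmp/.nbhash (deleted)
7ffd1e000000-7ffd1e021000 rw-p 00000000 00:00 0 [stack]
"""

# address perms offset dev inode [pathname]
MAPS_RE = re.compile(r"^(\S+)\s+(\S{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")


def suspicious_mappings(maps_text):
    """Return executable mappings whose backing object has no on-disk presence:
    memfd-backed segments, or files unlinked after they were mapped."""
    findings = []
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            continue
        addr, perms, path = m.groups()
        if "x" not in perms or not path:
            continue  # only executable, file-backed segments matter here
        if path.startswith("/memfd:") or path.endswith("(deleted)"):
            findings.append((addr, perms, path))
    return findings


def scan_procfs(proc="/proc"):
    """Walk live processes and map pid -> suspicious executable mappings."""
    report = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, "maps")) as f:
                hits = suspicious_mappings(f.read())
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue  # process exited or is not readable by this user
        if hits:
            report[int(entry)] = hits
    return report


if __name__ == "__main__":
    for pid, hits in scan_procfs().items():
        for addr, perms, path in hits:
            print(f"pid {pid}: {addr} {perms} {path}")
```

The `(deleted)` heuristic also fires on legitimate cases such as binaries or libraries upgraded while a process was running, so treat hits as triage input to correlate with CPU usage and network destinations rather than as a verdict on their own.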
Of the 209 infected peers detected so far, 40 are said to be currently active. Most of the compromised machines are located in Asia (64), followed by Europe (52), North America (45), South America (11), Africa (1), and Oceania (1).
An interesting clue as to the malware’s origins is the result of an OPSEC failure on the part of the threat actor, revealing the link to a Discord server that’s displayed in the “godmode” admin panel.
“The main chat was empty except a greeting of another member that occurred in March,” the researchers said. “It could be that other chats are only available to higher privileged members of the server.”