New botnet and cryptominer Panchan attacking Linux servers

Panchan is going after telecom and education providers using novel and unique methods to thwart defenses and escalate privileges.

Virus malware detected on PC concept, viruses attack warning signs, hacking alert messages with small people vector flat illustration, suitable for background, advertising illustration
Image: lartestudio/Adobe Stock

Akamai Security Research announced on Wednesday it has uncovered a new botnet attacking the Linux servers of telecom and education providers in Asia, Europe and the Americas. The botnet and cryptominer, called Panchan, first emerged from Japan in March 2022.

“We assume collaborations between different academic institutes might cause SSH keys to be shared across networks, which may explain why this vertical tops the list,” the report said.

Panchan is written in the Go programming language and utilizes Go’s concurrency features to maximize its spread and execute payloads.

SEE: Mobile device security policy (TechRepublic Premium)

In addition to the basic SSH dictionary attack that is commonplace in most worms, Panchan is unique in that it harvests SSH keys to perform lateral movement, Akamai said.

“Instead of just using brute force or dictionary attacks on randomized IP addresses like most botnets do, the malware also reads the id_rsa and known_hosts files to harvest existing credentials and use them to move laterally across the network,” the report said.

Specifically, Panchan looks at the host machine’s running user HOME directory for SSH configuration and keys. It reads the private key under ~HOME/.ssh/id_rsa and uses it to attempt to authenticate to any IP address found under ~HOME/.ssh/known_hosts.

The botnet also uses a “godmode” communication and admin panel that Akamai researchers reverse-engineered to examine the malware’s effectiveness and spread.

“This is probably the most unique feature in the malware,” the report said. “It has an administrative panel, built directly into the malware’s binary. To launch it, we need to pass the malware the string godmode as the first command line argument (followed by a peer list).”

To avoid detection and reduce traceability, the Panchan downloads its cryptominers as memory-mapped files, without any disk presence. According to Microsoft, Memory-mapped files contain the contents of a file in virtual memory. If Panchan detects any process monitoring, it kills the cryptominer processes.

Similar attacks increasing

Botnet DDoS attacks are on the rise and becoming hard to stop, according to a new report from Nokia.

Content delivery network and business services provider Cloudflare announced Tuesday it recently stopped the largest HTTPS DDoS attack on record. The attack generated more than 212 million HTTPS requests from over 1,500 networks in 121 countries coming from a botnet of 5,067 devices. At its peak, the bots generated over 26 million requests per second.

SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)

Panchan easy to stop

Even though it is using unique methods to infect and spread, Panchan is easy to stop, said Akamai. Multi-factor authentication can mitigate the risk SSH key harvesting presents. Because Panchan relies on a very basic list of default passwords to spread, using strong SSH passwords “should stop it in its tracks,” the report said.

Akamai also recommends users:

  • Use network segmentation where possible.
  • Monitor VMs resource activity for signs of botnet activity. Botnets such as Panchan, whose end goal is cryptojacking, can raise machine resource usage to abnormal levels. Constant monitoring can alert on suspicious activity.

Akamai also has published IoCs, queries, signatures and scripts that can be used to test for infection.

Roy Walsh

Related post