Akamai security researchers discovered a new Golang-based P2P Botnet, tracked as Panchan, that is targeting Linux servers that has been active since March 2022.
Panchan uses basic SSH dictionary attack to implement wormable behavior, it also harvests SSH keys and uses them for lateral movement.
The bot uses “its built-in concurrency features to maximize spreadability and execute malware modules.”
The botnet is engaged in cryptomining activity, the malicious code has been designed to hijack the computer’s resources to mine cryptocurrencies. The bot was observed using XMRig and nbhash miners that aren’t extracted to the disk to avoid detection.
“The malware deploys two miners — xmrig and nbhash. Both miner binaries come base64-encoded inside the malware binary itself and are extracted and executed during runtime. There is some novelty to the execution, however, as the miners aren’t extracted to the disk at all.” reads the analysis published by the experts. “To avoid detection and reduce traceability, the malware drops its cryptominers as memory-mapped files, without any disk presence. It also kills the cryptominer processes if it detects any process monitoring.”
The researchers observed the malware implementing a “godmode,” an admin panel that operators use to edit the mining configuration, which is then distributed to all the nodes of botnet. Threat actors were observed using a private key to access godmode in order to prevent unwanted tampering,
The bot contains a public key associated with the above private key and is used to authenticate connections. The admin panel is written in Japanese, a circumstance that suggests the threat actors is likely of Japanese origin.
The experts performed reverse-engineering of the bot, they were also able to develop a script to map the botnet and extract the full list of infected machines. At the time of the analysis, the researchers discovered 209 peers, 40 of which are currently active.
Most of the infections are in Asia (64), followed by Europe (52), North America (45), South America (11), Africa (1), and Oceania (1).
Once infected a system, the bot starts an HTTPS POST operation to a Discord webhook, which operators likely use for victim monitoring.
In order to achieve persistence, the malware copies itself to /bin/systemd-worker and creates a systemd service with the same name. Experts pointed out that operators are likely mimicking legitimate systemd services to avoid detections.
The report also includes a detailed description of the bot reversing activity.
Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.
Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)
To nominate, please visit: