Botnet

A new peer-to-peer botnet named Panchan appeared in the wild around March 2022,  targeting Linux servers in the education sector to mine cryptocurrency.

Panchan is empowered with SSH worm functions like dictionary attacks and SSH key abuse to perform rapid lateral movement to available machines in the compromised network.

At the same time, it has powerful detection avoidance capabilities, such as using memory-mapped miners and dynamically detecting process monitoring to stop the mining module immediately.

According to Akamai, whose analysts spotted the novel threat and analyzed it in a report shared with Bleeping Computer, the threat actor behind this new project is most likely Japanese.

The Panchan operation

Panchan was written in Golang, a versatile programming language that makes it easier to target different system architectures.

It infects new hosts by locating and using existing SSH keys or brute-forcing usernames and passwords. After success at this stage, it creates a hidden folder to hide itself inside under the name "xinetd."

Finally, the malware executes the binary and initiates an HTTPS POST operation to a Discord webhook, which is likely used for monitoring the victim.

To establish persistence, the malware copies itself to "/bin/systemd-worker" and creates a new systemd service to launch after reboot while masquerading as a legitimate system service.

Communication between the botnet and the C2 isn't encrypted and uses TCP port 1919. The configurations sent to the malware concern either the miner configuration or updating the peer list.

The malware also features a "godmode," an admin panel that can be accessed using a private key only the adversaries possess.

Akamai modified the program to remove this security measure and found that the admin panel features a configuration overview, host status, peer stats, and miner settings, while it also gives operators updating options.

Admin panel greeting with current configuration
Admin panel greeting with current configuration (Akamai)

The miner binaries, xmrig and nbhash, are file-less, decoded from their base64 form and executed during runtime in memory, so they never touch the disk.

Panchan uses NiceHash for its mining pools and wallets, so Akamai's analysts couldn't trace transactions or estimate the size of the mining operation, profit, etc., since they're not on a public blockchain.

The malware also features an anti-kill system that detects process termination signals and ignores them unless it's SIGKILL which isn't handled.

Targets and impact

Akamai reverse-engineered the malware to map it and found 209 compromised systems, 40 of which are currently active.

Panchan peers (victims) heatmap
Panchan peers/victims heat map (Akamai)

Most of the victims are in the education sector, probably because it matches Panchan's spreading methods and makes its rapid growth easier.

Poor password hygiene and excessive SSH key sharing to accommodate international academic research collaborations create the ideal conditions for the botnet to proliferate.

This hypothesis is further backed by findings of infected clusters of universities in Spain, Taiwan, and Hong Kong.

The impact relates to resource hijacking, which in educational institutes might impede research work or interfere with the provision of various public-facing services.

To prevent these types of attacks, Akamai suggests that potential targets use complex passwords, add MFA on all accounts, limit SSH access, and constantly monitor VM resource activity.

Related Articles:

Cisco warns of password-spraying attacks targeting VPN services

Hackers exploit Ray framework flaw to breach servers, hijack resources

TheMoon malware infects 6,000 ASUS routers in 72 hours for proxy service

New SSH-Snake malware steals SSH keys to spread across the network

New Migo malware disables protection features on Redis servers