
New botnet and cryptominer Panchan attacks Linux servers

Panchan is targeting telecommunications and education providers, using new and unusual methods to evade defenses and escalate privileges.

Image: lartestudio/Adobe Stock

Akamai Security Research announced on Wednesday that it discovered a new botnet attacking the Linux servers of telecommunications and education providers in Asia, Europe and the Americas. The botnet and cryptominer, called Panchan, first appeared in Japan in March 2022.

“We speculate that collaborations between different academic institutes could result in SSH keys being shared across networks, which may explain why this vertical tops the list,” the report says.

Panchan is written in the Go programming language and uses Go’s concurrency features to maximize its propagation and execute payloads.


In addition to the basic SSH dictionary attack that is common in most worms, Panchan is unique in that it harvests SSH keys to perform lateral movement, Akamai said.

“Instead of just using brute force or dictionary attacks on random IP addresses like most botnets do, the malware also reads id_rsa and known_hosts files to harvest existing credentials and use them to move laterally on the network,” the report said.

Specifically, Panchan examines the home directory of the user it is running as for SSH configuration and keys. It reads the private key at $HOME/.ssh/id_rsa and uses it to attempt to authenticate to every host listed in $HOME/.ssh/known_hosts.
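To see what this technique exposes on a given host, the following script (an added example, not Akamai's released tooling and not code from Panchan) reads the same two files and reports the lateral-movement targets a worm could lift from known_hosts and whether id_rsa is passphrase-protected, since an unencrypted key is usable as-is. Entries written with HashKnownHosts enabled begin with |1| and do not reveal the host name, so the parser counts them but cannot turn them into targets. The sample known_hosts lines and the key blobs are constructed for offline use; the blobs carry only the leading header fields of the OpenSSH and PEM formats that the check inspects, not real key material.

```python
"""Enumerate what an SSH-key-harvesting worm could take from a user's ~/.ssh.

Added example, not Akamai's tooling and not Panchan code. It reads the two
files the report names, id_rsa and known_hosts, and reports the lateral-
movement targets readable from them and whether the private key can be
used without a passphrase.
"""
import base64
import os
import re
import struct

# Constructed sample known_hosts for offline demonstration.
SAMPLE_KNOWN_HOSTS = """\
# comment lines and blank lines are ignored
bastion.example.org,10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample
[git.example.org]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExample
|1|c2FsdHNhbHQ=|aGFzaGVkaG9zdA== ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample
@revoked 10.0.0.9 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExample
10.0.0.5 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExample
"""


def known_hosts_targets(text):
    """Return ([(host, port), ...], hashed_count) readable from known_hosts.

    Entries written with HashKnownHosts enabled start with '|1|' and do not
    reveal the host name, so they are counted but yield no target.
    """
    targets, hashed = [], 0
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):        # marker such as @cert-authority / @revoked
            fields = fields[1:]
        if len(fields) < 3:
            continue
        if fields[0].startswith("|1|"):
            hashed += 1
            continue
        for entry in fields[0].split(","):   # one line may list several names/addresses
            m = re.fullmatch(r"\[(.+)\]:(\d+)", entry)   # [host]:port form
            target = (m.group(1), int(m.group(2))) if m else (entry, 22)
            if target not in targets:
                targets.append(target)
    return targets, hashed


def private_key_is_encrypted(pem_text):
    """True if the private key needs a passphrase before it can be used.

    Handles the openssh-key-v1 container (cipher name 'none' means no
    passphrase), PKCS#8 'ENCRYPTED PRIVATE KEY', and legacy PEM keys, where
    encryption is signalled by a 'Proc-Type: 4,ENCRYPTED' header.
    """
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\x00"
        if not body.startswith(magic):
            raise ValueError("not an openssh-key-v1 blob")
        # first field after the magic is the SSH string 'ciphername'
        (n,) = struct.unpack(">I", body[len(magic):len(magic) + 4])
        ciphername = body[len(magic) + 4:len(magic) + 4 + n].decode()
        return ciphername != "none"
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return True
    return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines[1:])


def _openssh_container(ciphername, kdfname):
    """Constructed openssh-key-v1 header only (no key material): enough for the check."""
    def ssh_string(b):
        return struct.pack(">I", len(b)) + b
    body = b"openssh-key-v1\x00" + ssh_string(ciphername) + ssh_string(kdfname)
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + base64.b64encode(body).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


SAMPLE_KEY_PLAIN = _openssh_container(b"none", b"none")            # usable as-is
SAMPLE_KEY_ENCRYPTED = _openssh_container(b"aes256-ctr", b"bcrypt")  # needs passphrase


if __name__ == "__main__":
    # Run against the real files of the current user.
    ssh_dir = os.path.expanduser("~/.ssh")
    with open(os.path.join(ssh_dir, "known_hosts")) as f:
        targets, hashed = known_hosts_targets(f.read())
    print(f"{len(targets)} readable targets, {hashed} hashed entries:", targets)
    key_path = os.path.join(ssh_dir, "id_rsa")
    if os.path.exists(key_path):
        with open(key_path) as f:
            print("id_rsa passphrase-protected:", private_key_is_encrypted(f.read()))
```

A long list of readable targets next to an unencrypted id_rsa is exactly the condition the report describes; turning on HashKnownHosts and putting a passphrase on the key removes both halves of it for a reader as simple as this one.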

The botnet also uses a “godmode” communication and administration panel that Akamai researchers reverse-engineered to examine the malware’s effectiveness and spread.

“This is probably the most unique feature of the malware,” the report said. “It has an administration panel, built directly into the malware binary. To launch it, we need to pass the string godmode to the malware as the first command line argument (followed by a list of peers).”

To avoid detection and reduce traceability, Panchan downloads its cryptominers as memory-mapped files, leaving no copy on disk. (Memory-mapped files, as Microsoft's documentation describes them, hold the contents of a file in virtual memory.) If Panchan detects process monitoring, it kills the cryptomining processes.
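One way to look for a payload loaded this way, as an added example that is neither Akamai's published scripts nor anything from the malware: on Linux, code executing from a memory-mapped file that has no on-disk presence shows up in /proc/<pid>/maps as an executable mapping whose backing file is gone (marked "(deleted)"), lives on an in-memory file ("/memfd:..."), or has no path at all. The parser below is exercised here on a constructed maps excerpt; scan_proc() applies it to every readable process on a live host. Anonymous executable regions are also normal for JIT runtimes, so treat hits as leads to inspect, not verdicts.

```python
"""Flag executable memory mappings that are not backed by a file on disk.

Added example for detecting in-memory payloads on Linux; not Akamai's
released scripts and not Panchan code. Parses /proc/<pid>/maps lines.
"""
import os
import re
from dataclasses import dataclass

# /proc/<pid>/maps line: address range, perms, offset, dev, inode, optional path
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)"
    r"\s*(?P<path>.*)$"
)

# Constructed excerpt for offline demonstration: a normal bash text segment,
# two fileless executable regions, heap, an anonymous executable region, vdso.
SAMPLE_MAPS = """\
55d0c1a00000-55d0c1a21000 r-xp 00000000 fd:01 1234567 /usr/bin/bash
7f3b20000000-7f3b20400000 rwxp 00000000 00:01 98765 /memfd:x (deleted)
7f3b21000000-7f3b21010000 r-xp 00000000 fd:01 22222 /tmp/.miner (deleted)
7f3b22000000-7f3b22100000 rw-p 00000000 00:00 0 [heap]
7f3b23000000-7f3b23100000 r-xp 00000000 00:00 0
7ffd1c000000-7ffd1c002000 r-xp 00000000 00:00 0 [vdso]
"""


@dataclass(frozen=True)
class Mapping:
    start: int
    end: int
    perms: str
    inode: int
    path: str


def parse_maps(text):
    """Parse the text of a /proc/<pid>/maps file into Mapping records."""
    mappings = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue            # tolerate junk; a real maps file has no such lines
        mappings.append(Mapping(
            start=int(m["start"], 16),
            end=int(m["end"], 16),
            perms=m["perms"],
            inode=int(m["inode"]),
            path=m["path"].strip(),
        ))
    return mappings


def is_fileless_exec(m):
    """True for an executable region with no on-disk file behind it."""
    if "x" not in m.perms:
        return False
    if m.path.startswith("["):             # [heap], [stack], [vdso], [vsyscall]: kernel-provided
        return False
    return (m.path == ""                      # anonymous executable memory
            or m.path.startswith("/memfd:")   # memfd_create()-backed file
            or m.path.endswith("(deleted)"))  # backing file unlinked after mapping


def fileless_exec_mappings(text):
    """Suspicious mappings from one maps file's text."""
    return [m for m in parse_maps(text) if is_fileless_exec(m)]


def scan_proc(proc="/proc"):
    """Map pid -> suspicious mappings for every readable process on this host."""
    findings = {}
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc, name, "maps")) as f:
                hits = fileless_exec_mappings(f.read())
        except OSError:        # process exited, or not ours to read without root
            continue
        if hits:
            findings[int(name)] = hits
    return findings


if __name__ == "__main__":
    for pid, hits in sorted(scan_proc().items()):
        for m in hits:
            print(f"pid {pid}: {m.perms} {m.start:x}-{m.end:x} {m.path or '<anonymous>'}")
```

Run it as root to cover every process; a hit on a process that is also pegging a CPU core is worth pulling /proc/<pid>/exe and /proc/<pid>/cmdline for before it notices it is being watched.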

Similar attacks on the rise

Botnet DDoS attacks are on the rise and becoming difficult to stop, according to a new report from Nokia.

Content delivery network and business services provider Cloudflare announced on Tuesday that it recently stopped the largest HTTPS DDoS attack on record. The attack generated over 212 million HTTPS requests from over 1,500 networks in 121 countries from a botnet of 5,067 devices. At its peak, bots generated over 26 million requests per second.


Panchan easy to stop

Although it uses unusual methods to infect and spread, Panchan is easy to stop, Akamai said. Requiring multi-factor authentication for SSH logins mitigates the risk from harvested SSH keys. Because Panchan relies on a very basic list of default passwords to propagate, using strong SSH passwords “should stop it dead,” the report says.

Akamai also recommends that users:

  • Use network segmentation whenever possible.
  • Monitor virtual machine resource activity for signs of botnet activity. Botnets such as Panchan, whose end goal is cryptojacking, can increase machine resource usage to abnormal levels. Constant monitoring can alert to suspicious activity.

Akamai has also released IoCs, queries, signatures, and scripts that can be used to test for infection.