Wormable Panchan Peer-to-Peer Botnet Harvests Linux Server Keys

A peer-to-peer (P2P) botnet and worm called Panchan has been actively breaching Linux servers and harvesting Secure Shell (SSH) keys to perform lateral movement — at times brute-forcing credentials.

That’s according to researchers from Akamai, who discovered the botnet in late March. Written in Golang, it parses local SSH private keys and known hosts on each victim (using a static dictionary), then uses them to spread itself further.

While its operators could use the botnet for anything, Panchan is focused on a cryptojacking endgame for now.

“It is mostly a cryptojacker, so I don’t think it’s that dangerous. But it is unique,” Akamai researcher Stiv Kupchik says. “P2P communication is not that common in malware, and the SSH key harvesting also seems pretty novel. Also, I don’t think I’ve ever seen a Japanese threat actor.”

The malware is believed to have Japanese origins (its name is a possible reference to Panchan Rina, the Japanese kickboxer), and focuses on attacking telecommunications and education providers in Asia, Europe, and North America.

From Kupchik’s perspective, education was likely a highly targeted vertical because of the SSH-key harvesting aspect of the botnet.

“I have seen some victim institutes that were in the same country, or very close geographically,” he says. “I think that academic collaborations between institutes might yield a higher percentage of shared SSH keys than in other verticals, so maybe that is the reason.”

Unique Botnet Features

The malware, which deploys two miners, XMRig and nbhash, has a handful of unique technical features, according to the Akamai researchers. For one, it uses NiceHash for its mining pools and wallets. Because NiceHash is a regular wallet (using certain defined Bitcoin addresses for deposits) and not a blockchain wallet, Akamai was unable to see transaction and mining details to estimate the actual revenue that Panchan has earned.

Further, to hamper traceability, the cryptominers are dropped as memory-mapped files without any disk presence, and the cryptomining can be terminated if any process monitoring is detected. 

There’s also a “godmode” feature baked into the malware, in the form of an admin panel that can edit the mining configuration — another unique feature of Panchan, according to the firm.

Defeating Panchan

Because the malware uses a basic list of default passwords to spread, Kupchik says one of the key steps security teams can take to stop the malware in its tracks is password hardening.

“The dictionary that the malware uses to spread is extremely basic, so any non-default password should help thwart it,” he explains. “Segmentation and access control can help mitigate the SSH key harvesting risk, and MFA can help as well.”

He adds that Akamai has published indicators of compromise, queries, signatures, and scripts that organizations can use to test for infection.

The report also recommends continuous monitoring of virtual machine resources. Monitoring could alert security teams to suspicious activity since botnets focused on cryptojacking can raise machine resource usage to abnormal levels.

“In the case of Panchan, resource usage monitoring would have also terminated the cryptomining entirely,” according to the report.
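The fileless miners described above (executables dropped as memory-mapped files with no disk presence) still leave a trace in /proc: the process's exe link points at a memfd: pseudo-file or a path the kernel marks as deleted. As an added example, not from the article or from Akamai's published scripts, the Python scanner below flags such processes on a Linux host and reports their accumulated CPU time, so the resource-usage monitoring the report recommends can be tied to the fileless indicator; the exe-path pattern and the constructed sample values are assumptions.

```python
import os
import re

# Assumption: memory-only images appear in /proc/<pid>/exe as a "/memfd:<name> (deleted)"
# pseudo-path, and an unlinked on-disk binary as "<path> (deleted)".
FILELESS_RE = re.compile(r"^/memfd:|\(deleted\)$")


def is_fileless_exe(exe_target: str) -> bool:
    """Return True if a /proc/<pid>/exe link target indicates a memory-only image."""
    return bool(FILELESS_RE.search(exe_target))


def cpu_seconds(stat_line: str, clk_tck: int = 100) -> float:
    """Sum utime+stime (fields 14 and 15 of /proc/<pid>/stat) and convert to seconds.

    The comm field is parenthesised and may contain spaces, so fields are split
    only after the last ')'; rest[0] is then field 3 (state).
    """
    rest = stat_line[stat_line.rindex(")") + 1:].split()
    utime, stime = int(rest[11]), int(rest[12])
    return (utime + stime) / clk_tck


def scan_proc(proc: str = "/proc") -> list:
    """Walk /proc and return (pid, comm, exe_target, cpu_seconds) for fileless processes."""
    hits = []
    if not os.path.isdir(proc):
        return hits
    clk_tck = os.sysconf("SC_CLK_TCK")
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        base = os.path.join(proc, entry)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
            with open(os.path.join(base, "stat")) as fh:
                stat = fh.read()
        except OSError:
            continue  # kernel threads, processes that just exited, or PIDs we cannot inspect
        if is_fileless_exe(exe):
            comm = stat[stat.index("(") + 1:stat.rindex(")")]
            hits.append((int(entry), comm, exe, cpu_seconds(stat, clk_tck)))
    return hits


if __name__ == "__main__":
    for pid, comm, exe, secs in scan_proc():
        print(f"pid={pid} comm={comm} exe={exe} cpu={secs:.1f}s")
```

Run as root to see every process; a legitimate memfd-backed process (some runtimes and sandboxes use them) will also be listed, so the CPU-time column is what separates a miner from a benign hit.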
