
Panchan: A New Cryptojacking Botnet Targeting Education Sector

A Golang-based peer-to-peer (P2P) botnet has been targeting Linux servers in the education sector. The botnet, called Panchan, has been active since March.

Panchan: A new botnet

According to Akamai Security Research, the botnet uses Go's built-in concurrency features to spread widely and to run its malware modules.
  • It harvests SSH keys for lateral movement, and it also uses a basic list of default SSH passwords to perform dictionary attacks and expand its reach.
  • The botnet’s primary function is to hijack resources to mine cryptocurrencies.
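Because the botnet spreads by password guessing against SSH, the most direct host-side signal is a burst of failed password logins from one source, especially when a password login from that same source then succeeds. The script below is an added example (it is not from the Akamai research or from this article) that parses OpenSSH auth-log lines in their standard syslog format and reports such sources; the log lines it runs over are constructed samples, and the threshold of three failures is an assumption to tune per site.

```python
"""Flag SSH password-guessing activity in OpenSSH auth-log lines.

Added example (not from the Akamai research or the Cyware article). It
counts failed password logins per source address and notes whether a
password login from that source later succeeded, which is the pattern a
dictionary attack leaves behind in /var/log/auth.log or journald.
"""
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH syslog format (not real log data).
SAMPLE_LOG = """\
Jun 15 10:01:01 host1 sshd[2001]: Failed password for root from 10.0.0.7 port 51010 ssh2
Jun 15 10:01:02 host1 sshd[2002]: Failed password for invalid user admin from 10.0.0.7 port 51011 ssh2
Jun 15 10:01:03 host1 sshd[2003]: Failed password for ubuntu from 10.0.0.7 port 51012 ssh2
Jun 15 10:01:04 host1 sshd[2004]: Failed password for root from 10.0.0.7 port 51013 ssh2
Jun 15 10:01:05 host1 sshd[2005]: Accepted password for ubuntu from 10.0.0.7 port 51014 ssh2
Jun 15 10:05:00 host1 sshd[2010]: Accepted publickey for deploy from 10.0.0.9 port 40000 ssh2
Jun 15 10:06:00 host1 sshd[2011]: Failed password for root from 10.0.0.3 port 40111 ssh2
"""

# Matches both "Failed password for <user>" and "... for invalid user <user>".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_events(text):
    """Yield (result, method, user, src) for every sshd auth line in text."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("method"), m.group("user"), m.group("src")


def find_password_guessing(text, threshold=3):
    """Return {src: {"failures": n, "users": [...], "success_after": bool}}
    for each source with at least `threshold` failed password logins.
    `success_after` is True when a password login from that source was
    accepted after the failure count had already reached the threshold."""
    stats = defaultdict(lambda: {"failures": 0, "users": [], "success_after": False})
    for result, method, user, src in parse_events(text):
        if method != "password":          # key-based logins are not guessable
            continue
        s = stats[src]
        if result == "Failed":
            s["failures"] += 1
            if user not in s["users"]:
                s["users"].append(user)   # breadth of usernames tried
        elif s["failures"] >= threshold:
            s["success_after"] = True     # guessing appears to have worked
    return {src: s for src, s in stats.items() if s["failures"] >= threshold}


if __name__ == "__main__":
    for src, s in find_password_guessing(SAMPLE_LOG).items():
        print(src, s)
```

A source that reaches `success_after` should be treated as a likely compromised account rather than just noise to rate-limit; in the sample data that is 10.0.0.7, which tried root, admin and ubuntu before a password login as ubuntu was accepted.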

Cryptojacking

During runtime, the botnet has been observed deploying and executing two miners, nbhash and XMRig, on the host.
  • The two miners are not written to disk but are kept in memory only, leaving no forensic trail on disk.
  • Further, the botnet kills its crypto miner processes if it detects process monitoring.
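When a miner is kept in memory rather than on disk, the file system offers little to inspect, but the process table still does: on Linux, /proc/<pid>/exe for a process started from a memfd object or from a file that was unlinked after launch resolves to a target such as "/memfd:name (deleted)" or "/tmp/x (deleted)". The script below is an added example (not from the Akamai research or from this article) that classifies exe-link targets on that basis; the process table it is tested against is constructed, and `scan_proc()` is provided for running the same check against a live /proc (root is needed to read other users' exe links).

```python
"""Find processes whose executable lives in memory rather than on disk.

Added example (not from the Akamai research or the Cyware article).
Panchan keeps its miners in memory, so the process table is where they
show. The readlink target of /proc/<pid>/exe is the signal used here.
"""
import os


def classify_exe_target(target):
    """Return a reason string if `target` (readlink of /proc/<pid>/exe)
    looks like an in-memory or unlinked executable, else None."""
    if target.startswith("/memfd:"):
        return "memfd-backed executable (never written to disk)"
    if target.endswith(" (deleted)"):
        return "executable file unlinked while running"
    if target.startswith(("/dev/shm/", "/run/shm/")):
        return "executable running from tmpfs shared memory"
    return None


def find_fileless(processes):
    """processes: iterable of (pid, comm, exe_target).
    Returns [(pid, comm, reason)] for entries that look fileless."""
    hits = []
    for pid, comm, exe in processes:
        reason = classify_exe_target(exe)
        if reason:
            hits.append((pid, comm, reason))
    return hits


# Constructed sample process table (not captured from a real infection).
SAMPLE_PROCESSES = [
    (1, "systemd", "/usr/lib/systemd/systemd"),
    (812, "sshd", "/usr/sbin/sshd"),
    (4021, "xmrig", "/memfd:xmrig (deleted)"),
    (4022, "kworker2", "/tmp/.cache/x (deleted)"),
    (4100, "bash", "/usr/bin/bash"),
]


def scan_proc(proc="/proc"):
    """Walk a live /proc and return suspicious (pid, comm, reason) entries.
    Kernel threads and processes we are not allowed to inspect are skipped."""
    found = []
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        try:
            exe = os.readlink(os.path.join(proc, name, "exe"))
            with open(os.path.join(proc, name, "comm")) as f:
                comm = f.read().strip()
        except OSError:
            continue
        found.extend(find_fileless([(int(name), comm, exe)]))
    return found


if __name__ == "__main__":
    for pid, comm, reason in find_fileless(SAMPLE_PROCESSES):
        print(f"{pid:>6} {comm:<12} {reason}")
```

The memfd check runs before the generic "(deleted)" check because a memfd target carries both markers; a legitimate package upgrade can also leave a long-running daemon with a "(deleted)" exe, so treat that class as a prompt to look at the process name, parent and CPU usage rather than as proof on its own.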

A total of 209 infected peers were identified, of which 40 are currently active. Most of the machines are in Asia (64), followed by Europe (52), North America (45), South America (11), Oceania (1), and Africa (1).

Attribution

Panchan's activity was first spotted on March 19 and was linked to a Japanese threat group based on the language used in the administrative panel inside the binary, which is used to edit the mining configuration.
  • Another clue to the botnet’s origin came from an OPSEC failure by the threat actor: a link to a Discord server was exposed and displayed in the ‘godmode’ admin panel, which revealed further details to the researchers.


Prevention and mitigation

The researchers have published a repository with IOCs and YARA and Snort signatures for checking hosts for infection, together with a bash script that can be run on a virtual machine. They further recommend using strong, complex passwords and configuring Multi-Factor Authentication (MFA) wherever possible.
Publisher: Cyware