July 14, 2024

A new Golang-based peer-to-peer (P2P) botnet has been spotted actively targeting Linux servers in the education sector since its emergence in March 2022.

Dubbed Panchan by Akamai Security Research, the malware “utilizes its built-in concurrency features to maximize spreadability and execute malware modules” and “harvests SSH keys to perform lateral movement.”

The feature-packed botnet, which relies on a basic list of default SSH passwords to carry out a dictionary attack and expand its reach, primarily functions as a cryptojacker designed to hijack a computer’s resources to mine cryptocurrencies.

The cybersecurity and cloud service company noted it first spotted Panchan’s activity on March 19, 2022, and attributed the malware to a likely Japanese threat actor based on the language used in the administrative panel baked into the binary to edit the mining configuration.

Panchan is known to deploy and execute two miners, XMRig and nbhash, on the host during runtime. The novelty is that the miners are never extracted to disk, which avoids leaving a forensic trail.

“To avoid detection and reduce traceability, the malware drops its cryptominers as memory-mapped files, without any disk presence,” the researchers said. “It also kills the cryptominer processes if it detects any process monitoring.”
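A defender's check for the diskless execution described above, as an added example that is not from Akamai's report or this article: it flags processes whose `/proc/<pid>/exe` link has no backing file on disk. It assumes the miners surface as memfd-backed, shared-memory or unlinked executables (the article does not name the mechanism); the sample PIDs and paths are constructed.

```python
import os

# Assumption: the memory-backed miners surface the way diskless Linux
# executables usually do (memfd_create or an unlinked file). The article
# does not name the exact mechanism.
SHM_PREFIXES = ("/dev/shm/", "/run/shm/")
DELETED = " (deleted)"


def classify_exe(target):
    """Return a reason if a /proc/<pid>/exe target looks diskless, else None."""
    deleted = target.endswith(DELETED)
    path = target[: -len(DELETED)] if deleted else target
    if path.startswith("/memfd:"):
        return "memfd-backed executable"
    if path.startswith(SHM_PREFIXES):
        return "executable in shared memory"
    if deleted:
        return "executable unlinked from disk"
    return None


def scan(entries):
    """entries: iterable of (pid, exe_target) -> [(pid, target, reason)]."""
    hits = []
    for pid, target in entries:
        reason = classify_exe(target)
        if reason:
            hits.append((pid, target, reason))
    return hits


def live_entries(proc="/proc"):
    """Yield (pid, exe_target) for every readable process on this host."""
    for name in filter(str.isdigit, os.listdir(proc)):
        try:
            yield int(name), os.readlink(os.path.join(proc, name, "exe"))
        except OSError:  # kernel thread, exited process, or no permission
            continue


# Constructed sample link targets, not taken from a real infection.
SAMPLE = [(812, "/usr/sbin/sshd"), (4410, "/memfd:x (deleted)"),
          (4415, "/tmp/.cache/worker (deleted)"), (4420, "/dev/shm/k")]

if __name__ == "__main__":
    source = live_entries() if os.path.isdir("/proc/self") else SAMPLE
    for pid, target, reason in scan(source):
        print(pid, target, reason)
```

An unlinked executable also appears after a package upgrade replaces a running binary, so treat that reason as a lead to triage rather than a verdict.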

Of the 209 infected peers detected so far, 40 are said to be currently active. Most of the compromised machines are located in Asia (64), followed by Europe (52), North America (45), South America (11), Africa (1), and Oceania (1).

An interesting clue to the malware’s origins comes from an OPSEC failure on the part of the threat actor: the “godmode” admin panel displays a link to a Discord server.

“The main chat was empty except a greeting of another member that occurred in March,” the researchers said. “It could be that other chats are only available to higher privileged members of the server.”