A new Go-based peer-to-peer botnet, dubbed Panchan, has been observed by researchers targeting Linux servers in the academic sector since it first appeared last March.
The researchers stated that the malware uses Go's built-in concurrency features to maximise its propagation and to run its malware modules in parallel. They also noticed that Panchan harvests SSH keys from infected hosts and uses them for lateral movement to other machines.
The heavily packed botnet relies on a basic list of default SSH passwords to run a dictionary attack and expand its footprint. Panchan's primary payload is cryptojacking: it hijacks the infected device's resources to mine cryptocurrency for the operators' wallets.
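Propagation by SSH dictionary attack leaves a very recognisable trace in sshd logs: a burst of failed password attempts from one source, sometimes followed by a successful password login from the same source. The detector below is an added example written for this article, not code from the Panchan research or from the malware itself; the sshd log lines are constructed, and the window and threshold values are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log sample (not real Panchan telemetry): one source
# (203.0.113.7) hammers password auth and then gets in, a second source
# logs in by key, and a third has a single failure.
SAMPLE_LOG = """\
Jun 15 10:00:01 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Jun 15 10:00:02 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51124 ssh2
Jun 15 10:00:03 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 51126 ssh2
Jun 15 10:00:04 web1 sshd[2207]: Failed password for invalid user ubuntu from 203.0.113.7 port 51128 ssh2
Jun 15 10:00:05 web1 sshd[2209]: Failed password for root from 203.0.113.7 port 51130 ssh2
Jun 15 10:00:06 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51132 ssh2
Jun 15 10:00:09 web1 sshd[2213]: Accepted password for root from 203.0.113.7 port 51134 ssh2
Jun 15 10:05:00 web1 sshd[2300]: Accepted publickey for deploy from 198.51.100.20 port 40001 ssh2: ED25519 SHA256:abc
Jun 15 10:07:00 web1 sshd[2310]: Failed password for root from 192.0.2.9 port 33001 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <src> port <n>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Return (timestamp, result, method, user, src) or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; strptime defaults to 1900, which is fine for relative windows
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["result"], m["method"], m["user"], m["src"]


def detect_ssh_dictionary_attacks(lines, window_seconds=60, threshold=5):
    """Sliding-window count of failed password logins per source.

    Emits ("brute_force", src, count) the first time a source crosses the threshold,
    and ("guessed_credential", src, user) when a password login succeeds from a
    source that is still inside its failure burst. Thresholds are assumed values.
    """
    recent = defaultdict(deque)   # src -> timestamps of recent password failures
    flagged = set()               # sources already reported as brute-forcing
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, result, method, user, src = ev
        q = recent[src]
        # drop failures that fell out of the window
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if result == "Failed" and method == "password":
            q.append(ts)
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("brute_force", src, len(q)))
        elif result == "Accepted" and method == "password" and len(q) >= threshold:
            # a success on the heels of a failure burst: the dictionary attack worked
            alerts.append(("guessed_credential", src, user))
    return alerts


if __name__ == "__main__":
    for alert in detect_ssh_dictionary_attacks(SAMPLE_LOG.splitlines()):
        print(alert)
```

Note what this does not catch: lateral movement with SSH keys harvested from an already-infected host produces clean "Accepted publickey" lines with no preceding failures, so key-based logins from unexpected sources need a separate review of authorized_keys and known_hosts rather than a failure counter.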
Panchan's initial activity was detected last March, and the experts attributed the malware to a Japan-based threat group because of the language used in the admin panel that is compiled into the binary and used to alter the mining configuration.
The Panchan botnet reportedly uses two miners in its attacks. The analysis revealed that Panchan launches nbhash and XMRig. Rather than writing the miners to disk, the malware executes them as memory-mapped files, so no miner binary is left on disk for antivirus scanning or forensic analysis, which reduces traceability and hampers detection.
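A miner executed from memory rather than from a file still shows up in the kernel's view of the process: on Linux, /proc/<pid>/exe of a process started from a memfd_create() descriptor resolves to a name of the form "/memfd:<name> (deleted)", and a process whose binary was unlinked after launch resolves to "<path> (deleted)". The scanner below is an added example for this article, not code from the Panchan research; the memfd-backed child it spawns for the demonstration copies /bin/sleep into a memfd (an assumption about the host; Linux with Python 3.8 or newer is required for os.memfd_create).

```python
import os
import re
import shutil
import signal
import time

# /proc/<pid>/exe target for a process launched from a memfd: "/memfd:<name> (deleted)"
MEMFD_RE = re.compile(r"^/memfd:(?P<name>.*?) \(deleted\)$")


def classify_exe_target(target):
    """Classify a readlink(/proc/<pid>/exe) result as 'memfd', 'unlinked' or 'ondisk'."""
    if MEMFD_RE.match(target):
        return "memfd"
    if target.endswith(" (deleted)"):
        return "unlinked"
    return "ondisk"


def scan_proc(proc_root="/proc"):
    """Walk /proc and return (pid, comm, exe_target, verdict) for every process not backed by an on-disk file."""
    findings = []
    if not os.path.isdir(proc_root):
        return findings
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
            with open(os.path.join(proc_root, entry, "comm")) as f:
                comm = f.read().strip()
        except OSError:
            # kernel threads, processes that exited mid-scan, or other users' processes when not root
            continue
        verdict = classify_exe_target(target)
        if verdict != "ondisk":
            findings.append((int(entry), comm, target, verdict))
    return findings


def spawn_memfd_child(name="demo", seconds="30"):
    """Reproduce the technique harmlessly: run /bin/sleep from a memfd (assumed present) and return the child's pid."""
    pid = os.fork()
    if pid == 0:
        fd = os.memfd_create(name)
        with open("/bin/sleep", "rb") as src, os.fdopen(os.dup(fd), "wb") as dst:
            shutil.copyfileobj(src, dst)
        os.execv(f"/proc/self/fd/{fd}", ["sleep", seconds])  # never returns
    return pid


if __name__ == "__main__":
    child = spawn_memfd_child()
    time.sleep(0.5)  # give the child time to exec
    try:
        for pid, comm, target, verdict in scan_proc():
            marker = "  <-- demo child" if pid == child else ""
            print(f"{pid:>7} {comm:<16} {verdict:<9} {target}{marker}")
    finally:
        os.kill(child, signal.SIGKILL)
        os.waitpid(child, 0)
```

Run it as root to see every process; without root you only see your own. Match on the "/memfd:" structure rather than on the miner's name, since the dropper chooses the memfd name and nothing forces it to say XMRig. A complementary check is to grep /proc/<pid>/maps for "memfd:" mappings, which catches payloads loaded into an existing process rather than executed as a new one.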
Researchers currently detect about 40 active peers among the 209 infected devices, which are spread across Asia, Europe, North America, South America, Oceania, and Africa. An interesting detail is that the malware's origin was uncovered because of an OPSEC failure by the operators: the threat actors left a link to a Discord server in the "god mode" admin panel.
Researchers said the main chat of the threat actors' Discord server was empty except for a greeting from one of its members in March. They concluded that the operators' real conversations were restricted to members with higher privileges on the server.