Panchan: A New Golang-based Peer-To-Peer Botnet Targeting Linux Servers

Peer-To-Peer Botnet

A new Golang-based peer-to-peer (P2P) botnet has been spotted
actively targeting Linux servers in the education sector since its
emergence in March 2022.

Dubbed Panchan[1] by Akamai Security
Research, the malware “utilizes its built-in concurrency features
to maximize spreadability and execute malware modules” and
“harvests SSH keys to perform lateral movement.”

The feature-packed botnet, which relies on a basic list of
default SSH passwords to carry out a dictionary attack[2]
and expand its reach, primarily functions as a cryptojacker
designed to hijack a computer’s resources to mine
cryptocurrencies.

The cybersecurity and cloud service company noted it first
spotted Panchan’s activity on March 19, 2022, and attributed the
malware to a likely Japanese threat actor based on the language
used in the administrative panel baked into the binary to edit the
mining configuration.

Panchan is known to deploy and execute two miners, XMRig and
nbhash, on the host during runtime; the novel aspect is that the
miners are never written to disk, which avoids leaving a forensic
trail.

“To avoid detection and reduce traceability, the malware drops
its cryptominers as memory-mapped files, without any disk
presence,” the researchers said. “It also kills the cryptominer
processes if it detects any process monitoring.”
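One way a defender can look for miners that live only in memory, as an added example that is not part of the original article or of Akamai's research: on Linux, an executable created with memfd_create (an assumption here, since the article does not name the mechanism) shows up in /proc/<pid>/exe and /proc/<pid>/maps as a "/memfd:<name> (deleted)" path. The process data below is constructed to mimic one normal process and one fileless one.

```python
import os
import re

# Constructed sample of /proc/<pid>/exe targets and /proc/<pid>/maps lines:
# pid 1234 is an ordinary binary, pid 4321 runs from an anonymous memfd.
SAMPLE_PROCS = {
    1234: {
        "exe": "/usr/bin/sshd",
        "maps": [
            "5600a000-5600b000 r-xp 00000000 08:01 131 /usr/bin/sshd",
            "7f000000-7f001000 rw-p 00000000 00:00 0 ",
        ],
    },
    4321: {
        "exe": "/memfd:xmrig (deleted)",
        "maps": [
            "7f100000-7f200000 r-xp 00000000 00:05 77 /memfd:xmrig (deleted)",
            "7f200000-7f300000 rw-p 00000000 00:00 0 [heap]",
        ],
    },
}

# A memfd-backed image is reported as "/memfd:<name> (deleted)".
MEMFD_RE = re.compile(r"/memfd:.*\(deleted\)$")

def is_fileless(exe_target, maps_lines):
    """True if the process image or any executable mapping is memfd-backed."""
    if MEMFD_RE.search(exe_target):
        return True
    for line in maps_lines:
        fields = line.split(None, 5)  # addr perms offset dev inode path
        if len(fields) == 6 and "x" in fields[1] and MEMFD_RE.search(fields[5]):
            return True
    return False

def scan_procs(procs):
    """Return the sorted pids whose executable exists only in memory."""
    return sorted(pid for pid, p in procs.items() if is_fileless(p["exe"], p["maps"]))

def read_live_procs():
    """Collect the same shape of data from a real /proc (Linux; root sees all pids)."""
    procs = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            exe = os.readlink(f"/proc/{entry}/exe")
            with open(f"/proc/{entry}/maps") as fh:
                procs[int(entry)] = {"exe": exe, "maps": fh.read().splitlines()}
        except OSError:
            continue  # process exited or not readable
    return procs

if __name__ == "__main__":
    print("constructed sample:", scan_procs(SAMPLE_PROCS))
    if os.path.isdir("/proc"):
        print("live system:", scan_procs(read_live_procs()))
```

Processes that unlink their binary after starting also show "(deleted)" on exe without the "/memfd:" prefix, so a broader sweep would alert on either pattern and then triage manually.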

Of the 209 infected peers detected so far, 40 are said to be
currently active. Most of the compromised machines are located in
Asia (64), followed by Europe (52), North America (45), South
America (11), Africa (1), and Oceania (1).

An interesting clue as to the malware’s origins is the result of
an OPSEC failure on the part of the threat actor, revealing the
link to a Discord server that’s displayed in the “godmode” admin
panel.

“The main chat was empty except a greeting of another member
that occurred in March,” the researchers said. “It could be that
other chats are only available to higher privileged members of the
server.”

References

  1. Panchan (www.akamai.com)
  2. dictionary attack (en.wikipedia.org)