Panchan, a new peer-to-peer botnet that mines cryptocurrency on Linux servers in the education sector, first surfaced in the wild in March 2022. It is equipped with SSH worm features such as dictionary attacks and SSH key abuse, allowing it to spread quickly from compromised machines to other vulnerable hosts on the network.
It also has detection-evasion features, such as memory-mapped miners and the ability to detect process monitoring and promptly halt the mining module. According to Akamai, whose researchers identified the threat and analysed it in a report, the threat actor behind it is most likely Japanese.
Panchan is written in Golang, a flexible programming language that lets it target a wide range of system architectures. It infects new hosts by discovering and exploiting existing SSH keys, as well as by brute-forcing usernames and passwords. Once it gains access, it creates a hidden folder named “xinetd” in which to conceal itself. Finally, the malware runs its binary and sends an HTTPS POST request to a Discord webhook, most likely used to keep track of victims.
To maintain persistence, the malware copies itself to “/bin/systemd-worker” and creates a new systemd service that starts after a reboot, posing as a normal system service. The botnet and its C2 communicate over TCP port 1919, without encryption. The configuration sent to the malware is either the miner configuration or an update to the peer list.
The malware also has a “godmode”, an admin panel accessible only with a private key held by the attackers. The admin panel, which Akamai patched to remove this protection, includes a configuration overview, host status, peer stats, miner settings, and operator update options. The miner binaries, Xmrig and nbhash, are fileless: they are decoded from base64 and executed in memory at runtime, so they never touch the disk.
Because Panchan’s mining pools and wallets use NiceHash, whose transactions are not recorded on a public blockchain, Akamai’s researchers could not track transactions or estimate the scale, profit, or other characteristics of the mining operation. The malware also has an anti-kill mechanism that catches and ignores process termination signals, except SIGKILL, which a process cannot catch.
To map the botnet, Akamai reverse-engineered the malware and found 209 infected machines, 40 of which were active. Most victims are in the education sector, which fits Panchan’s spreading techniques and aids its rapid growth. The botnet thrives in environments where password hygiene is poor and SSH keys are shared widely to support international academic research collaboration.
The discovery of infected clusters at institutions in Spain, Taiwan, and Hong Kong supports this view. The impact stems from resource hijacking, which can hinder research and disrupt the delivery of public-facing services at educational institutions. Akamai recommends that potential targets use complex passwords, enable multi-factor authentication on all accounts, restrict SSH access, and continually monitor VM resource activity.
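As an added example (not Akamai’s or Panchan’s code), the following hunting checks turn the persistence and C2 traits described above into offline tests a defender can run against artefacts copied from a suspect host: systemd unit files that launch “/bin/systemd-worker”, a socket table showing TCP/1919 connections, and directory listings containing a stray “xinetd” folder. The sample unit, socket rows and paths are constructed; treating “/etc” as the only legitimate home for xinetd configuration is an assumption.

```python
# Added example, not Akamai's or Panchan's code: offline hunting checks for the
# persistence and C2 traits described above. Each helper takes its input as
# data so it can run against artefacts copied off a suspect host.

# Indicators taken from the write-up above.
PERSISTENCE_BINARY = "/bin/systemd-worker"
HIDDEN_DIR_NAME = "xinetd"
P2P_PORT = 1919


def suspicious_units(unit_texts):
    """Return names of systemd units whose ExecStart runs the persistence binary."""
    hits = []
    for name, text in unit_texts.items():
        for line in text.splitlines():
            key, _, value = line.partition("=")
            if key.strip() == "ExecStart" and PERSISTENCE_BINARY in value:
                hits.append(name)
                break
    return sorted(hits)


def p2p_connections(ss_output):
    """Parse `ss -tn`-style rows; return (local, peer) pairs touching TCP/1919."""
    found = []
    for line in ss_output.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        local, peer = fields[3], fields[4]
        ports = {local.rsplit(":", 1)[-1], peer.rsplit(":", 1)[-1]}
        if str(P2P_PORT) in ports:
            found.append((local, peer))
    return found


def stray_xinetd_dirs(dir_paths):
    """Flag directories named 'xinetd' outside /etc (assumption: genuine xinetd
    configuration lives under /etc, so copies elsewhere deserve a look)."""
    return [p for p in dir_paths
            if p.rstrip("/").rsplit("/", 1)[-1] == HIDDEN_DIR_NAME
            and not p.startswith("/etc/")]


# Constructed sample artefacts for a dry run.
SAMPLE_UNITS = {
    "systemd-worker.service": "[Service]\nExecStart=/bin/systemd-worker\n",
    "cron.service": "[Service]\nExecStart=/usr/sbin/cron -f\n",
}
SAMPLE_SS = (
    "State  Recv-Q Send-Q Local Address:Port  Peer Address:Port\n"
    "ESTAB  0      0      10.0.0.5:1919       203.0.113.7:51234\n"
    "ESTAB  0      0      10.0.0.5:22         10.0.0.9:40112\n"
)
SAMPLE_DIRS = ["/etc/xinetd.d", "/home/alice/.config/xinetd", "/var/lib/xinetd"]

if __name__ == "__main__":
    print(suspicious_units(SAMPLE_UNITS), p2p_connections(SAMPLE_SS),
          stray_xinetd_dirs(SAMPLE_DIRS))
```

On a live host the same functions can be fed the contents of `/etc/systemd/system/*.service`, the output of `ss -tn`, and a `find / -type d -name xinetd` listing.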