Panchan goes after telecom and education providers using new and unique methods to thwart defenses and escalate privileges.
Akamai Security Research announced on Wednesday that it has discovered a new botnet that is attacking the Linux servers of telecom and education providers in Asia, Europe and the Americas. The botnet and cryptominer, called Panchan, first emerged from Japan in March 2022.
“We assume that collaborations between different academic institutions could lead to SSH keys being shared across networks, which could explain why this industry is at the top of the list,” the report said.
Panchan is written in the Go programming language and uses Go’s concurrency functions to maximize distribution and execute payloads.
In addition to the standard SSH dictionary attack common in most worms, Panchan is unique in that it harvests SSH keys to perform lateral movement, Akamai said.
“Instead of just using brute force or dictionary attacks on arbitrary IP addresses, as most botnets do, the malware also reads the id_rsa and known_hosts files to collect existing credentials and use them to move laterally across the network,” the report said.
Specifically, Panchan looks in the active HOME directory on the host for SSH configuration and keys. It reads the private key under $HOME/.ssh/id_rsa and uses it to attempt to authenticate to any IP address listed in $HOME/.ssh/known_hosts.
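As a defender-side check on the key harvesting described above, the following added Python script (not part of Akamai's report or this article) audits a user's ~/.ssh directory for the two conditions that make such harvesting cheap: private keys stored without a passphrase, and known_hosts entries stored as plaintext host names rather than hashed (OpenSSH's HashKnownHosts option). The key-format parsing follows the public openssh-key-v1 and legacy PEM layouts; the key blobs and known_hosts content used as samples are constructed header-only stand-ins, not real material.

```python
"""Audit ~/.ssh for material a key-harvesting worm can reuse: unencrypted private
keys and plaintext (unhashed) known_hosts entries. Added example, not from the page."""
import base64
import struct
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def private_key_is_encrypted(pem_text: str) -> bool:
    """True if the key is passphrase-protected, for OpenSSH and legacy PEM formats."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN"):
        raise ValueError("not a PEM-framed private key")
    if "OPENSSH PRIVATE KEY" in lines[0]:
        # openssh-key-v1 layout: magic, then a length-prefixed cipher name.
        # Cipher "none" means the key material is stored in the clear.
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError("missing openssh-key-v1 magic")
        off = len(OPENSSH_MAGIC)
        (n,) = struct.unpack(">I", body[off:off + 4])
        cipher = body[off + 4:off + 4 + n].decode("ascii")
        return cipher != "none"
    # Legacy PEM (RSA/DSA/EC): encryption is signalled by a Proc-Type header.
    return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines[1:])


def plaintext_known_hosts(text: str) -> list:
    """Return host fields of known_hosts lines that are not hashed (|1|salt|hash)."""
    exposed = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # An @cert-authority / @revoked marker shifts the host field right by one.
        host = fields[1] if fields[0].startswith("@") and len(fields) > 1 else fields[0]
        if not host.startswith("|1|"):
            exposed.append(host)
    return exposed


def audit_ssh_dir(ssh_dir: Path) -> dict:
    """Check a real ~/.ssh directory; returns findings keyed by file name."""
    findings = {}
    for key_file in ssh_dir.glob("id_*"):
        if key_file.suffix == ".pub":
            continue
        try:
            if not private_key_is_encrypted(key_file.read_text()):
                findings[key_file.name] = "private key has no passphrase"
        except (ValueError, UnicodeDecodeError):
            findings[key_file.name] = "unrecognised key format"
    kh = ssh_dir / "known_hosts"
    if kh.exists():
        hosts = plaintext_known_hosts(kh.read_text())
        if hosts:
            findings["known_hosts"] = f"{len(hosts)} plaintext host entries (consider HashKnownHosts yes)"
    return findings


# --- constructed samples: header-only stand-ins, not usable keys ---
def fake_openssh_key(cipher: str) -> str:
    body = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher.encode("ascii")
    b64 = base64.b64encode(body).decode("ascii")
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


LEGACY_ENCRYPTED_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00000000000000000000000000000000

AAAA
-----END RSA PRIVATE KEY-----
"""

SAMPLE_KNOWN_HOSTS = """# constructed sample
|1|c2FsdA==|aGFzaA== ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample
10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample
build.example.internal,10.0.0.7 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABExample
"""

if __name__ == "__main__":
    print("sample 'none' key encrypted?", private_key_is_encrypted(fake_openssh_key("none")))
    print("exposed hosts:", plaintext_known_hosts(SAMPLE_KNOWN_HOSTS))
    print(audit_ssh_dir(Path.home() / ".ssh"))
```

Run it as the account whose keys you want to check; a passphrase on the key and hashed known_hosts entries do not stop a worm that has already landed, but they remove the ready-made target list and the credential it would reuse.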
The botnet also has a “godmode” communications and admin panel, which Akamai researchers reverse-engineered to investigate the malware’s effectiveness and distribution.
“This is probably the most unique feature in the malware,” the report said. “It has an administrative panel built directly into the malware binary. To launch it, we need to pass the malware the string godmode as the first command line argument (followed by a peer list).”
To avoid detection and reduce traceability, Panchan downloads its cryptominers as memory-mapped files, leaving nothing on disk. According to Microsoft, memory-mapped files contain the contents of a file in virtual memory. If Panchan detects process monitoring, it disables the cryptominer processes.
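A detection angle on that memory-mapped delivery, as an added example that is not from the article or from Akamai's report: on Linux, an executable that is mapped from an anonymous in-memory file or from a file that has since been unlinked shows up in /proc/<pid>/maps with a path such as /memfd:name (deleted) or one ending in (deleted). The page does not say which mechanism Panchan uses, so this scanner flags both patterns generically. The maps text used as a sample is constructed.

```python
"""Flag executable mappings with no backing file on disk by parsing /proc/<pid>/maps.
Added example, not code from the article or the report."""
from pathlib import Path


def suspicious_exec_mappings(maps_text: str) -> list:
    """Return (address_range, path) for executable mappings backed by memfd or deleted files."""
    hits = []
    for line in maps_text.splitlines():
        # Format: address perms offset dev inode [pathname]; the path may contain spaces.
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # anonymous mapping with no pathname
        addr, perms, path = fields[0], fields[1], fields[5].strip()
        if "x" not in perms:
            continue
        if path.startswith("/memfd:") or path.endswith("(deleted)"):
            hits.append((addr, path))
    return hits


def scan_processes(proc_root: Path = Path("/proc")) -> dict:
    """Scan every readable process on a live host; returns {pid: [(addr, path), ...]}."""
    results = {}
    for pid_dir in proc_root.iterdir():
        if not pid_dir.name.isdigit():
            continue
        try:
            maps = (pid_dir / "maps").read_text()
        except OSError:
            continue  # process exited, or we lack privilege to read it
        hits = suspicious_exec_mappings(maps)
        if hits:
            results[int(pid_dir.name)] = hits
    return results


# Constructed /proc/<pid>/maps sample: a legitimate binary, a memfd-backed
# executable, an anonymous rw region and an executable whose file was unlinked.
SAMPLE_MAPS = """\
55d4a0c00000-55d4a0c21000 r-xp 00000000 fd:01 1310812                    /usr/bin/python3
7f3a1c000000-7f3a1c400000 r-xp 00000000 00:05 12345                      /memfd:payload (deleted)
7f3a1d000000-7f3a1d010000 rw-p 00000000 00:00 0
7f3a1e000000-7f3a1e200000 r-xp 00000000 fd:01 99                         /tmp/.cache/miner (deleted)
"""

if __name__ == "__main__":
    for addr, path in suspicious_exec_mappings(SAMPLE_MAPS):
        print(f"sample hit: {addr} {path}")
    for pid, hits in scan_processes().items():
        print(pid, hits)
```

Expect some benign hits on a live host (package upgrades leave running daemons mapped to deleted library files, and some runtimes use memfd legitimately), so treat a hit as a lead to triage against the process's command line and parent, not as a verdict on its own.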
Similar attacks are on the rise
Botnet DDoS attacks are on the rise and becoming harder to stop, according to a new report from Nokia.
Content delivery network and business services provider Cloudflare recently announced it stopped the biggest HTTPS DDoS attack ever. The attack generated more than 212 million HTTPS requests from more than 1,500 networks in 121 countries, from a botnet of 5,067 devices. At its peak, the bots generated over 26 million requests per second.
Panchan easy to stop
Although it uses unique methods to infect and spread, Panchan is easy to stop, Akamai said. Multi-factor authentication can reduce the risk of SSH keys being harvested. Because Panchan relies on a very simple list of default passwords to distribute, using strong SSH passwords should “stop it in its tracks,” the report said.
Akamai also recommends users:
- Use network segmentation whenever possible.
- Monitor VM resource activity for signs of botnet activity. Botnets like Panchan, whose end goal is cryptojacking, may increase machine resource utilization to abnormal levels. Constant monitoring can warn of suspicious activity.
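To make the resource-monitoring recommendation concrete, here is an added Python example (not from Akamai or the article) that computes CPU utilization from two /proc/stat snapshots and raises an alert only when the host stays above a threshold for a run of consecutive samples, so a short legitimate burst does not trip it. The snapshot values, threshold and window are constructed; tune them to the workload's own baseline.

```python
"""Flag sustained, abnormal CPU load from /proc/stat snapshots, the kind of signal
cryptojacking leaves behind. Added example, not from the article or the report."""
import time
from pathlib import Path


def parse_cpu_line(stat_text: str) -> tuple:
    """Return (busy_jiffies, total_jiffies) from the aggregate 'cpu' line of /proc/stat."""
    for line in stat_text.splitlines():
        if line.startswith("cpu "):
            vals = [int(v) for v in line.split()[1:]]
            idle = vals[3] + (vals[4] if len(vals) > 4 else 0)  # idle + iowait
            total = sum(vals[:8])  # user..steal; guest time is already counted in user/nice
            return total - idle, total
    raise ValueError("no aggregate cpu line")


def utilization(prev: str, curr: str) -> float:
    """Fraction of time the CPUs were busy between two /proc/stat snapshots."""
    b0, t0 = parse_cpu_line(prev)
    b1, t1 = parse_cpu_line(curr)
    return (b1 - b0) / (t1 - t0) if t1 > t0 else 0.0


def sustained_high(utils: list, threshold: float, window: int) -> bool:
    """True when `window` consecutive samples all exceed `threshold`."""
    run = 0
    for u in utils:
        run = run + 1 if u > threshold else 0
        if run >= window:
            return True
    return False


def watch(interval: float = 5.0, threshold: float = 0.9, window: int = 6) -> None:
    """Live loop: alert when the host stays above threshold for window*interval seconds."""
    history = []
    prev = Path("/proc/stat").read_text()
    while True:
        time.sleep(interval)
        curr = Path("/proc/stat").read_text()
        history.append(utilization(prev, curr))
        history = history[-window:]
        prev = curr
        if sustained_high(history, threshold, window):
            print(f"ALERT: CPU above {threshold:.0%} for {window * interval:.0f}s")


# Constructed /proc/stat snapshots (aggregate line only), each 100 jiffies apart:
# A -> B is lightly loaded, B -> C is fully saturated.
STAT_A = "cpu  1000 0 500 8000 100 0 10 0 0 0\n"
STAT_B = "cpu  1020 0 505 8070 105 0 10 0 0 0\n"  # 25 busy of 100 -> 0.25
STAT_C = "cpu  1115 0 510 8070 105 0 10 0 0 0\n"  # 100 busy of 100 -> 1.0

if __name__ == "__main__":
    print("A->B", utilization(STAT_A, STAT_B), "B->C", utilization(STAT_B, STAT_C))
    watch()
```

A miner that backs off when it sees monitoring, as the report describes, will show up as a utilization curve that drops exactly when an administrator logs in; keeping the sampling in a background agent rather than an interactive session makes that evasion less effective.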
Akamai has also published IoCs, queries, signatures and scripts that can be used to test for infection.