New Peer-to-Peer Botnet Installs Linux Servers With Cryptominers

Share post:

A new peer-to-peer botnet named Panchan is targeting Linux servers in the education sector to mine cryptocurrency.

Panchan, discovered in the wild in March 2022, has SSH worm functions like dictionary attacks and SSH key abuse to do rapid lateral movement to available machines within the compromised network.

Moreover, it possesses superior detection avoidance capabilities, such as using memory-mapped miners and dynamically detecting process monitoring to cease the mining module instatntly.

Akamai analysts spotted the novel threat and analyzed it, deducing that the threat actor behind this new botnet is most probably Japanese.

Panchan was written in Golang, a versatile programming language that simplifies the targeting of different system architectures.

It infects new hosts by locating and using existing SSH keys or brute-forcing usernames and passwords. It then creates a hidden folder where it hides itself under the name “xinetd.”

Finally, the malware executes the binary and initiates an HTTPS POST operation to a Discord webhook, used likely to monitor the victim.

To establish persistence, the malware copies itself to “/bin/systemd-worker” and builds a new systemd service to launch after reboot while posing as a legitimate system service.

Akamai reverse-engineered the malware to map it and discovered 209 compromised systems, 40 of which are presently active.

Majority of the victims are from the education sector, as it matches Panchan’s spreading methods and expedites its rapid growth.

Poor password hygiene and excessive SSH key sharing to cater to international academic research collaborations are the ideal conditions for the botnet to spread.

To protect one’s network against these types of attacks, Akamai suggests the use of complex passwords, employing MFA on all accounts, limiting SSH access, and consistently monitoring VM resource activity.

For more information, read the original story in Bleepingcomputer.

Featured Tech Jobs


Related articles

Cyber Security Today, April 24, 2024 – Good news/bad news in Mandiant report, UnitedHealth admits paying a ransomware gang, and more

This episode reports on the danger of using expired open-source packages, a tool used by a Russian hacking group and passw

Google Play introduces new biometric verification with a user warning

Google has recently announced updates to the biometric verification process for Google Play purchases, aiming to bolster security...

Cyber Security Today, Week in Review for week ending Friday April 19, 2024

On this episode Jen Ellis, co-chair of the Ransomware Task Force, talks about ways of fighting one of the biggest cyber threats to IT d

Cyber Security Today, April 19, 2024 – Police bust phishing rental platform, a nine-year old virus found on Ukrainian computers, and more

This episode reports on a threat actor targeting governments in the Middle East with a novel way of hiding malware is going international

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways