New Peer-to-Peer Botnet Installs Linux Servers With Cryptominers

Share post:

A new peer-to-peer botnet named Panchan is targeting Linux servers in the education sector to mine cryptocurrency.

Panchan, discovered in the wild in March 2022, has SSH worm functions like dictionary attacks and SSH key abuse to do rapid lateral movement to available machines within the compromised network.

Moreover, it possesses superior detection avoidance capabilities, such as using memory-mapped miners and dynamically detecting process monitoring to cease the mining module instatntly.

Akamai analysts spotted the novel threat and analyzed it, deducing that the threat actor behind this new botnet is most probably Japanese.

Panchan was written in Golang, a versatile programming language that simplifies the targeting of different system architectures.

It infects new hosts by locating and using existing SSH keys or brute-forcing usernames and passwords. It then creates a hidden folder where it hides itself under the name “xinetd.”

Finally, the malware executes the binary and initiates an HTTPS POST operation to a Discord webhook, used likely to monitor the victim.

To establish persistence, the malware copies itself to “/bin/systemd-worker” and builds a new systemd service to launch after reboot while posing as a legitimate system service.

Akamai reverse-engineered the malware to map it and discovered 209 compromised systems, 40 of which are presently active.

Majority of the victims are from the education sector, as it matches Panchan’s spreading methods and expedites its rapid growth.

Poor password hygiene and excessive SSH key sharing to cater to international academic research collaborations are the ideal conditions for the botnet to spread.

To protect one’s network against these types of attacks, Akamai suggests the use of complex passwords, employing MFA on all accounts, limiting SSH access, and consistently monitoring VM resource activity.

For more information, read the original story in Bleepingcomputer.

Featured Tech Jobs

SUBSCRIBE NOW

Related articles

Cyber Security Today, March 29, 2024 – PyPI repository shuts to stop malicious uploads, a plea to developers to stop creating apps with SQL...

This episode reports on a US$10 million reward for a ransomware gang, a new Linux version of a backdoor

Cyber Security Today, March 27, 2024 – A botnet exploits old routers, a new malware loader discovered, and more warnings about downloading code from...

This episode reports on a new network of 40,000 infected small and home office routers and other devices that are part of a criminal botnet

Cyber Security Today, March 25, 2024 – A suspected China threat actor going after unpatched F5 and ScreenConnet installations

This episode reports on a new campaign stealing email passwords ,the latest data breaches

A hacker’s view of the civic infrastructure: Hashtag Trending, the Weekend Edition for March 23rd, 2024

What does the civic infrastructure look like through the eyes of a hacker? The legendary general Sun Tzu in the Art of War said that in order to defeat your enemy, you must first understand your enemy. How do you do this? He said, “to know your enemy, you must become your enemy.” If we

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways