"New Peer-To-Peer Botnet Panchan Infects Linux Servers With Cryptominers"

Around March 2022, a new peer-to-peer botnet called Panchan emerged in the wild, mining cryptocurrency on Linux machines, mostly in the education sector. Panchan carries SSH worm functionality, including dictionary attacks and the reuse of SSH keys it finds on compromised hosts, which lets it move laterally to other machines on the infiltrated network quickly. It also has detection-evasion features: its miners are memory-mapped (executed from memory rather than dropped to disk), and it dynamically detects process-monitoring tools and halts the mining module as soon as one is seen. According to Akamai, whose analysts discovered and studied the threat, the actor behind the project is most likely Japanese. Panchan is written in Go, which makes it straightforward to build for multiple system architectures. It spreads to new hosts by discovering and reusing existing SSH keys or by brute-forcing usernames and passwords. After a successful login, Panchan creates a hidden folder on the new host and copies itself there under the name "xinetd," borrowing the name of a legitimate Linux service daemon. The malware then runs that binary and sends an HTTPS POST request to a Discord webhook, which is most likely used to monitor victims. To maintain persistence, it copies itself to "/bin/systemd-worker" and creates a new systemd service so that it starts again after a reboot, masquerading as a normal system service. Akamai reverse-engineered the malware in order to map the botnet and identified 209 infected peers, 40 of which were still active at the time of the report. This article continues to discuss recent findings regarding the Panchan peer-to-peer botnet and what creates ideal conditions for the botnet to expand.
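The persistence and evasion behaviour summarized above gives a defender concrete artifacts to hunt for. The Python script below is an added example and is not code from Akamai or Bleeping Computer: it checks systemd unit files for an ExecStart that launches /bin/systemd-worker, looks for a file named xinetd sitting under a hidden (dot-) directory, and reads /proc/<pid>/maps for executable regions that have no file behind them. The search roots, the assumption that a memory-mapped miner shows up as an executable anonymous or memfd-backed mapping, and all sample data are assumptions constructed for this example, not indicators published on the page.

```python
"""Hunt for the Panchan persistence and evasion artifacts described in the summary.

Added example; not code from Akamai or Bleeping Computer. Names taken from the
article: /bin/systemd-worker, a hidden folder holding a copy named "xinetd", and a
systemd unit that relaunches the worker. Everything else (the search roots, the
assumption that a memory-mapped miner appears as an executable anonymous or
memfd-backed region in /proc/<pid>/maps, and the sample data) is constructed here.
"""
import os
import re
from pathlib import Path

SUSPECT_BINARY = "/bin/systemd-worker"
SUSPECT_NAME = "xinetd"       # the real daemon lives in /usr/sbin, never in a dot-directory
SEARCH_ROOTS = ("/root", "/home", "/tmp", "/var/tmp")   # assumption: likely drop locations

# systemd allows prefixes such as "-" and "@" before the executable path.
EXECSTART = re.compile(r"^\s*ExecStart\s*=\s*-?@?(\S+)")


def unit_findings(unit_text, unit_path="<unit>"):
    """Return one finding per ExecStart line that launches the suspect binary."""
    findings = []
    for line in unit_text.splitlines():
        m = EXECSTART.match(line)
        if m and m.group(1) == SUSPECT_BINARY:
            findings.append(f"{unit_path}: ExecStart launches {SUSPECT_BINARY}")
    return findings


def path_findings(paths):
    """Return one finding per path named 'xinetd' that sits below a hidden directory."""
    findings = []
    for p in paths:
        parts = Path(p).parts
        if parts and parts[-1] == SUSPECT_NAME and any(d.startswith(".") for d in parts[:-1]):
            findings.append(f"{p}: '{SUSPECT_NAME}' hidden under a dot-directory")
    return findings


def maps_findings(pid, maps_text):
    """Return one finding per executable mapping with no file behind it (anonymous or memfd).

    Assumption: a miner executed from memory shows up this way. JIT runtimes (Java,
    browsers) also create such regions, so treat hits as leads, not verdicts.
    """
    findings = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)          # addr perms offset dev inode [pathname]
        if len(fields) < 5:
            continue
        perms = fields[1]
        backing = fields[5] if len(fields) == 6 else ""
        if "x" not in perms or backing.startswith("["):   # skip [vdso], [vsyscall]
            continue
        if backing == "":
            findings.append(f"pid {pid}: executable anonymous mapping {fields[0]}")
        elif backing.startswith("/memfd:"):
            findings.append(f"pid {pid}: executable memfd mapping {fields[0]} ({backing})")
    return findings


def scan_live():
    """Run all three checks on this host (root is needed to read every /proc/<pid>/maps)."""
    out = []
    if Path(SUSPECT_BINARY).exists():
        out.append(f"{SUSPECT_BINARY} exists on disk")
    for unit in Path("/etc/systemd/system").glob("*.service"):
        try:
            out += unit_findings(unit.read_text(errors="replace"), str(unit))
        except OSError:
            pass
    candidates = []
    for root in SEARCH_ROOTS:
        for dirpath, _dirs, files in os.walk(root):
            candidates += [os.path.join(dirpath, f) for f in files if f == SUSPECT_NAME]
    out += path_findings(candidates)
    for proc in Path("/proc").iterdir():
        if proc.name.isdigit():
            try:
                out += maps_findings(proc.name, (proc / "maps").read_text())
            except OSError:
                pass
    return out


# Constructed sample data (not real captures) so the checks can be exercised offline.
SAMPLE_UNIT = """[Unit]
Description=System worker

[Service]
ExecStart=/bin/systemd-worker
Restart=always

[Install]
WantedBy=multi-user.target
"""

SAMPLE_PATHS = ["/home/user/.cache/xinetd", "/usr/sbin/xinetd", "/tmp/.x/xinetd"]

SAMPLE_MAPS = """00400000-00401000 r-xp 00000000 08:01 1234 /usr/bin/sleep
7f0000000000-7f0000100000 rwxp 00000000 00:00 0
7f0000200000-7f0000300000 r-xp 00000000 00:05 9 /memfd:x (deleted)
7ffff7fc0000-7ffff7fc4000 r-xp 00000000 00:00 0 [vdso]
"""

if __name__ == "__main__":
    for hit in (unit_findings(SAMPLE_UNIT, "sample.service")
                + path_findings(SAMPLE_PATHS)
                + maps_findings(4242, SAMPLE_MAPS)):
        print(hit)
    # for hit in scan_live(): print(hit)   # uncomment to check a real host
```

Run as root to cover every process; the maps check in particular will also fire on legitimate JIT runtimes, so pair a hit there with the unit and path checks (or with the Discord webhook traffic mentioned above) before treating a host as compromised.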

Bleeping Computer reports "New Peer-To-Peer Botnet Panchan Infects Linux Servers With Cryptominers"

 

Submitted by Anonymous on