Akamai reports that in March 2022, un new P2P botnet Panchan appeared, which targets Linux servers (mainly in the educational sector) and mines cryptocurrency.
Let me remind you that we wrote that Opérateurs du Botnet Clipminer »Gagné" Plus que $1.7 Million, et aussi que 61% of malicious ads target Windows users.
Panchan is written in Go and has the functionality of an SSH worm, that is, it can perform dictionary attacks and abuse SSH keys to quickly move sideways on a compromised network.
En fait, Panchan infects new hosts by finding and using existing SSH keys, as well as by brute force logins and passwords. After success at this stage, it creates a hidden folder in which it hides under the name xinetd.
The malware then executes the binary and initiates an HTTPS POST to the Discord webhook, which is likely used to track the victim.
To gain a foothold in the system, Panchan copies itself to /bin/systemd-worker and creates a new systemd service to start after a reboot, that is, it disguises itself as a normal system service.
On the infected system, Panchan deploys and runs two miners, XMRig et nbhash, and the miners are not extracted to disk so as not to leave traces.
It is reported that in total, researchers were able to detect 209 peers in the Panchan P2P network, although only 40 of them are currently active, and these systems are mainly located in Asian countries.
The researchers say that most of the victims are related to the education sector, which matches the methods of distribution of malware and facilitates the growth of botent. The fact is that when conducting international academic research, ideal conditions are created for the spread of malware, because such projects are characterized by poor “digital hygiene” in the field of passwords and the sharing of SSH keys.
Laissez un commentaire