P2P Botnet Panchan Attacks Linux Servers

P2P botnet Panchan
Written by Carina Wilson

Akamai reports that in March 2022, a new P2P botnet Panchan appeared, which targets Linux servers (mainly in the educational sector) and mines cryptocurrency.

Let me remind you that we wrote that Operators of the Clipminer Botnet “Earned” More Than $1.7 Million, and also that 61% of malicious ads target Windows users.

Panchan is written in Go and has the functionality of an SSH worm, that is, it can perform dictionary attacks and abuse SSH keys to quickly move sideways on a compromised network.

In fact, Panchan infects new hosts by finding and using existing SSH keys, as well as by brute force logins and passwords. After success at this stage, it creates a hidden folder in which it hides under the name xinetd.

The malware then executes the binary and initiates an HTTPS POST to the Discord webhook, which is likely used to track the victim.

To gain a foothold in the system, Panchan copies itself to /bin/systemd-worker and creates a new systemd service to start after a reboot, that is, it disguises itself as a normal system service.

P2P botnet Panchan

On the infected system, Panchan deploys and runs two miners, XMRig and nbhash, and the miners are not extracted to disk so as not to leave traces.

To avoid detection and reduce the likelihood of being tracked, malware deploys cryptominers as memory-mapped files, without any presence on disk. Panchan also eliminates mining processes if it detects signs of monitoring.the analysts write.

It is reported that in total, researchers were able to detect 209 peers in the Panchan P2P network, although only 40 of them are currently active, and these systems are mainly located in Asian countries.

The researchers say that most of the victims are related to the education sector, which matches the methods of distribution of malware and facilitates the growth of botent. The fact is that when conducting international academic research, ideal conditions are created for the spread of malware, because such projects are characterized by poor “digital hygiene” in the field of passwords and the sharing of SSH keys.

About the author

Carina Wilson

With over 10 years' experience of writing for online and print media, I'm an expert in delivering clear and compelling copy.

I've written for a leading SEO copywriting agency as well as writing for some of the UK’s best known brands, magazines and newspapers.

Leave a Comment