Akamai Security Research announced on Wednesday it has uncovered a new botnet attacking the Linux servers of telecom and education providers in Asia, Europe and the Americas. The botnet and cryptominer, called Panchan, first emerged from Japan in March 2022.
“We assume collaborations between different academic institutes might cause SSH keys to be shared across networks, which may explain why this vertical tops the list,” the report said.
Panchan is written in the Go programming language and utilizes Go’s concurrency features to maximize its spread and execute payloads.
“After a successful authentication to the target, the malware creates a hidden folder with a random name under the root directory /, and copies itself to the hidden folder with the name xinetd using sftp,” said Stiv Kupchik, researcher at Akamai. “The malware then remotely executes the copied binary on the target machine (using nohup) and passes it a list of peers over the command line. After a successful infection, the malware initiates an HTTPS POST operation to a Discord webhook, which is probably used for victim monitoring.”
SEE: Mobile device security policy (TechRepublic Premium)
In addition to the basic SSH dictionary attack that is commonplace in most worms, Panchan is unique in that it harvests SSH keys to perform lateral movement, Akamai said.
“Instead of just using brute force or dictionary attacks on randomized IP addresses like most botnets do, the malware also reads the id_rsa and known_hosts files to harvest existing credentials and use them to move laterally across the network,” the report said.
Specifically, Panchan looks at the host machine’s running user HOME directory for SSH configuration and keys. It reads the private key under ~HOME/.ssh/id_rsa and uses it to attempt to authenticate to any IP address found under ~HOME/.ssh/known_hosts.
“It is mostly a cryptojacker, so I don’t think it is that dangerous. But it is unique. P2P communication is not that common in malware, and the SSH key harvesting also seems pretty novel,” said Kupchik.
The botnet also uses a “godmode” communication and admin panel that Akamai researchers reverse-engineered to examine the malware’s effectiveness and spread.
“This is probably the most unique feature in the malware,” the report said. “It has an administrative panel, built directly into the malware’s binary. To launch it, we need to pass the malware the string godmode as the first command line argument (followed by a peer list).”
To avoid detection and reduce traceability, the Panchan downloads its cryptominers as memory-mapped files, without any disk presence. According to Microsoft, Memory-mapped files contain the contents of a file in virtual memory. If Panchan detects any process monitoring, it kills the cryptominer processes.
Similar attacks increasing
“The most common vertical among monitored victims was education. This might be due to poor password hygiene, or it could be related to the malware’s unique lateral movement capability with stolen SSH keys. Researchers in different academic institutions might collaborate more frequently than employees in the business sector, and require credentials to authenticate to machines that are outside of their organization/network,” Kupchik said.
Botnet DDoS attacks are on the rise and becoming hard to stop, according to a new report from Nokia.
Content delivery network and business services provider Cloudflare announced Tuesday it recently stopped the largest HTTPS DDoS attack on record. The attack generated more than 212 million HTTPS requests from over 1,500 networks in 121 countries coming from a botnet of 5,067 devices. At its peak, the bots generated over 26 million requests per second.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
Panchan easy to stop
Even though it is using unique methods to infect and spread, Panchan is easy to stop, said Akamai. Multi-factor authentication can mitigate the risk SSH key harvesting presents. Because Panchan relies on a very basic list of default passwords to spread, using strong SSH passwords “should stop it in its tracks,” the report said.
According to Kupchik, “Segmentation and access control can help mitigate the SSH key harvesting risk, and MFA can help as well.”
Akamai also recommends users:
- Use network segmentation where possible.
- Monitor VMs resource activity for signs of botnet activity. Botnets such as Panchan, whose end goal is cryptojacking, can raise machine resource usage to abnormal levels. Constant monitoring can alert on suspicious activity.
Akamai also has published IoCs, queries, signatures and scripts that can be used to test for infection.