A new Golang-based peer-to-peer botnet targeting Linux servers


Since its emergence in March 2022, a new Golang-based peer-to-peer (P2P) botnet has been spotted actively targeting Linux servers in the education sector.

dubbed panchan by Akamai Security Research, the malware “uses its built-in concurrency features to maximize distribution and execute malware modules” and “harvest SSH keys to perform lateral movements.”

The feature-packed botnet, which relies on a basic list of standard SSH passwords to dictionary attack and increasing its reach functions primarily as a cryptojacker designed to hijack a computer’s resources to mine cryptocurrencies.

The cybersecurity and cloud services company noted that it first spotted Panchan’s activity on March 19, 2022, and attributed the malware to a likely Japanese threat actor based on the language used in the administrative panel baked into the binary to edit the mining configuration.

Panchan has been known to deploy and execute two miners, XMRig and nbhash, on the host at runtime, with the novelty of not extracting the miners to disk to avoid leaving a forensic trail.

“To avoid detection and reduce traceability, the malware drops its cryptominers as memory-mapped files, with no disk present,” the researchers said. “It also kills the cryptominer processes if it detects process monitoring.”

Of the 209 infected peers detected so far, 40 are said to be currently active. Most of the compromised machines are in Asia (64), followed by Europe (52), North America (45), South America (11), Africa (1) and Oceania (1).

An interesting clue to the origin of the malware is the result of an OPSEC error on the part of the threat actor, revealing the link to a Discord server displayed in the “godmode” admin panel.

“The main chat was empty except for a greeting from another member that took place in March,” the researchers said. “Other chats may only be available to higher privileged members of the server.”