Recently, cybersecurity researchers have identified a new Golang-based peer-to-peer (P2P) botnet, named Panchan, that has been actively targeting Linux servers within the education sector since its debut in March 2022. This malware exploits built-in concurrency features to enhance its propagation and deploy malicious modules, specifically by harvesting SSH keys to facilitate lateral movement across compromised systems.

Panchan's method of compromising systems is largely straightforward: it uses a default list of SSH passwords to run dictionary attacks against other hosts and expand its reach. Once inside, it functions primarily as a cryptojacker, covertly using the victim's computing resources to mine cryptocurrency. The botnet's activity was first observed on March 19, 2022, and investigators attribute it to a likely Japanese threat actor, based on the language used in the admin panel embedded in the malware's binary.

Distinctive among its features, Panchan can deploy two miners, XMRig and nbhash, directly into the host's memory at runtime. Instead of writing them to disk, it creates memory-mapped files, which avoids the forensic trail a dropped binary would leave and reduces the chance of detection. The researchers also noted that the malware incorporates defensive measures of its own: it terminates its cryptominer processes when it detects an active monitoring process, which contributes significantly to its stealth.
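A defender-side check for the in-memory technique described above, added here as an example and not taken from the original article or the researchers' analysis: it walks a /proc tree and reports processes whose executable is an anonymous memfd or a file deleted after exec, which is what a miner loaded straight into memory looks like from the outside. The sample process tree (pids, names and paths) is constructed for the demonstration.

```python
import os
import tempfile

# Signs that a process image lives only in memory: /proc/<pid>/exe points at
# an anonymous memfd, or at a file that was unlinked after the exec.
MEMFD_PREFIX = "/memfd:"
DELETED_SUFFIX = " (deleted)"


def find_fileless_processes(proc_root="/proc"):
    """Return (pid, comm, exe_target) for processes whose executable is not
    backed by a file on disk. Works on the real /proc or a constructed tree."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue  # skip self, sys, net, ... (only pid directories matter)
        pid_dir = os.path.join(proc_root, entry)
        try:
            target = os.readlink(os.path.join(pid_dir, "exe"))
            with open(os.path.join(pid_dir, "comm")) as fh:
                comm = fh.read().strip()
        except OSError:
            continue  # kernel thread, process already gone, or no permission
        if target.startswith(MEMFD_PREFIX) or target.endswith(DELETED_SUFFIX):
            hits.append((int(entry), comm, target))
    return sorted(hits)


def build_sample_proc():
    """Constructed /proc lookalike: two ordinary daemons and one process whose
    executable is an anonymous memfd, the pattern an in-memory miner leaves."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    samples = {
        "1042": ("sshd", "/usr/sbin/sshd"),
        "2311": ("xmrig", "/memfd:miner (deleted)"),
        "2350": ("cron", "/usr/sbin/cron"),
    }
    for pid, (comm, exe) in samples.items():
        d = os.path.join(root, pid)
        os.makedirs(d)
        with open(os.path.join(d, "comm"), "w") as fh:
            fh.write(comm + "\n")
        os.symlink(exe, os.path.join(d, "exe"))  # dangling link, like the real thing
    os.makedirs(os.path.join(root, "self"))  # non-numeric entry, must be ignored
    return root


def demo():
    """Run the scanner over the constructed tree; returns the single memfd hit."""
    return find_fileless_processes(build_sample_proc())


if __name__ == "__main__":
    for pid, comm, exe in find_fileless_processes():  # scan the live /proc
        print(f"pid={pid} comm={comm} exe={exe}")
```

Run as root on a live host to see every process; unprivileged runs silently skip processes whose exe link cannot be read.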

As of the latest reports, 209 infected peers have been detected, 40 of them currently active. Most of the compromised systems are in Asia (64), followed by Europe (52) and North America (45); South America, Africa, and Oceania account for 11, 1, and 1 respectively. The geographical spread shows how far the botnet's reach has grown, particularly within the education sector.

A noteworthy insight into the attacker's operational security lapses came from a link in the "godmode" admin panel to a Discord server. Chat activity on that server appeared sparse, consisting of a single greeting from another member in March, which suggests that further conversation may be restricted to privileged members and so kept out of view.

The incident maps to tactics in the MITRE ATT&CK framework, including initial access through compromised credentials and lateral movement via SSH key harvesting. It highlights the critical exposure of educational institutions, particularly in securing their Linux environments against such sophisticated threats. As organizations grapple with the growing risk from threats like Panchan, a stronger focus on access controls and proactive monitoring will be essential to mitigating future incidents.
