Linux users should beware of a new peer-to-peer (P2P) botnet that spreads between networks using stolen SSH keys and runs its crypto-mining malware in a device’s memory.
The Panchan P2P botnet was discovered by Akamai researchers in March, and the company is now warning that it can exploit the way academic institutions collaborate: SSH keys that researchers use to authenticate to machines at partner institutions give the malware a ready-made path from one network to the next once it has harvested them.
But rather than steal intellectual property from these educational institutions, the Panchan botnet is using their Linux servers to mine cryptocurrency, according to Akamai.
Using other people’s hardware to mine cryptocurrency may not be as lucrative as it once was due to the ongoing crypto crash, but Panchan’s mining rig costs nothing to the troublemakers who use it.
Panchan is a cryptojacker written in the Go programming language; cryptojackers abuse other people's computing power to mine cryptocurrency.
Panchan's peers talk to each other in plaintext over TCP, yet Akamai says the malware still manages to evade detection. It also has a "godmode" administration panel, protected by a private key, through which the operator can remotely control the botnet and push mining configurations.
“The admin panel is written in Japanese, which alludes to the geolocation of the creator,” notes Akamai’s Steve Kupchik.
“The botnet introduces a unique (and possibly novel) approach to lateral movement by harvesting SSH keys. Instead of simply using brute force or dictionary attacks on random IP addresses as most botnets do, the malware also reads id_rsa and known_hosts files to harvest existing IDs and use them to move laterally on the network.”
The authors of Panchan are apparently fans of the Go programming language, which Google engineers began designing in 2007. Whoever wrote Panchan compiled the malware with Go version 1.18, which Google released in March 2022.
As for the P2P network, Akamai found 209 peers, but only 40 of them were active at the time of the report, and those were mostly located in Asia.
Why is education more impacted by Panchan?
Akamai speculates that this could be due to poor password hygiene or the malware moving around the network with stolen SSH keys.
“Researchers from different academic institutions might collaborate more frequently than employees in the corporate sector and require credentials to authenticate on machines outside their organization/network. Reinforcing this hypothesis, we saw that some of the universities involved were from the same country (e.g. Spain) and others were from the same region (e.g. Taiwan and Hong Kong),” Kupchik notes.
The worm's spread depends entirely on SSH access, which it obtains either by harvesting existing SSH keys from hosts it has already compromised or by trying guessable or default credentials.
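The harvesting step Akamai describes (reading id_rsa and known_hosts) is easy to turn around into a defender-side check: what would a harvester learn from a given ~/.ssh? The script below is an added example, not Akamai's analysis code or anything from Panchan itself. It classifies private keys as passphrase-protected or not (the legacy PEM `Proc-Type: 4,ENCRYPTED` header and the cipher-name field of the `openssh-key-v1` format), and reads known_hosts to list the hosts it names in plaintext versus entries hashed by `HashKnownHosts`, which a harvester cannot turn back into targets. The home directory, key files and known_hosts lines are constructed inline; the key blobs carry only the header fields the classifier inspects and are not real keys.

```python
"""Audit a home directory for the material an SSH-key harvester would collect.
Added example, not Akamai's or Panchan's code. All sample inputs are constructed."""
import base64
import re
import struct
import tempfile
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def private_key_is_encrypted(data: bytes):
    """True if the private key is passphrase-protected, False if not,
    None if the file is not a recognised private key."""
    text = data.decode("utf-8", errors="replace")
    if "BEGIN OPENSSH PRIVATE KEY" in text:
        # New-style format: base64 blob = magic, then length-prefixed cipher
        # name; a cipher of "none" means the key is stored without a passphrase.
        body = "".join(ln for ln in text.splitlines() if not ln.startswith("-----"))
        try:
            blob = base64.b64decode(body)
        except ValueError:
            return None
        pos = len(OPENSSH_MAGIC)
        if not blob.startswith(OPENSSH_MAGIC) or len(blob) < pos + 4:
            return None
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        return blob[pos + 4:pos + 4 + n] != b"none"
    if re.search(r"BEGIN (RSA|DSA|EC) PRIVATE KEY", text):
        # Legacy PEM format: encryption is signalled by a Proc-Type header.
        return "Proc-Type: 4,ENCRYPTED" in text
    return None


def parse_known_hosts(text: str):
    """Return (hosts named in plaintext, number of hashed entries)."""
    plain, hashed = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):            # @cert-authority / @revoked marker
            parts = line.split(None, 1)
            if len(parts) < 2:
                continue
            line = parts[1]
        hostfield = line.split()[0]
        if hostfield.startswith("|1|"):     # HashKnownHosts entry: name not recoverable
            hashed += 1
            continue
        for host in hostfield.split(","):
            m = re.match(r"^\[(.+)\]:\d+$", host)   # [host]:port form
            plain.append(m.group(1) if m else host)
    return plain, hashed


def audit_home(home: Path) -> dict:
    """Summarise what a harvester reading ~/.ssh on this host would learn."""
    report = {"unencrypted_keys": [], "encrypted_keys": [],
              "targets": [], "hashed_entries": 0}
    ssh_dir = home / ".ssh"
    if not ssh_dir.is_dir():
        return report
    for p in sorted(ssh_dir.iterdir()):
        if p.name == "known_hosts":
            plain, hashed = parse_known_hosts(p.read_text(errors="replace"))
            report["targets"] = sorted(set(plain))
            report["hashed_entries"] = hashed
        elif p.is_file() and not p.name.endswith(".pub"):
            enc = private_key_is_encrypted(p.read_bytes())
            if enc is True:
                report["encrypted_keys"].append(p.name)
            elif enc is False:
                report["unencrypted_keys"].append(p.name)
    return report


def make_sample_home(root: Path) -> Path:
    """Constructed ~/.ssh: one passphrase-less key, one encrypted key, and a
    known_hosts mixing plaintext and hashed entries. Not real key material."""
    ssh = root / ".ssh"
    ssh.mkdir(parents=True)
    blob = OPENSSH_MAGIC + struct.pack(">I", 4) + b"none" + struct.pack(">I", 4) + b"none"
    (ssh / "id_ed25519").write_bytes(b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
                                     + base64.encodebytes(blob)
                                     + b"-----END OPENSSH PRIVATE KEY-----\n")
    (ssh / "id_rsa").write_text("-----BEGIN RSA PRIVATE KEY-----\n"
                                "Proc-Type: 4,ENCRYPTED\n"
                                "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                                "Q29uc3RydWN0ZWQgZmlsbGVyLCBub3QgYSByZWFsIGtleQ==\n"
                                "-----END RSA PRIVATE KEY-----\n")
    (ssh / "id_rsa.pub").write_text("ssh-rsa AAAA... constructed\n")
    (ssh / "known_hosts").write_text(
        "# constructed sample\n"
        "login.example.edu ssh-ed25519 AAAA...\n"
        "[gw.partner.example.ac.uk]:2222,10.0.0.5 ecdsa-sha2-nistp256 AAAA...\n"
        "|1|c2FsdA==|aGFzaA== ssh-rsa AAAA...\n")
    return root


def run_demo() -> dict:
    """Build the constructed home in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_home(make_sample_home(Path(tmp)))


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run it against real home directories (`audit_home(Path("/home/alice"))`) to see which keys a worm could use without a passphrase and which partner hosts it would be handed as its next hop. The two remediations it points at are standard OpenSSH features: `ssh-keygen -p -f ~/.ssh/id_ed25519` adds a passphrase to an existing key (pair it with ssh-agent so day-to-day use stays convenient), and `ssh-keygen -H -f ~/.ssh/known_hosts` together with `HashKnownHosts yes` in ssh_config hashes the host list so it no longer doubles as a target list.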