A peer-to-peer (P2P) botnet and worm called Panchan has been actively breaching Linux servers and harvesting Secure Shell (SSH) keys to perform lateral movement — at times brute-forcing credentials.
That's according to researchers from Akamai, who discovered the botnet in late March. Written in Golang, it parses the local SSH private keys and known_hosts files on each victim, then uses them, together with a static dictionary of default credentials, to spread itself further.
While it could use the botnet for anything, Panchan is focused on a cryptojacking endgame for now.
"It is mostly a cryptojacker, so I don't think it's that dangerous. But it is unique," Akamai researcher Stiv Kupchik says. "P2P communication is not that common in malware, and the SSH key harvesting also seems pretty novel. Also, I don't think I've ever seen a Japanese threat actor."
The malware is believed to have Japanese origins (its name is a possible reference to Panchan Rina, the Japanese kickboxer), and focuses on attacking telecommunications and education providers in Asia, Europe, and North America.
From Kupchik's perspective, education was likely a highly targeted vertical because of the SSH-key harvesting aspect of the botnet.
"I have seen some victim institutes that were in the same country, or very close geographically," he says. "I think that academic collaborations between institutes might yield a higher percentage of shared SSH keys than in other verticals, so maybe that is the reason."
Unique Botnet Features
The malware, which deploys two miners, XMRig and nbhash, has a handful of unique technical features, according to the Akamai researchers. For one, it uses NiceHash for its mining pools and wallets. Because NiceHash is a regular wallet (using certain defined Bitcoin addresses for deposits) and not a blockchain wallet, Akamai was unable to see transaction and mining details to estimate the actual revenue that Panchan has earned.
Further, to hamper traceability, the cryptominers are dropped as memory-mapped files without any disk presence, and the cryptomining can be terminated if any process monitoring is detected.
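Miners that exist only as memory-mapped files still leave a trace in the kernel's view of the process: an executable created with `memfd_create()` appears in `/proc/<pid>/maps` and `/proc/<pid>/exe` as `/memfd:<name> (deleted)`, and a binary unlinked after launch keeps a ` (deleted)` suffix. The following check walks `/proc` for such mappings. It is an added example written for this page, not Akamai's published detection script; the sample `maps` content is constructed, and the `/memfd:payload` name is invented for the fixture.

```python
"""Detection check: find processes whose executable code has no file on disk.

Added example (not Akamai's script). Executable mappings whose path begins
with "/memfd:" or ends with " (deleted)" are reported per pid. Legitimate
runtimes (JIT engines, some sandboxes) also use memfd, so each hit is a lead
for triage, not an automatic verdict.
"""
import os
import re
from typing import Dict, List

# Layout of a /proc/<pid>/maps line: address perms offset dev inode [pathname]
MAPS_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*(.*)$")

# Constructed sample of a maps file; the /memfd: and /tmp entries are invented.
SAMPLE_MAPS = """\
55d1c3a00000-55d1c3a21000 r-xp 00000000 08:01 1311                       /usr/bin/bash
7f3a1c000000-7f3a1c3a0000 r-xp 00000000 00:05 4242                       /memfd:payload (deleted)
7f3a1d000000-7f3a1d010000 rw-p 00000000 00:00 0
7f3a1e000000-7f3a1e400000 r-xp 00000000 08:01 9001                       /tmp/.x (deleted)
7f3a1f000000-7f3a1f010000 r--p 00000000 08:01 1312                       /usr/lib/locale/C.utf8/LC_CTYPE
7f3a20000000-7f3a20100000 r-xp 00000000 00:05 4243                       /memfd:payload (deleted)
"""


def suspicious_mappings(maps_text: str) -> List[str]:
    """Return the distinct executable mappings that have no backing file on disk."""
    hits: List[str] = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        perms, path = m.group(2), m.group(6).strip()
        if "x" not in perms or not path:
            continue  # only executable, file-named mappings matter here
        if (path.startswith("/memfd:") or path.endswith("(deleted)")) and path not in hits:
            hits.append(path)
    return hits


def scan_proc(proc_root: str = "/proc") -> Dict[int, List[str]]:
    """Scan every readable process; map pid -> suspicious executable mappings."""
    findings: Dict[int, List[str]] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(pid_dir, "maps"), encoding="utf-8", errors="replace") as fh:
                hits = suspicious_mappings(fh.read())
            exe = os.readlink(os.path.join(pid_dir, "exe"))
        except OSError:
            continue  # process exited, or /proc entry not readable without root
        if exe.endswith(" (deleted)") and exe not in hits:
            hits.append(exe)  # the main binary itself was unlinked after launch
        if hits:
            findings[int(entry)] = hits
    return findings


if __name__ == "__main__":
    for pid, paths in sorted(scan_proc().items()):
        print(f"pid {pid}: {', '.join(paths)}")
```

Run it as root to see every process; unprivileged runs silently skip processes whose `/proc` entries are not readable. Because the malware is described as stopping its miner when it notices process monitoring, a scan like this is most useful when scheduled from a host agent rather than run interactively in a visible shell.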
There's also a "godmode" feature baked into the malware, in the form of an admin panel that can edit the mining configuration — another unique feature of Panchan, according to the firm.
Because the malware uses a basic list of default passwords to spread, Kupchik says one of the key steps security teams can take to stop the malware in its tracks is password hardening.
"The dictionary that the malware uses to spread is extremely basic, so any non-default password should help thwart it," he explains. "Segmentation and access control can help mitigate the SSH key harvesting risk, and MFA can help as well."
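The two spreading paths described above, password guessing and SSH key harvesting, can both be audited from the host's own files. The script below, an added example rather than anything Akamai published, checks `sshd_config` for settings that leave password logins open, detects private keys stored without a passphrase by reading the cipher name from the `openssh-key-v1` envelope (or the `Proc-Type` header of legacy PEM keys), and counts `known_hosts` entries that expose hostnames in clear. It assumes OpenSSH semantics (first value of a keyword wins; `Match` blocks are not handled), and all sample inputs, including the `_fake_openssh_key` fixture, are constructed.

```python
"""Audit for the two spreading paths the article describes: default passwords
over SSH, and harvestable SSH material in home directories.
Added example, not Akamai's script. Assumes OpenSSH semantics: sshd_config
keeps the first value of a keyword (Match blocks are not handled), private
keys are in openssh-key-v1 or legacy PEM format, and hashed known_hosts
entries start with "|1|".
"""
import base64
import os
import struct
from typing import Dict, List

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _fake_openssh_key(cipher: bytes, kdf: bytes) -> str:
    """Constructed fixture: only the leading fields of an openssh-key-v1 blob.
    Not a usable key; it carries just the cipher/kdf names the auditor reads."""
    body = (OPENSSH_MAGIC
            + struct.pack(">I", len(cipher)) + cipher
            + struct.pack(">I", len(kdf)) + kdf)
    b64 = base64.b64encode(body).decode("ascii")
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


def key_is_encrypted(key_text: str) -> bool:
    """True if the private key is passphrase-protected.
    openssh-key-v1 stores the cipher name right after the magic; "none" means
    the key material is plaintext. Legacy PEM keys flag encryption with a
    "Proc-Type: 4,ENCRYPTED" header."""
    lines = key_text.strip().splitlines()
    if lines and lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        off = len(OPENSSH_MAGIC)
        (n,) = struct.unpack_from(">I", body, off)
        return body[off + 4: off + 4 + n] != b"none"
    return any(line.startswith("Proc-Type: 4,ENCRYPTED") for line in lines)


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Keyword -> value, lower-cased keywords, first occurrence wins."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def sshd_findings(text: str) -> List[str]:
    """Settings that leave the default-password path open."""
    cfg = parse_sshd_config(text)
    out: List[str] = []
    # OpenSSH defaults: PasswordAuthentication yes, PermitRootLogin prohibit-password
    if cfg.get("passwordauthentication", "yes").lower() != "no":
        out.append("PasswordAuthentication is enabled: weak or default passwords can be guessed")
    if cfg.get("permitrootlogin", "prohibit-password").lower() == "yes":
        out.append("PermitRootLogin yes: root can be targeted by password guessing")
    return out


def unhashed_known_hosts(text: str) -> int:
    """Entries that list hostnames in clear, i.e. not written with HashKnownHosts."""
    lines = [raw.strip() for raw in text.splitlines()]
    return sum(1 for line in lines
               if line and not line.startswith("#") and not line.startswith("|1|"))


def audit_ssh_dir(ssh_dir: str) -> List[str]:
    """Report plaintext keys and clear-text known_hosts in one ~/.ssh directory."""
    problems: List[str] = []
    for name in ("id_rsa", "id_ecdsa", "id_ed25519", "id_dsa"):
        path = os.path.join(ssh_dir, name)
        if os.path.isfile(path):
            with open(path, encoding="ascii", errors="replace") as fh:
                if not key_is_encrypted(fh.read()):
                    problems.append(f"{path}: private key has no passphrase")
    kh = os.path.join(ssh_dir, "known_hosts")
    if os.path.isfile(kh):
        with open(kh, encoding="utf-8", errors="replace") as fh:
            n = unhashed_known_hosts(fh.read())
        if n:
            problems.append(f"{kh}: {n} hosts readable in clear (set HashKnownHosts yes)")
    return problems


# Constructed samples, not taken from any real host.
SAMPLE_SSHD_CONFIG = "Port 22\nPermitRootLogin yes\n#PasswordAuthentication no\n"
SAMPLE_KNOWN_HOSTS = ("|1|c2FsdA==|aGFzaA== ssh-ed25519 AAAAfake\n"
                      "db01.example.internal ssh-ed25519 AAAAfake\n")
```

A passphrase on a private key and `HashKnownHosts yes` in the client config do not stop a worm that already holds a shell, but they deny it the ready-made list of hosts and the ready-to-use credentials that make key harvesting cheap; the `sshd_config` findings address the dictionary path directly.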
He adds that Akamai has published indicators of compromise, queries, signatures, and scripts that organizations can use to test for infection.
The report also recommends continuous monitoring of virtual machine resources: because botnets focused on cryptojacking can push machine resource usage to abnormal levels, such monitoring could alert security teams to suspicious activity.
"In the case of Panchan, resource usage monitoring would have also terminated the cryptomining entirely," according to the report.
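One shape such resource monitoring can take, written here as an added example rather than anything from the Akamai report, is a poller that reads the aggregate `cpu` line of `/proc/stat` and raises an alert only when the busy fraction stays above a threshold for a whole window of consecutive intervals. The window logic is kept separate from the sampler so it can be exercised on a constructed series; the threshold and window values are assumptions to tune per host.

```python
"""Resource-usage check the report recommends: alert on sustained CPU saturation.

Added example, not from the Akamai report. Samples /proc/stat on Linux; the
window logic is separate so it can be tested on constructed readings.
"""
import time
from collections import deque
from typing import Deque, Iterable, Optional, Tuple


def sustained_high_cpu(samples: Iterable[float], threshold: float, window: int) -> Optional[int]:
    """Index at which `window` consecutive samples have all reached `threshold`
    (the first point an alert should fire), or None if that never happens.
    Requiring a sustained window, not a single spike, separates a miner that
    pins every core for minutes from a compile job or backup that peaks briefly."""
    run = 0
    for i, busy in enumerate(samples):
        run = run + 1 if busy >= threshold else 0
        if run >= window:
            return i
    return None


def _read_cpu_counters() -> Tuple[int, int]:
    """(busy, total) jiffies from the aggregate 'cpu' line of /proc/stat."""
    with open("/proc/stat", encoding="ascii") as fh:
        fields = fh.readline().split()[1:]
    values = [int(v) for v in fields]
    # user nice system idle iowait irq softirq steal; guest columns are already
    # counted inside user/nice, so they are excluded from the total.
    total = sum(values[:8])
    idle = values[3] + (values[4] if len(values) > 4 else 0)
    return total - idle, total


def busy_fraction(interval: float = 1.0) -> float:
    """Share of CPU time spent busy over one sampling interval."""
    b0, t0 = _read_cpu_counters()
    time.sleep(interval)
    b1, t1 = _read_cpu_counters()
    return (b1 - b0) / max(t1 - t0, 1)


def watch(threshold: float = 0.9, window: int = 60, interval: float = 1.0) -> None:
    """Poll forever; print an alert when `window` consecutive intervals exceed `threshold`."""
    recent: Deque[float] = deque(maxlen=window)
    while True:
        recent.append(busy_fraction(interval))
        if len(recent) == window and sustained_high_cpu(recent, threshold, window) is not None:
            print(f"ALERT: CPU above {threshold:.0%} for {window * interval:.0f}s; inspect top processes")
            recent.clear()


# Constructed sample: a short spike, then a plateau of ten saturated readings.
SAMPLE_SERIES = [0.2, 0.3, 0.95, 0.4, 0.1] + [0.97] * 10 + [0.3] * 5

if __name__ == "__main__":
    watch()
```

With a 0.9 threshold and a five-sample window, the series above fires at the tenth reading (index 9), after the lone spike at index 2 has been ignored; raising the window above the plateau length suppresses the alert entirely, which is the knob to turn when legitimate batch jobs cause false positives.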