Panchan: New Golang-based peer-to-peer Botnet attacks Linux servers


According to a report by the Akamai security research team, Panchan exploits parallelism in the victim’s system, trying to spread quickly and execute as many malicious modules as possible. The malware also collects SSH keys for lateral movement. The botnet conducts dictionary attacks and quickly captures systems using a list of standard SSH passwords.

Akamai Security Research noted that it first noticed Panchan activity on March 19, 2022. Experts attributed the attacks using the malware to Japanese hackers and stated that it was written in Golang and embedded in a binary file. According to experts, Panchan works as a cryptojacker using the victim’s devices to mine cryptocurrencies.

Panchan deploys XMRig and nbhash miners in victim systems. In order to remain unnoticed, the malware terminates the processes of cryptominers if the user is monitoring the processes. In addition, Panchan does not leave any traces on the disk, as it launches miners in the form of files tied to memory.

Of the 209 infected nodes, 40 are currently active. Most of the infected nodes are located in Asia (64), followed by Europe (52), North America (45), South America (11), Africa (1) and Oceania (1).

An interesting clue about the origin of Panchan was a blunder on the part of the attackers, who revealed a link to their Discord server. “The main chat was empty, there was only a March greeting from one of the server users,” Akamai experts say. “Most likely, other chats are available to users with special privileges on the server.”

Start a discussion …