This Linux botnet has found a novel way of spreading to new devices

Posted by aum
    Panchan malware is spreading across networks via Linux servers to mine cryptocurrency.


    Linux users need to watch out for a new peer-to-peer (P2P) botnet that spreads between networks using stolen SSH keys and runs its crypto-mining malware in a device's memory.


    The Panchan P2P botnet was discovered by researchers at Akamai in March and the company is now warning it could be taking advantage of collaboration between academic institutions to spread by causing previously stolen SSH authentication keys to be shared across networks.


    But rather than stealing intellectual property from these educational institutions, the Panchan botnet is using their Linux servers to mine cryptocurrency, according to Akamai.


    Using other people's hardware to mine cryptocurrency might not be as lucrative as it once was due to the crypto crash currently underway, but Panchan's mining rig costs nothing for the troublemakers who use it.


    Panchan is a cryptojacker that was written in the Go programming language. Cryptojackers abuse others' compute power to mine cryptocurrency.


    Panchan's P2P protocol communicates in plaintext over TCP but can evade monitoring, according to Akamai. The malware features a "godmode" admin panel, protected with a private key, for remotely controlling and distributing mining configurations.


    "The admin panel is written in Japanese, which hints at the creator's geolocation," notes Akamai's Steve Kupchik.


    "The botnet introduces a unique (and possibly novel) approach to lateral movement by harvesting SSH keys. Instead of just using brute force or dictionary attacks on randomized IP addresses like most botnets do, the malware also reads the id_rsa and known_hosts files to harvest existing credentials and use them to move laterally across the network."


    Panchan's authors are apparently fans of the Go programming language, which was created by Google engineers in 2007. Whoever wrote Panchan compiled the malware using Go version 1.18, which Google released in March.


    As for the P2P network, Akamai found 209 peers, but only 40 of them were active, and those were mostly located in Asia.


    Why is education more impacted by Panchan?


    Akamai guesses this could be because of poor password hygiene, or because the malware moves across networks with stolen SSH keys.


    "Researchers in different academic institutions might collaborate more frequently than employees in the business sector, and require credentials to authenticate to machines that are outside of their organization/network. Strengthening that hypothesis, we saw that some of the universities involved were from the same country (e.g., Spain) and others were from the same region (e.g., Taiwan and Hong Kong)," notes Kupchik.


    The malware's worm features rely on SSH credentials that are acquired by seeking out existing SSH keys or by trying easy-to-guess or default credentials.
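The two files named above, id_rsa and known_hosts, are what a defender should check first. The following audit script is an added example, not code from the article or from Akamai's report; it assumes a POSIX sh with grep, sed, awk, tr and base64 available, and takes a directory in ~/.ssh layout as input. It flags private keys stored without a passphrase and known_hosts entries whose peer addresses are readable, the two conditions that make the harvesting described above pay off.

```shell
#!/bin/sh
# Added example, not from the article or Akamai: audit a ~/.ssh-style
# directory for what the text says Panchan reads, an unencrypted private
# key and a known_hosts file listing peers in the clear.

# Print the cipher protecting a private key. PEM keys carry a
# "Proc-Type: 4,ENCRYPTED" header when passphrase-protected; the "OPENSSH
# PRIVATE KEY" container stores the cipher name as the first string after
# its "openssh-key-v1" magic, and "none" means unencrypted.
key_cipher() {
    if grep -q 'OPENSSH PRIVATE KEY' "$1"; then
        sed '/^-----/d' "$1" | base64 -d 2>/dev/null \
            | tr -c '[:print:]' '\n' | sed '1d' | awk 'NF { print; exit }'
    elif grep -q 'ENCRYPTED' "$1"; then
        echo pem-encrypted
    else
        echo none
    fi
}

# Succeed when the key is stored in the clear (reusable by any reader).
key_is_plaintext() {
    [ "$(key_cipher "$1")" = none ]
}

# Count known_hosts entries whose hostname is readable. Entries written
# with "HashKnownHosts yes" start with "|1|" and reveal no peer address.
unhashed_known_hosts() {
    grep -v '^[[:space:]]*#' "$1" | grep -c -v -e '^|1|' -e '^[[:space:]]*$'
}

# Print one FINDING line per issue and return the number of findings.
audit_ssh_dir() {
    dir=$1 findings=0
    for key in "$dir"/id_*; do
        case $key in *.pub) continue ;; esac
        [ -f "$key" ] || continue
        if key_is_plaintext "$key"; then
            echo "FINDING: $key is not passphrase-protected (cipher: none)"
            findings=$((findings + 1))
        fi
    done
    if [ -f "$dir/known_hosts" ]; then
        n=$(unhashed_known_hosts "$dir/known_hosts")
        if [ "$n" -gt 0 ]; then
            echo "FINDING: $dir/known_hosts exposes $n peer(s); set HashKnownHosts yes"
            findings=$((findings + 1))
        fi
    fi
    return "$findings"
}
```

Run it as `audit_ssh_dir /home/alice/.ssh` for each user on a host; a non-zero return value means at least one artifact a key-harvesting worm could reuse is present.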


    Source

