A new peer-to-peer botnet named Panchan is targeting Linux servers in the education sector to mine cryptocurrency.

Panchan, discovered in the wild in March 2022, has SSH worm functions like dictionary attacks and SSH key abuse to do rapid lateral movement to available machines within the compromised network.

Moreover, it possesses superior detection avoidance capabilities, such as using memory-mapped miners and dynamically detecting process monitoring to cease the mining module instantly.

Akamai analysts spotted the novel threat and analyzed it, deducing that the threat actor behind this new botnet is most probably Japanese.

Panchan was written in Golang, a versatile programming language that simplifies the targeting of different system architectures.

It infects new hosts by locating and using existing SSH keys or brute-forcing usernames and passwords. It then creates a hidden folder where it hides itself under the name “xinetd.”

Finally, the malware executes the binary and initiates an HTTPS POST operation to a Discord webhook, used likely to monitor the victim.

To establish persistence, the malware copies itself to “/bin/systemd-worker” and builds a new systemd service to launch after reboot while posing as a legitimate system service.

Akamai reverse-engineered the malware to map it and discovered 209 compromised systems, 40 of which are presently active.

Majority of the victims are from the education sector, as it matches Panchan’s spreading methods and expedites its rapid growth.

Poor password hygiene and excessive SSH key sharing to cater to international academic research collaborations are the ideal conditions for the botnet to spread.

To protect one’s network against these types of attacks, Akamai suggests the use of complex passwords, employing MFA on all accounts, limiting SSH access, and consistently monitoring VM resource activity.