Linux users need to be watch out of a new peer-to-peer (P2P) botnet that spreads between networks using stolen SSH keys and runs its crypto-mining malware in a device's memory.
The Panchan P2P botnet was discovered by researchers at Akamai in March and the company is now warning it could be taking advantage of collaboration between academic institutions to spread by causing previously stolen SSH authentication keys to be shared across networks.
Panchan is a cryptojacker that was written in the Go programming language. Cryptojackers abuse others' compute power to mine cryptocurrency.
Panchan's P2P protocol communicates in plaintext over TCP but can evade monitoring, according to Akamai. The malware features a "godmode" admin panel, protected with a private key, for remotely controlling and distributing mining configurations.
"The admin panel is written in Japanese, which hints at the creator's geolocation," notes Akamai's Steve Kupchik.
"The botnet introduces a unique (and possibly novel) approach to lateral movement by harvesting of SSH keys. Instead of just using brute force or dictionary attacks on randomized IP addresses like most botnets do, the malware also reads the id_rsa and known_hosts files to harvest existing credentials and use them to move laterally across the network."
Panchan's authors are apparently fans of the Go programming language, which was created by Google engineers in 2007. Whoever wrote Panchan compiled the malware using Go version 1.18, which Google released in March.
As for the P2P network, Akamai found 209 peers, but only 40 of them are currently active and they were mostly located in Asia.
And why is the education sector more impacted by Panchan? Akamai guesses this could be because of poor password hygiene, or that the malware moves across the network with stolen SSH keys.
"Researchers in different academic institutions might collaborate more frequently than employees in the business sector, and require credentials to authenticate to machines that are outside of their organization/network. Strengthening that hypothesis, we saw that some of the universities involved were from the same country (e.g.,Spain) and others were from the same region (e.g., Taiwan and Hong Kong)," notes Kupchik.
The malware's worm features rely on SSH that are acquired by seeking existing SSH keys or trying easy-to-guess or default credentials.