
This Linux botnet has found a novel way of spreading to new devices


Image: Getty/Virojt Changyencham

Linux users need to watch out for a new peer-to-peer (P2P) botnet that spreads between networks using stolen SSH keys and runs its crypto-mining malware in a device’s memory.

The Panchan P2P botnet was discovered by researchers at Akamai in March, and the company is now warning that it could be taking advantage of collaboration between academic institutions: SSH keys that researchers use to reach machines on other institutions’ networks give the malware, once it has stolen them, a ready path from one network to the next.

But rather than stealing intellectual property from these educational institutions, the Panchan botnet is using their Linux servers to mine cryptocurrency, according to Akamai.

Using other people’s hardware to mine cryptocurrency might not be as lucrative as it once was due to the crypto crash currently underway, but Panchan’s mining rig costs nothing for the troublemakers who use it.

Panchan is a cryptojacker that was written in the Go programming language. Cryptojackers abuse others’ compute power to mine cryptocurrency. 

Panchan’s P2P protocol communicates in plaintext over TCP but can evade monitoring, according to Akamai. The malware features a “godmode” admin panel, protected with a private key, for remotely controlling and distributing mining configurations.    

“The admin panel is written in Japanese, which hints at the creator’s geolocation,” notes Akamai’s Steve Kupchik. 

“The botnet introduces a unique (and possibly novel) approach to lateral movement by harvesting SSH keys. Instead of just using brute force or dictionary attacks on randomized IP addresses like most botnets do, the malware also reads the id_rsa and known_hosts files to harvest existing credentials and use them to move laterally across the network.”

Panchan’s authors are apparently fans of the Go programming language, which was created by Google engineers in 2007. Whoever wrote Panchan compiled the malware using Go version 1.18, which Google released in March 2022.

As for the P2P network, Akamai found 209 peers, but only 40 of them are currently active and they were mostly located in Asia.   

Why is the education sector more impacted by Panchan?

Akamai’s guess is that this could be down to poor password hygiene, or to the way the malware moves across networks with stolen SSH keys.

“Researchers in different academic institutions might collaborate more frequently than employees in the business sector, and require credentials to authenticate to machines that are outside of their organization/network. Strengthening that hypothesis, we saw that some of the universities involved were from the same country (e.g., Spain) and others were from the same region (e.g., Taiwan and Hong Kong),” notes Kupchik.

The malware’s worm features rely on SSH credentials that are acquired either by harvesting existing SSH keys from infected hosts or by trying easy-to-guess or default passwords.
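The harvesting path described above (reading id_rsa and known_hosts from a compromised account) suggests a simple audit a defender can run on their own hosts: how many lateral-movement targets does known_hosts hand over in plaintext, and are the private keys sitting next to it passphrase-protected? The script below is an added example written for this page; it is not Akamai’s code and nothing in it comes from the Panchan sample. The known_hosts lines and key blobs are constructed (the key blobs carry only the leading fields of the OpenSSH key format and no key material), and the hostnames are hypothetical. It also shows that OpenSSH’s hashed known_hosts form (what `HashKnownHosts yes` writes) only hides targets from an attacker who has no candidate list to test against the HMAC.

```python
"""Audit what an SSH-key-harvesting worm would find in a user's ~/.ssh directory:
plaintext targets in known_hosts and private keys without a passphrase.
Added example for this article, not code from Akamai or from the malware.
All sample inputs below are constructed."""
import base64
import hashlib
import hmac
import struct


def hash_known_host(hostname: str, salt: bytes) -> str:
    """Build OpenSSH's hashed host field: |1|b64(salt)|b64(HMAC-SHA1(salt, hostname))."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return f"|1|{base64.b64encode(salt).decode()}|{base64.b64encode(digest).decode()}"


def hashed_entry_matches(entry_host: str, candidate: str) -> bool:
    """True if a known_hosts host field refers to `candidate`.
    For hashed fields the only way to learn the host is to guess it and
    recompute the HMAC, which is exactly what hashing buys the defender."""
    if not entry_host.startswith("|1|"):
        return entry_host == candidate
    _, _, salt_b64, hash_b64 = entry_host.split("|", 3)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    digest = hmac.new(salt, candidate.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(digest, expected)


def harvestable_targets(known_hosts_text: str) -> list[str]:
    """Return the hosts a worm can read straight out of known_hosts:
    plaintext names and IPs, with comma-separated aliases split out and
    [host]:port brackets removed. Hashed fields (|1|...) are not harvestable."""
    targets = []
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):  # @cert-authority / @revoked marker precedes the host field
            line = line.split(None, 1)[1]
        host_field = line.split()[0]
        if host_field.startswith("|1|"):
            continue
        for host in host_field.split(","):
            if host.startswith("["):          # non-default port form: [host]:port
                host = host[1:host.index("]")]
            targets.append(host)
    return targets


def private_key_is_encrypted(key_text: str) -> bool:
    """Report whether a private key file is passphrase-protected.
    Legacy PEM keys carry a 'Proc-Type: 4,ENCRYPTED' header when encrypted.
    OpenSSH-format keys start with the magic 'openssh-key-v1\\0' followed by a
    length-prefixed cipher name; the name 'none' means the key is stored in the clear."""
    lines = [l.strip() for l in key_text.strip().splitlines()]
    if any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines):
        return True
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\x00"
        if not body.startswith(magic):
            raise ValueError("not an openssh-key-v1 blob")
        (cipher_len,) = struct.unpack(">I", body[len(magic):len(magic) + 4])
        cipher = body[len(magic) + 4:len(magic) + 4 + cipher_len]
        return cipher != b"none"
    return False  # legacy PEM with no Proc-Type header is stored in the clear


def _constructed_openssh_key(cipher: bytes) -> str:
    """Constructed blob with only the magic and cipher-name fields; no real key material."""
    blob = b"openssh-key-v1\x00" + struct.pack(">I", len(cipher)) + cipher
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed sample inputs (hypothetical hosts, placeholder host-key strings).
SAMPLE_SALT = b"0123456789abcdef0123"  # OpenSSH uses a 20-byte salt
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts, not a real file",
    "hpc-login.example.edu,10.20.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY",
    "[gpu-node.partner-uni.example]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLE",
    hash_known_host("archive.example.org", SAMPLE_SALT) + " ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY",
])
SAMPLE_UNENCRYPTED_KEY = _constructed_openssh_key(b"none")
SAMPLE_ENCRYPTED_KEY = _constructed_openssh_key(b"aes256-ctr")

if __name__ == "__main__":
    print("plaintext targets a worm could read:", harvestable_targets(SAMPLE_KNOWN_HOSTS))
    print("id_rsa (constructed, no passphrase) encrypted?", private_key_is_encrypted(SAMPLE_UNENCRYPTED_KEY))
    print("id_rsa (constructed, aes256-ctr) encrypted?", private_key_is_encrypted(SAMPLE_ENCRYPTED_KEY))
```

Two of the three sample entries leak their hostnames outright, and the hashed third one resists a harvester only until it guesses the name: `hashed_entry_matches` recovers it immediately given the right candidate, so hashing raises the cost of lateral movement rather than removing it. A key whose cipher field reads `none` is usable the moment it is copied, which is the case the worm depends on; an encrypted key still has to be brute-forced offline.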
