Panchan Peer-To-Peer Botnet Discovered By Researchers

Akamai security researchers have released discovery on Panchan, a new peer-to-peer botnet and SSH worm that emerged in March and has been actively breaching Linux servers since. Panchan, written in Golang, utilizes its built-in concurrency features to maximize spreadability and execute malware modules. The malware also harvests SSH keys to perform lateral movement. That feature is pretty novel. You can read the full report on this botnet here. But Rob Shaughnessy, VP, Federal for GRIMM had this to say:

“Technologically, the recently disclosed Panchan botnet one has one potentially novel feature: harvesting SSH keys locally to facilitate lateral movement in the victim network. This method can increase lateral movement speed and help the botnet spread across connected organizations. The innovative use of harvested credentials helps explain why current victims of Panchan are mainly education institutions and show fairly significant geographic clustering. Research and educational institutions have traditionally favored collaboration and openness over strict security more than industry. Although botnets such as Panchan can be used for many functions, including highly malicious ones, Panchan is currently used for cryptocurrency mining. Using botnets is a way to effectively reduce or remove the most costly part of any cryptomining organization, providing an essentially free cloud computing infrastructure. With the recent collapse of cryptocurrency value globally, we will likely see increased utilization of botnets and similar malware for this purpose. For cyber defenders, this will substantially increase the network noise level and provide additional opportunities for more malicious code to insert itself using lower risk events, like Panchan, as cover.”

Clearly this botnet has a bunch of tricks up its sleeve. Which means that sysadmins and security professionals need to be on the look out for it as it is likely to pop up in a lot of places.

Leave a Reply

%d bloggers like this: