Announcement

Collapse
No announcement yet.

Akamai Warns Of "Panchan" Linux Botnet That Leverages Golang Concurrency, Systemd

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Akamai Warns Of "Panchan" Linux Botnet That Leverages Golang Concurrency, Systemd

    Phoronix: Akamai Warns Of "Panchan" Linux Botnet That Leverages Golang Concurrency, Systemd

    Akamai Security Research today is lifting the public embargo on "Panchan", a new peer-to-peer botnet they are warning customers about that has been breaching Linux servers since March...

    https://www.phoronix.com/scan.php?pa...curity-Panchan

  • #2
    Laughs in non-systemd Linux and *BSD!

    Comment


    • #3
      What I have not understood from the article is if Panchan uses and needs systemd for its startup and management or if it just looks like a systemd module without actually being one by emulating and masquerading by using established naming and service conventions.
      Last edited by reba; 15 June 2022, 11:14 AM.

      Comment


      • #4
        I am not sure how it copies itself under /bin/systemd, that would require admin privileges.

        Unrelated, but if you squint at that map, you can see Akamai considers Crimea, Russian territory (marked with the same shade of orange, different from Ukraine).

        Comment


        • #5
          Originally posted by kylew77 View Post
          Laughs in non-systemd Linux and *BSD!
          Right, 'cause a botnet targeting e.g. runit is impossible… [/s]

          Comment


          • #6
            Originally posted by reba View Post
            What I have not understood from the article is if Panchan uses and needs systemd for its startup and management or if it just looks like a systemd module without actually being one by emulating and masquerading by using established naming and service conventions.
            From the source article:
            The malware copies itself to /bin/systemd-worker and creates a systemd service with the same name. This is probably done to mimic legitimate systemd services to reduce suspicion and avoid investigation.
            So it's not depending on systemd in any way.

            Comment


            • #7
              Originally posted by bug77 View Post
              I am not sure how it copies itself under /bin/systemd, that would require admin privileges.

              Unrelated, but if you squint at that map, you can see Akamai considers Crimea, Russian territory (marked with the same shade of orange, different from Ukraine).
              It runs brute-force attacks and attacks against SSH until it gains root access.

              reba It just names itself to look like a systemd binary or service to try to hide; like a Windows virus naming itself Explorer64.exe so you don't think much of it when you're looking at files.

              Unrelated, but a lot of places do things like that to accommodate the communist countries like Russia and China, like when software rolls out in Taiwan...I mean, Chinese Taipai

              Comment


              • #8
                Originally posted by reba View Post
                What I have not understood from the article is if Panchan uses and needs systemd for its startup and management or if it just looks like a systemd module without actually being one by emulating and masquerading by using established naming and service conventions.
                It doesn't seem to require it. It may be using the .service to launch itself, but that would work exactly the same if living as a /etc/rc.d/SXX_fake_service_name script. The mention of systemd is more clickbait than anything else.
                And, as someone mentioned, it sounds like you already have root compromised if it's able to install itself like that. It would make more sense to just use the systemd user instance instead.

                Comment


                • #9
                  Originally posted by sinepgib View Post

                  It doesn't seem to require it. It may be using the .service to launch itself, but that would work exactly the same if living as a /etc/rc.d/SXX_fake_service_name script. The mention of systemd is more clickbait than anything else.
                  And, as someone mentioned, it sounds like you already have root compromised if it's able to install itself like that. It would make more sense to just use the systemd user instance instead.
                  I just wonder why it needs root at all. Port 1919 is free to use, killing child processes should be okay, monitoring for process names too. Payload could be dropped at ~/.cache or /tmp. Any ideas?

                  Comment


                  • #10
                    Originally posted by reba View Post
                    I just wonder why it needs root at all. Port 1919 is free to use, killing child processes should be okay, monitoring for process names too. Payload could be dropped at ~/.cache or /tmp. Any ideas?
                    Because it writes the fake binary at /bin and the service at /etc/systemd/system, which are (usually) only root writable. It could certainly drop stuff at ~/.cache and IIRC it could simply rewrite the process name to pretend to be at /bin. But maybe I misrecall and that can only be done at exec time?

                    Comment

                    Working...
                    X