Akamai Warns Of "Panchan" Linux Botnet That Leverages Golang Concurrency, Systemd
Akamai Security Research today is lifting the public embargo on "Panchan", a new peer-to-peer botnet they are warning customers about that has been breaching Linux servers since March.
Panchan is a Linux botnet written in the Go programming language; it uses Go's concurrency to speed up both spreading and executing its malware modules. Panchan also relies on memory-mapped files to avoid detection via on-disk presence, and reportedly stops its crypto-mining processes when it detects process monitoring. Besides crypto-mining, there is also a "god mode" baked into this malware.
Panchan also achieves persistence by copying itself to /bin/systemd-worker and creating a systemd service so that it appears to be a legitimate systemd component. Looking for "systemd-worker" is one of the ways to detect the possible presence of this Linux botnet on your system.
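One way to check a host, or a mounted disk image, for the two persistence artifacts just described (the /bin/systemd-worker copy and a unit file that points at it). This is an added example written for this article, not Akamai's tooling; the function names, the optional root-prefix argument and the constructed demo tree are assumptions.

```sh
#!/bin/sh
# Added example: look for the Panchan persistence artifacts named in the
# report. ROOT is an optional prefix so a mounted image or a test tree can
# be scanned instead of the live system. The last line printed is the hit count.
panchan_persistence_check() {
    root="${1:-}"
    hits=0
    # 1. The path the malware copies itself to.
    if [ -e "$root/bin/systemd-worker" ]; then
        echo "HIT: $root/bin/systemd-worker exists"
        hits=$((hits + 1))
    fi
    # 2. Any systemd service unit that references the fake worker.
    for dir in /etc/systemd/system /usr/lib/systemd/system /lib/systemd/system /run/systemd/system; do
        [ -d "$root$dir" ] || continue
        for unit in "$root$dir"/*.service; do
            [ -f "$unit" ] || continue          # glob matched nothing
            if grep -q 'systemd-worker' "$unit"; then
                echo "HIT: $unit references systemd-worker"
                hits=$((hits + 1))
            fi
        done
    done
    # 3. On the live system only: a running process using that name.
    if [ -z "$root" ] && command -v pgrep >/dev/null 2>&1 \
        && pgrep -x systemd-worker >/dev/null 2>&1; then
        echo "HIT: a systemd-worker process is running"
        hits=$((hits + 1))
    fi
    echo "$hits"
}

# Constructed demo tree (assumption, not a real sample): a fake root that
# carries both artifacts, used to exercise the check offline.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/etc/systemd/system"
    : > "$d/bin/systemd-worker"
    printf '[Service]\nExecStart=/bin/systemd-worker\n' \
        > "$d/etc/systemd/system/systemd-worker.service"
    echo "$d"
}

case "${1:-}" in
    --demo) demo=$(make_demo_tree); panchan_persistence_check "$demo"; rm -rf "$demo" ;;
    --scan) panchan_persistence_check "${2:-}" ;;
esac
```

Run with `--demo` to see two hits against the constructed tree, or `--scan` (optionally followed by a mount point) to check a real root; a hit is a lead to confirm against the full indicators in Akamai's write-up, not a verdict on its own.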
Panchan performs SSH dictionary attacks and harvests SSH keys for lateral movement within networks. Akamai's security researchers noted that its SSH key harvesting technique is rather novel for malware. Most victims of this Linux botnet are located in Asia, followed by Europe, with university and education networks particularly affected.
Akamai believes this Linux botnet may be of Japanese origin.
More details on this Panchan botnet via the Akamai blog.