Akamai Warns Of "Panchan" Linux Botnet That Leverages Golang Concurrency, Systemd

Written by Michael Larabel in Linux Security on 15 June 2022 at 09:22 AM EDT. 21 Comments
Akamai Security Research today is lifting the public embargo on "Panchan", a new peer-to-peer botnet they are warning customers about that has been breaching Linux servers since March.

Panchan is a Linux botnet that is written in the Go programming language and leverages Golang's concurrency for maximizing its effectiveness of spreading and executing malware modules. Panchan additionally relies on memory-mapped files to avoid detection via on-disk presence while also reportedly stopping its crypto-mining processes when detecting process monitoring. While this botnet performs crypto-mining, there is also a "god mode" baked into this malware as well.

Panchan is also made persistent by copying itself to /bin/systemd-worker and creating a systemd service to try to appear as a legitimate systemd service. Looking for "systemd-worker" is one of the ways to detect the possible presence of this Linux botnet on your system.

Akamai believes this Linux botnet may be of Japanese origin.

Panchan performs SSH dictionary attacks as well as harvesting SSH keys for lateral movement on networks. Akamai security researchers noted its SSH key harvesting technique is rather novel for malware. Most victims of this Linux botnet are located in Asia followed by Europe with particular exploitation of university/education networks.

More details on this Panchan botnet via the Akamai blog.
Related News
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week