Akamai Warns Of "Panchan" Linux Botnet That Leverages Golang Concurrency, Systemd

Written by Michael Larabel in Linux Security on 15 June 2022 at 09:22 AM EDT. 21 Comments
LINUX SECURITY
Akamai Security Research today is lifting the public embargo on "Panchan", a new peer-to-peer botnet they are warning customers about that has been breaching Linux servers since March.

Panchan is a Linux botnet that is written in the Go programming language and leverages Golang's concurrency for maximizing its effectiveness of spreading and executing malware modules. Panchan additionally relies on memory-mapped files to avoid detection via on-disk presence while also reportedly stopping its crypto-mining processes when detecting process monitoring. While this botnet performs crypto-mining, there is also a "god mode" baked into this malware as well.

Panchan is also made persistent by copying itself to /bin/systemd-worker and creating a systemd service to try to appear as a legitimate systemd service. Looking for "systemd-worker" is one of the ways to detect the possible presence of this Linux botnet on your system.


Akamai believes this Linux botnet may be of Japanese origin.


Panchan performs SSH dictionary attacks as well as harvesting SSH keys for lateral movement on networks. Akamai security researchers noted its SSH key harvesting technique is rather novel for malware. Most victims of this Linux botnet are located in Asia followed by Europe with particular exploitation of university/education networks.

More details on this Panchan botnet via the Akamai blog.
21 Comments
Related News
Linux BHI Mitigation Being Tweaked Following 12% Database Performance Hit
Linux 6.9-rc4 To Bring New Fixes For x86 Speculation Mitigations
Linux Kernel Patched For Branch History Injection "BHI" Intel CPU Vulnerability
GitHub Disables The XZ Repository Following Today's Malicious Disclosure
XZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access
Linux 6.9 Sees Further Security Hardening
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
Rust-Written LAVD Kernel Scheduler Shows Promising Results For Linux Gaming
Linus Torvalds Injects Tabs To Thwart Kconfig Parsers Not Correctly Handling Them
Former Nouveau Lead Developer Joins NVIDIA, Continues Working On Open-Source Driver
Fedora Linux 40 Cleared For Release Next Week
Mozilla Finally Begins Offering Firefox ARM64 Linux Binaries
Ubuntu 24.04 Supports Easy Installation Of OpenZFS Root File-System With Encryption
openSUSE Factory Achieves Bit-By-Bit Reproducible Builds
Linux 6.10 Preps A Kernel Panic Screen - Sort Of A "Blue Screen of Death"