New Panchan botnet infects Linux servers with miners

Computer security experts at Akamai reported the discovery of a new botnet that attacks vulnerable SSH servers and distributes mining malware.

In their report, the analysts write that the new botnet behaves like an SSH worm: it infects machines over an SSH connection, guessing passwords with a dictionary and a key-substitution technique. After gaining access, the malware drops cryptocurrency miners and tries to hide its activity as much as possible; for example, it monitors running processes and, when it senses danger, disables the mining module.

The botnet was discovered “in the wild” in March 2022. It is written in Go (Golang), a language flexible enough to make it easier to infect a range of computer architectures and Linux distributions.

After gaining SSH access to a server, the malware creates a hidden folder and places a copy of itself there under the name “xinetd”. It then contacts a dedicated Discord server with an HTTPS POST request, which lets the operators who built the malware track infections. The malware then copies itself to “/bin/system-worker” and registers itself as a new systemd service so that it runs at startup.

Interestingly, communication between the bots and the command-and-control server is not encrypted and passes over TCP port 1919; the malware receives the miner configuration and other settings through this port. Because mining is done with NiceHash software, Akamai's specialists were unable to assess the transactions or the scale of the botnet.
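The persistence and C2 traits described in the two paragraphs above (the hidden “xinetd” copy, the “/bin/system-worker” systemd service and the plaintext TCP port 1919 channel) are easy to check for on a host. The following triage script is an added example, not code from the article or from Akamai's report; the indicators come from the article, while the sample unit file, file paths and `ss -tn` output are constructed.

```python
DROPPED_BINARY = "/bin/system-worker"   # path the article says the malware copies itself to
HIDDEN_NAME = "xinetd"                  # filename used for the copy in the hidden folder
C2_PORT = 1919                          # plaintext C2 port named in the article


def scan_systemd_unit(unit_text: str) -> list[str]:
    """Flag Exec* directives of a systemd unit that launch the dropped binary."""
    hits = []
    for line in unit_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().startswith("Exec") and DROPPED_BINARY in value:
            hits.append(f"unit launches {DROPPED_BINARY}: {line.strip()}")
    return hits


def scan_paths(paths: list[str]) -> list[str]:
    """Flag a file named 'xinetd' stored under a hidden (dot-prefixed) directory.
    The legitimate xinetd binary lives in a normal system directory and is not flagged."""
    hits = []
    for p in paths:
        parts = p.strip("/").split("/")
        if parts[-1] == HIDDEN_NAME and any(d.startswith(".") for d in parts[:-1]):
            hits.append(f"hidden copy of {HIDDEN_NAME}: {p}")
    return hits


def scan_ss_output(ss_text: str) -> list[str]:
    """Flag TCP connections in `ss -tn` output whose peer port is the C2 port."""
    hits = []
    for line in ss_text.splitlines()[1:]:        # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        peer = fields[4]                         # "Peer Address:Port" column
        _host, sep, port = peer.rpartition(":")  # rpartition also handles [IPv6]:port
        if sep and port.isdigit() and int(port) == C2_PORT:
            hits.append(f"connection to C2 port {C2_PORT}: {fields[0]} {peer}")
    return hits


# Constructed sample data so the script runs stand-alone (not real captures).
SAMPLE_UNIT = "[Service]\nExecStart=/bin/system-worker\n[Install]\nWantedBy=multi-user.target\n"
SAMPLE_PATHS = ["/usr/sbin/xinetd", "/root/.cache/xinetd", "/home/dev/.x/xinetd"]
SAMPLE_SS = ("State Recv-Q Send-Q Local Address:Port Peer Address:Port\n"
             "ESTAB 0 0 10.0.0.5:43122 203.0.113.9:1919\n"
             "ESTAB 0 0 10.0.0.5:51000 203.0.113.10:443\n")

if __name__ == "__main__":
    for hit in scan_systemd_unit(SAMPLE_UNIT) + scan_paths(SAMPLE_PATHS) + scan_ss_output(SAMPLE_SS):
        print(hit)
```

On a live host, feed the functions the contents of unit files under /etc/systemd/system, a file listing from `find`, and the output of `ss -tn`.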

Most of the infected networks belong to educational institutions in the United States, while certain signs suggest that the botnet originates in Japan.

Recently, Microsoft described viruses and Cryware attack methods that steal assets from hot cryptocurrency wallets.

Source: Bits
