{"id":24065,"date":"2022-06-16T06:44:14","date_gmt":"2022-06-16T10:44:14","guid":{"rendered":"https:\/\/www.technewsday.com\/?p=24065"},"modified":"2022-06-16T06:44:14","modified_gmt":"2022-06-16T10:44:14","slug":"new-peer-to-peer-botnet-installs-linux-servers-with-cryptominers","status":"publish","type":"post","link":"https:\/\/technewsday.com\/staging\/new-peer-to-peer-botnet-installs-linux-servers-with-cryptominers\/","title":{"rendered":"New Peer-to-Peer Botnet Installs Linux Servers With Cryptominers"},"content":{"rendered":"<p data-ar-index=\"0\"><span style=\"font-weight: 400;\">A new peer-to-peer botnet named Panchan is targeting Linux servers in the education sector to mine cryptocurrency.<\/span><\/p>\n<p data-ar-index=\"2\"><span style=\"font-weight: 400;\">Panchan, discovered in the wild in March 2022, has SSH worm functions like dictionary attacks and SSH key abuse to do rapid lateral movement to available machines within the compromised network.<\/span><\/p>\n<p data-ar-index=\"4\"><span style=\"font-weight: 400;\">Moreover, it possesses superior detection avoidance capabilities, such as using memory-mapped miners and dynamically detecting process monitoring to cease the mining module instatntly.<\/span><\/p>\n<p data-ar-index=\"6\"><span style=\"font-weight: 400;\">Akamai analysts spotted the novel threat and analyzed it, deducing that the threat actor behind this new botnet is most probably Japanese.<\/span><\/p>\n<p data-ar-index=\"8\"><span style=\"font-weight: 400;\">Panchan was written in Golang, a versatile programming language that simplifies the targeting of different system architectures.<\/span><\/p>\n<p data-ar-index=\"10\"><span style=\"font-weight: 400;\">It infects new hosts by locating and using existing SSH keys or brute-forcing usernames and passwords. It then creates a hidden folder where it hides itself under the name &#8220;xinetd.&#8221;<\/span><\/p>\n<p data-ar-index=\"12\"><span style=\"font-weight: 400;\">Finally, the malware executes the binary and initiates an HTTPS POST operation to a Discord webhook, used likely to monitor the victim.<\/span><\/p>\n<p data-ar-index=\"14\"><span style=\"font-weight: 400;\">To establish persistence, the malware copies itself to &#8220;\/bin\/systemd-worker&#8221; and builds a new systemd service to launch after reboot while posing as a legitimate system service.<\/span><\/p>\n<p data-ar-index=\"16\"><span style=\"font-weight: 400;\">Akamai reverse-engineered the malware to map it and discovered 209 compromised systems, 40 of which are presently active.<\/span><\/p>\n<p data-ar-index=\"18\"><span style=\"font-weight: 400;\">Majority of the victims are from the education sector, as it matches Panchan&#8217;s spreading methods and expedites its rapid growth.<\/span><\/p>\n<p data-ar-index=\"20\"><span style=\"font-weight: 400;\">Poor password hygiene and excessive SSH key sharing to cater to international academic research collaborations are the ideal conditions for the botnet to spread.<\/span><\/p>\n<p data-ar-index=\"22\"><span style=\"font-weight: 400;\">To protect one\u2019s network against these types of attacks, Akamai suggests the use of complex passwords, employing MFA on all accounts, limiting SSH access, and consistently monitoring VM resource activity.<\/span><\/p>\n<p data-ar-index=\"23\">\n<p data-ar-index=\"24\"><span style=\"font-weight: 400;\">For more information, read the original story in Bleepingcomputer.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A new peer-to-peer botnet named Panchan is targeting Linux servers in the education sector to mine cryptocurrency. Panchan, discovered in the wild in March 2022, has SSH worm functions like dictionary attacks and SSH key abuse to do rapid lateral movement to available machines within the compromised network. Moreover, it possesses superior detection avoidance capabilities, [&hellip;]<\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[379,361,16],"tags":[],"class_list":["post-24065","post","type-post","status-publish","format-standard","hentry","category-distribution","category-privacy","category-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/24065","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/comments?post=24065"}],"version-history":[{"count":1,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/24065\/revisions"}],"predecessor-version":[{"id":24066,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/24065\/revisions\/24066"}],"wp:attachment":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media?parent=24065"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/categories?post=24065"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/tags?post=24065"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}