UPDATED 09:00 EDT / JUNE 15 2022

‘Panchan’ P2P botnet and SSH worm actively breaching Linux servers

Researchers at Akamai Technologies Inc. today said they have discovered a new peer-to-peer botnet and SSH worm that has been actively breaching Linux servers.

Dubbed “Panchan,” the botnet and SSH worm was first spotted in March and is written in the Golang programming language. Panchan uses the language’s built-in concurrency features to maximize its spread and to execute malware modules on targeted systems.

In addition to the “basic” SSH dictionary attack that is commonplace in most worms, Panchan also harvests SSH keys to perform lateral movement. The botnet also features a “god mode,” in which an administration panel is baked directly into the malware. A specific key is required to access the panel, but Akamai’s researchers were able to reverse-engineer the malware to override that requirement and analyze the infection scope of the malware.

Panchan is designed to avoid detection and reduce traceability. It does so by dropping crypto miners as memory-mapped files without any disk presence. If Panchan detects any process monitoring, it kills the crypto miner processes.

The primary victims of Panchan so far have been telecommunications companies and the education sector. These sectors are believed to be targeted because SSH harvesting relies on simple passwords to succeed. With education, the researchers note that different academic institutions may share SSH keys across networks, making them easier to obtain.

Typically, with a botnet and related SSH worm such as Panchan, a country such as China, Russia, North Korea or Iran would be the key suspect, but not in this case. Instead, the threat actor is believed to be Japanese, based on the malware’s activity and victim geolocation, the admin panel language and the threat actor’s Discord user activity.

The researchers do not believe there is an organization behind the malware. Asia tops the list of Panchan targets, leading to the belief that it may be easier for the threat actor to stick to countries that are close and familiar.

To protect against Panchan, it’s recommended that secure and complex passwords be used, since the malware uses a limited set of default username and password combinations. Multifactor authentication should be used where possible to prevent unauthorized logins. Organizations should also monitor their virtual machines for resource activity, as botnets like these can raise machine resource usage to abnormal levels.
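As a complement to resource monitoring, the following added example (not code from Akamai or from the original article) shows one way a defender could look for miners running without any disk presence, as described above. It assumes standard Linux behavior: a process executed from an anonymous in-memory file has a `/proc/<pid>/exe` link starting with `/memfd:`, and one whose binary was unlinked has a link ending in ` (deleted)`. The function and field names are hypothetical.

```python
#!/usr/bin/env python3
"""Added example: list processes whose executable has no file on disk."""
import os
import sys


def classify_exe(target):
    """Return a reason if a /proc/<pid>/exe target looks fileless, else None."""
    if target.startswith("/memfd:"):
        return "memfd-backed executable"
    if target.startswith(("/dev/shm/", "/run/shm/")):
        return "executable in shared-memory tmpfs"
    if target.endswith(" (deleted)"):
        return "executable deleted from disk"
    return None


def scan_proc(proc_root="/proc"):
    """Return (pid, exe_target, reason, cmdline) for each suspicious process."""
    findings = []
    pids = sorted(int(e) for e in os.listdir(proc_root) if e.isdigit())
    for pid in pids:
        pid_dir = os.path.join(proc_root, str(pid))
        try:
            target = os.readlink(os.path.join(pid_dir, "exe"))
        except OSError:
            continue  # kernel thread, exited process, or no permission
        reason = classify_exe(target)
        if reason is None:
            continue
        try:
            with open(os.path.join(pid_dir, "cmdline"), "rb") as fh:
                raw = fh.read()
        except OSError:
            raw = b""
        # cmdline arguments are NUL-separated; join them for display.
        cmdline = raw.replace(b"\0", b" ").decode(errors="replace").strip()
        findings.append((pid, target, reason, cmdline))
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/proc"
    for pid, target, reason, cmdline in scan_proc(root):
        print(f"{pid}\t{reason}\t{target}\t{cmdline}")
```

Run it as root so every process's `exe` link is readable. A deleted executable also appears after a routine package upgrade, so treat hits as leads to correlate with CPU usage rather than as verdicts.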

Image: Tom-b/Wikimedia Commons
