Researchers from Nozomi Networks Labs have detailed an unusual malware family, detected by their honeypots, that replaces the existing SSH server on the infected machine with its own implementation. Unlike the typical Mirai clones, the malware is built on a distinct Go codebase. Further research showed that the sample belongs to the P2P botnet Panchan, first identified and analyzed by Akamai in 2022. Panchan remains active in 2024, and its codebase has evolved to incorporate new features.
“Upon execution, Panchan stores a copy of itself to /bin/systemd-worker and additionally establishes a ‘systemd’ service stored in /lib/systemd/system/systemd-worker[dot]service, ensuring its persistence even after system reboots,” the researchers outlined in their latest blog post. “The PID is stored into /tmp/[dot]jpecggmkwmcssjj. Moreover, the system service configurations include LimitNOFILE, controlling the maximum number of files the service can concurrently open, thus preventing resource exhaustion. Similarly, LimitNPROC governs the maximum number of processes the service can create, thereby safeguarding system stability by curtailing excessive resource consumption.”
They added that two additional ELF binaries are embedded in the Panchan sample as base64-encoded strings: XMRig, a CPU/GPU miner supporting the RandomX, KawPow, CryptoNight, and GhostRider algorithms, and NBMiner, a GPU miner supporting ethash, etchash, and others.
Each miner is deployed by decoding its embedded base64 string, calling the memfd_create system call to obtain a file descriptor for an anonymous file that exists only in memory, and writing the decoded ELF to that descriptor, so the miner binary never appears as a regular file in the filesystem.
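The memfd pattern leaves a recognisable trace: when a process is executed from a memfd_create descriptor (the usual purpose of writing an ELF there; the post describes the write, not the exec step, so treat that as an assumption), the kernel reports its /proc/<pid>/exe link as "/memfd:<name> (deleted)". The triage helper below is an added example, not Nozomi's or Panchan's code; it walks a /proc-style tree, flags memfd-backed and unlinked executables, and also flags the /bin/systemd-worker dropper path quoted above. The directory root is a parameter so the scan can be exercised on a constructed tree.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Finding is one suspicious process: its PID, the raw exe link target, and why it was flagged.
type Finding struct {
	PID    int
	Target string
	Reason string
}

// ClassifyExeTarget returns why an exe link target is suspicious, or "" if it is not.
// Targets are raw readlink() results, so the kernel's " (deleted)" suffix is preserved.
func ClassifyExeTarget(target string) string {
	switch {
	case strings.HasPrefix(target, "/memfd:"):
		return "executes from an anonymous memfd_create file"
	case strings.HasSuffix(target, "/systemd-worker"): // /bin or /usr/bin on merged-usr systems
		return "matches the Panchan dropper path reported by Nozomi"
	case strings.HasSuffix(target, " (deleted)"):
		return "executable was unlinked after exec"
	}
	return ""
}

// ScanProc classifies the exe link of every numeric entry under procRoot (normally /proc).
// Processes we cannot read (other users' processes without root, kernel threads, or ones
// that exited mid-scan) are skipped silently.
func ScanProc(procRoot string) ([]Finding, error) {
	entries, err := os.ReadDir(procRoot)
	if err != nil {
		return nil, err
	}
	var out []Finding
	for _, e := range entries {
		pid, err := strconv.Atoi(e.Name())
		if err != nil {
			continue // not a process directory
		}
		target, err := os.Readlink(procRoot + "/" + e.Name() + "/exe")
		if err != nil {
			continue
		}
		if why := ClassifyExeTarget(target); why != "" {
			out = append(out, Finding{PID: pid, Target: target, Reason: why})
		}
	}
	return out, nil
}

func main() {
	findings, err := ScanProc("/proc")
	if err != nil {
		fmt.Println("scan failed:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("pid %d exe=%q: %s\n", f.PID, f.Target, f.Reason)
	}
	if len(findings) == 0 {
		fmt.Println("no memfd-backed, unlinked, or systemd-worker executables found")
	}
}
```

Run it as root to see every process. The "/memfd:" hits are the strong signal; plain "(deleted)" hits also occur after a package upgrade replaces a running binary, so they need a second look rather than an automatic verdict.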
The researchers' current count of infections by continent is one in Africa, 14 in South/North America, 45 in Asia, and 37 in Europe.
Nozomi noted that devices infected with Panchan can be found by searching platforms like Shodan for SSH servers that present the Go banner (the default identification string of Go's SSH library). “While not all servers with this banner are legitimate Panchan infections, Panchan-infected systems expose a service on port 1919 for the P2P functionality. Clients connecting to this service receive a Panchan banner along with a random selection of other P2P nodes. Using an initial dataset of Go-based SSH servers, ruling out those that do not run a service on port 1919 with the expected Panchan banner and by querying infected nodes it is possible to accurately compute the botnet’s size.”
Panchan's P2P protocol lets infected hosts exchange peer lists. Each compromised system acts as a server for this functionality on port 1919; a connecting client receives a banner followed by a randomly selected set of Panchan peers known to that system, if it has any.
The protocol supports a sharepeer [ip] command used to exchange infected peers between hosts. With it, an infected machine learns about other infected machines it may not yet know of. On receiving the command, Panchan attempts to connect to port 1919 on the given IP address.
It also supports a sharerigconfig [config] command used to exchange configurations for the mining software. The configuration is sent as base64-encoded JSON. It is signed so that only configurations originating from the botnet's operator are accepted: a signature field holding an RSA PKCS #1 v1.5 signature is verified with the VerifyPKCS1v15 function from Go's crypto/rsa package against a public key embedded in the binary.
Finally, the protocol supports a shareupdateinfo [info] command used to exchange information for updating the dropper. The information is sent as base64-encoded JSON and signed in the same way as sharerigconfig, confirming the origin of the download URL and the other fields sent by the peer.
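The following is an added example, written here to model the three commands described above; it is not Panchan's code and not taken from the Nozomi post. It shows why the signature matters: any peer can relay a sharerigconfig or shareupdateinfo message, so the only thing that distinguishes the operator's configuration from a rogue peer's is the PKCS #1 v1.5 check against the embedded public key. Details the post does not give and which are therefore assumptions: the JSON envelope layout (a "payload" and a "signature" field), SHA-256 as the digest inside the signature, and the sample configuration values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net"
	"strings"
)

// Envelope is the assumed JSON carried inside the base64 argument: the signed payload plus
// an RSA PKCS#1 v1.5 signature (encoding/json base64-encodes the []byte field itself).
type Envelope struct {
	Payload   json.RawMessage `json:"payload"`
	Signature []byte          `json:"signature"`
}

// GenerateKey makes a 2048-bit RSA key pair; a real bot embeds only the public half.
func GenerateKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Encode builds "<cmd> <base64 JSON>" as the operator would. The payload is canonicalised
// first so the signature covers exactly the bytes encoding/json will put on the wire.
func Encode(cmd string, priv *rsa.PrivateKey, payload []byte) (string, error) {
	canon, err := json.Marshal(json.RawMessage(payload))
	if err != nil {
		return "", err
	}
	h := sha256.Sum256(canon) // SHA-256 as the digest is an assumption
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	env, err := json.Marshal(Envelope{Payload: canon, Signature: sig})
	if err != nil {
		return "", err
	}
	return cmd + " " + base64.StdEncoding.EncodeToString(env), nil
}

// Verify is the bot-side check: any peer can relay the message, so only the
// VerifyPKCS1v15 result against the embedded operator key decides whether to trust it.
func Verify(pub *rsa.PublicKey, arg string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(arg)
	if err != nil {
		return nil, fmt.Errorf("bad base64: %w", err)
	}
	var env Envelope
	if err := json.Unmarshal(raw, &env); err != nil {
		return nil, fmt.Errorf("bad JSON: %w", err)
	}
	h := sha256.Sum256(env.Payload)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], env.Signature); err != nil {
		return nil, fmt.Errorf("forged or unsigned payload: %w", err)
	}
	return env.Payload, nil
}

// Node is one infected host: operator key, learned peers, last verified payload per command.
type Node struct {
	OperatorKey *rsa.PublicKey
	Peers       map[string]bool
	Accepted    map[string][]byte
}

func NewNode(pub *rsa.PublicKey) *Node {
	return &Node{OperatorKey: pub, Peers: map[string]bool{}, Accepted: map[string][]byte{}}
}

// Handle processes one line received on the port-1919 service. sharepeer is unsigned and
// only records an address (the bot would then try port 1919 there); the other two commands
// change state only after Verify succeeds.
func (n *Node) Handle(line string) error {
	cmd, arg, _ := strings.Cut(strings.TrimSpace(line), " ")
	switch cmd {
	case "sharepeer":
		if net.ParseIP(arg) == nil {
			return fmt.Errorf("sharepeer: %q is not an IP address", arg)
		}
		n.Peers[arg] = true
	case "sharerigconfig", "shareupdateinfo":
		p, err := Verify(n.OperatorKey, arg)
		if err != nil {
			return fmt.Errorf("%s: %w", cmd, err)
		}
		n.Accepted[cmd] = p
	default:
		return fmt.Errorf("unknown command %q", cmd)
	}
	return nil
}

func main() {
	operator, _ := GenerateKey()
	rogue, _ := GenerateKey() // a peer without the operator's private key
	n := NewNode(&operator.PublicKey)
	cfg := []byte(`{"pool":"pool.example:3333","threads":4}`) // constructed sample config
	good, _ := Encode("sharerigconfig", operator, cfg)
	bad, _ := Encode("sharerigconfig", rogue, cfg)
	fmt.Println("operator-signed:", n.Handle(good)) // <nil>
	fmt.Println("rogue-signed:", n.Handle(bad))     // wraps crypto/rsa: verification error
	fmt.Println("sharepeer:", n.Handle("sharepeer 203.0.113.7"), n.Peers)
}
```

The canonicalisation step in Encode is the easy thing to get wrong when building or re-implementing such a check: the signature must be computed over exactly the bytes the receiver will hash, so the sender serialises the payload the same way the envelope will carry it before signing.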
“While older versions of Panchan exposed an admin panel when provided with the godmode argument, this is no longer present in the version of the sample that we analyzed,” Nozomi said. “Given that the update and mining configurations are signed and verified, and any peer can send them, it is likely that this code was taken out and implemented separately.”
In their conclusion, the Nozomi researchers said that through the deployment of these decoy systems, “we gain valuable insights into the tactics, tools, and behaviors of malicious actors in real-world scenarios. This firsthand knowledge not only helps us understand the intricacies of new malware but also enables us to develop more effective countermeasures to safeguard against future attacks.”
They added that by continually monitoring and adapting to the evolving threat landscape, “we can stay one step ahead in the ongoing battle to secure our digital infrastructure and protect against cyber threats.”
Earlier this month, Nozomi reported assessing the OT/IoT threat landscape by analyzing the latest ICS CVEs published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), alongside data from anonymized customer telemetry and IoT botnet attacks on its global honeypots. The report details the most recent vulnerabilities, attacks, and indicators of OT/IoT events observed and reported in the wild. Concurrently, it notes a shift in nation-state threats from espionage to more destructive objectives, as demonstrated by the Volt Typhoon group.

