Threat actors are constantly scanning the internet to try to access vulnerable machines by exploiting vulnerabilities or guessing weak passwords. Soon after a machine goes online, any services that it exposes will be scanned to probe for software vulnerabilities or weak authentication mechanisms. Exploited machines can serve various malicious purposes, such as cryptocurrency mining or being used to launch DDoS attacks. Nozomi Networks Labs deploys a network of honeypots that deliberately host vulnerable machines to observe attackers' behaviors when they are targeted. This strategy enables us to gain insight into what evolving techniques and tools attackers use, as well as analyze emerging malware families.
Recently, our interest was piqued by a malware family caught by our honeypots – the malware replaced the existing SSH server of the machine with one of its own, which is not common behavior. Additionally, it was not a Mirai clone (which is common), but a different Go-based codebase. Our research uncovered that this malware sample belongs to a P2P botnet named Panchan, which was caught and analyzed by Akamai back in 2022. The Panchan botnet remains active in 2024 and the codebase has been evolving to provide new features.
Miner Payloads
Upon execution, Panchan stores a copy of itself at /bin/systemd-worker and additionally installs a systemd service unit at /lib/systemd/system/systemd-worker.service, ensuring its persistence across system reboots (see Figure 1). The PID is written to /tmp/.jpecggmkwmcssjj. Moreover, the service configuration includes LimitNOFILE, which controls the maximum number of files the service can have open concurrently, thus preventing resource exhaustion. Similarly, LimitNPROC governs the maximum number of processes the service can create, thereby safeguarding system stability by curtailing excessive resource consumption.
Two additional ELF binaries are embedded in the Panchan sample as base64-encoded strings: XMRig, a CPU/GPU miner that supports the RandomX, KawPow, CryptoNight and GhostRider algorithms, and NBMiner, a GPU miner that supports ethash, etchash and other algorithms.
Each miner is deployed by decoding the embedded base64-encoded string, using the memfd_create system call to return a file descriptor to an anonymous file stored in memory and then writing the decoded ELF there using /proc/self/fd/ (see Figure 2).
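As an added defender-side check (not code from this write-up or from the malware), the following Python script looks for the persistence and PID artifacts named above and for any running process whose executable is an anonymous memfd file, which is how the embedded miners are launched. The paths are the ones given on this page; the /memfd: link-target convention is standard Linux procfs behaviour.

```python
import os
from typing import Callable, Iterable, List

# Host artifacts named in the write-up (paths taken from the page itself).
PANCHAN_ARTIFACTS = [
    "/bin/systemd-worker",
    "/lib/systemd/system/systemd-worker.service",
    "/tmp/.jpecggmkwmcssjj",
]

def find_artifacts(exists: Callable[[str], bool] = os.path.exists,
                   candidates: Iterable[str] = PANCHAN_ARTIFACTS) -> List[str]:
    """Return the known persistence/PID paths that exist on this host."""
    return [p for p in candidates if exists(p)]

def is_memfd_exe(exe_target: str) -> bool:
    """True if a /proc/<pid>/exe link target is an anonymous memfd file.

    A binary started from a memfd_create() descriptor (e.g. via
    /proc/self/fd/N) has no path on disk; the kernel renders its exe link
    as '/memfd:<name>' or '/memfd:<name> (deleted)'.
    """
    return exe_target.startswith("/memfd:")

def memfd_processes(proc_root: str = "/proc") -> List[dict]:
    """Walk procfs and list processes whose main executable is a memfd."""
    hits: List[dict] = []
    try:
        entries = os.listdir(proc_root)
    except OSError:
        return hits  # no procfs here (non-Linux) or unreadable
    for entry in entries:
        if not entry.isdigit():
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            exe = os.readlink(os.path.join(pid_dir, "exe"))
            with open(os.path.join(pid_dir, "comm")) as fh:
                comm = fh.read().strip()
        except OSError:
            continue  # process exited, kernel thread, or no permission
        if is_memfd_exe(exe):
            hits.append({"pid": int(entry), "comm": comm, "exe": exe})
    return hits

if __name__ == "__main__":
    for path in find_artifacts():
        print(f"[!] Panchan artifact present: {path}")
    for proc in memfd_processes():
        print(f"[!] pid {proc['pid']} ({proc['comm']}) runs from {proc['exe']}")
```

Run it as root so every /proc/<pid>/exe link is readable; a memfd-backed process named after a miner, or a hit on any of the listed paths, warrants a closer look.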
Propagation and Logging
Upon successful entry to a system, Panchan enumerates all user home folders and parses each .ssh folder, reading the known_hosts file and attempting to log in to each listed host using whatever private SSH key is present (see Figure 3). Since this approach works recursively, it is an effective way to expand the botnet through lateral movement, provided that the initial host has accessed other machines over SSH and that the private key is not passphrase-protected.
In addition to spreading via SSH, the sample also scans random IPs from the public IPv4 space and attempts to log in via SSH using hardcoded username and password combinations (see Figure 4).
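The lateral movement described above only works when a private key has no passphrase and known_hosts lists targets in plaintext. The following audit helpers, added here as an example and not part of the original analysis, report the cipher protecting a private key (legacy PEM and OpenSSH key formats) and count plaintext versus hashed known_hosts entries (the HashKnownHosts option); the sample keys and host entries are constructed for the demonstration.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"

def private_key_cipher(key_text: str) -> str:
    """Cipher protecting a private key file, or 'none' if it has no passphrase.

    Legacy PEM keys carry a 'DEK-Info: <cipher>,<iv>' header when encrypted;
    OpenSSH-format bodies start with the magic, a 4-byte length, then the name.
    """
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN"):
        raise ValueError("not a PEM-framed private key")
    if "OPENSSH PRIVATE KEY" in lines[0]:
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError("missing openssh-key-v1 magic")
        off = len(OPENSSH_MAGIC)
        (n,) = struct.unpack(">I", body[off:off + 4])
        return body[off + 4:off + 4 + n].decode("ascii")
    for line in lines[1:]:
        if line.startswith("DEK-Info:"):
            return line.split(":", 1)[1].strip().split(",")[0]
        if line == "":
            break  # a blank line ends the PEM header block
    return "none"

def known_hosts_exposure(text: str) -> tuple:
    """Count (plaintext, hashed) entries; 'HashKnownHosts yes' writes '|1|salt|hash'."""
    plain = hashed = 0
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("|1|"):
            hashed += 1
        else:
            plain += 1
    return plain, hashed

# Constructed samples (not real keys): an unprotected OpenSSH-format body cut
# right after its cipher name, an encrypted legacy PEM header, and two hosts.
SAMPLE_UNPROTECTED = ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
    + base64.b64encode(OPENSSH_MAGIC + struct.pack(">I", 4) + b"none").decode()
    + "\n-----END OPENSSH PRIVATE KEY-----\n")
SAMPLE_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                    "AAAA\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_KNOWN_HOSTS = ("|1|c2FsdA==|aGFzaA== ssh-ed25519 AAAAC3Nza\n"
                      "build-01.example.internal ssh-ed25519 AAAAC3Nza\n")
```

A key reporting 'none' and a non-zero plaintext count together describe exactly the host state the malware exploits; adding a passphrase and enabling HashKnownHosts removes both preconditions.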
Panchan uses the Discord webhook API to communicate information back to its operator. For example, the text わあわあ is sent to Discord with a POST request from newly infected machines once the malware begins executing. The same webhook is also used to periodically report back the machine’s external IP address from the main_healthchecker function. Successful attempts to propagate via SSH are also reported back from main_sshtry.
Self-protection
Panchan employs a variety of techniques to reduce the chance of detection by system administrators and to protect itself from other malicious software. Of particular interest is its replacement of the existing SSH server on a system, while retaining the original SSH host key. This ensures that users connecting to the system do not encounter the WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! prompt. Moreover, the new SSH server, based on the crypto/ssh Go library, requires users to enter a specific string after authentication to prove that they are human (see Figure 5). This measure may prevent other bots that constantly scan the internet from infiltrating Panchan-infected machines, even if they acquire valid credentials for the system, as they won’t handle the prompt if they are unaware of it.
Panchan employs an additional tactic by checking for process names associated with process monitoring tools such as top or htop, and subsequently terminating any mining-related processes. This proactive measure aims to evade detection by system administrators actively inspecting running process lists, thereby concealing the presence of mining software (see Figure 6).
As is common for Unix-based malware, Panchan sets up signal handlers using signal.Notify to catch certain signals and prevent them from killing the process (see Figure 7). SIGTERM, for example, will be caught and is not sufficient to kill the malicious process. A signal that cannot be caught, such as SIGKILL, has to be used instead.
P2P
Panchan employs a P2P protocol that lets infected hosts exchange peers. Compromised systems act as servers for this functionality, listening on port 1919. Upon connection, clients receive a banner followed by a randomly selected set of the Panchan peers known to the system, if any (refer to Figure 8).
The P2P protocol supports the following commands:
- sharepeer [ip]: Used to exchange infected peers between hosts. Using this command, an infected machine can learn about other infected machines that it may be unaware of at the time. Once such a command is received, Panchan will attempt to connect to port 1919 of the given IP address.
- sharerigconfig [config]: Used to exchange configurations for the mining software. The configuration is sent as base64-encoded JSON. The mining configuration (see Figure 9) is signed to ensure that it originates from the botnet’s operator, so a signature field carrying an RSA PKCS #1 v1.5 signature is verified using the VerifyPKCS1v15 function of the crypto/rsa Go library and an embedded public key.
- shareupdateinfo [info]: Used to exchange information used to update the dropper. The information is sent as base64-encoded JSON and also signed just like sharerigconfig to confirm the origin of the download URL and other information sent by the peer (see Figure 10).
While older versions of Panchan exposed an admin panel when provided with the godmode argument, this is no longer present in the version of the sample that we analyzed. Given that the update and mining configurations are signed and verified, and any peer can send them, it is likely that this code was taken out and implemented separately.
Infection Metrics
Devices infected with the Panchan malware family can be identified by searching for SSH servers displaying the Go banner on platforms like Shodan. While not all servers with this banner are Panchan infections, Panchan-infected systems additionally expose a service on port 1919 for the P2P functionality. Clients connecting to this service receive a Panchan banner along with a random selection of other P2P nodes. Starting from a dataset of Go-based SSH servers, ruling out those that do not run a service on port 1919 with the expected Panchan banner, and then querying the infected nodes for the peers they know, it is possible to accurately compute the botnet’s size. At the time of writing, this was the geographical distribution of infections.
Conclusion
Through the deployment of these decoy systems, we gain valuable insights into the tactics, tools, and behaviors of malicious actors in real-world scenarios. This firsthand knowledge not only helps us understand the intricacies of new malware but also enables us to develop more effective countermeasures to safeguard against future attacks. By continually monitoring and adapting to the evolving threat landscape, we can stay one step ahead in the ongoing battle to secure our digital infrastructure and protect against cyber threats.
IoC
Panchan: 94f2e4d8d4436874785cd14e6e6d403507b8750852f7f2040352069a75da4c00
Embedded XMRig: 6f445252494a0908ab51d526e09134cebc33a199384771acd58c4a87f1ffc063
Embedded NBMiner: a819b4a95f386ae3bd8f0edc64e8e10fae0c21c9ae713b73dfc64033e5a845a1
PID: /tmp/.jpecggmkwmcssjj
Persistence: /lib/systemd/system/systemd-worker.service