Hackers’ “Godmode” Spies on Victims
Panchan, a piece of malware written in Google’s open source Go language, has been coded by Japanese hackers for crypto mining scams. The hackers have created a fileless worm, dubbed the ‘Panchan botnet’, that targets Linux devices running SSH servers.
The recently discovered P2P botnet’s apparent goal is to illegally mine cryptocurrency on the servers of telecommunications and healthcare companies. The value of cryptocurrencies such as Bitcoin and Ethereum has surprisingly surpassed the mighty US dollar, and has driven an exponential rise in malicious cryptocurrency scams. Criminal hackers now use crypto mining botnets to constantly carry out hacking assaults on online computer networks.
In mere moments, victims are attacked without having the slightest idea until it’s far too late. This is aided by the highly versatile language Panchan is written in: the Go programming language, or “Golang”. Google’s engineers created this open source language to support modern computing infrastructure.
Analysts have documented that communication between the botnet and its C2 isn’t encrypted; instead, cleartext traffic over TCP port 1919 is used. The malware’s configuration is used by the hackers for crypto mining and to reproduce itself on infected hosts. The malware also includes a “godmode” feature, protected by a private key that only the threat actors hold.
The Akamai cyber security team has since modified the program, removing the threat actors’ “godmode” check. It was through this modification that the research analysts discovered the admin panel hidden behind it, which includes peer stats, miner settings, host status, and update options for the criminal hackers.
Scam Cryptomining Undetectable
In addition, the Akamai analysts reported that Panchan’s mining pools and wallets use NiceHash, which makes it impossible to trace the transactions or estimate the windfall profit from the illegal mining operations. This helps the hackers avoid leaving a record on a public cryptocurrency blockchain. The analysts also documented that the botnet uses the miner binaries xmrig and nbhash as fileless entities: they are decoded from base64 and executed in memory at runtime, never touching the disk.
Akamai’s researchers revealed that the malware features an anti-kill system, which detects and ignores process termination requests unless the signal is SIGKILL, which a process cannot catch or ignore. So far, the analysts reported that they have identified over 200 computer systems compromised by Panchan’s worm, but only 40 of the infiltrated Linux systems are currently still in operation.
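The three host-side traits described above (a cleartext peer channel on TCP 1919, miner binaries that exist only in memory, and a process that has to be stopped with SIGKILL) are all visible to a responder with nothing more than the output of `ss -tnp` and the `/proc/<pid>/exe` and `/proc/<pid>/cmdline` entries of running processes. The following triage script is an added example written for this page, not code from Akamai or from the malware: it parses constructed `ss -tnp` lines and a constructed process table and groups findings per PID. The port, miner names and `/memfd:` exe form are taken from the article and from how Linux reports memory-backed executables; the sample PIDs, addresses and command lines are constructed.

```python
"""Host triage for Panchan-style fileless cryptominers (added example)."""
import re

PANCHAN_P2P_PORT = 1919             # cleartext peer/C2 port reported by Akamai
MINER_NAMES = ("xmrig", "nbhash")   # miner binaries the article says run from memory

# One line of `ss -tnp` output (Linux iproute2), including the optional
# users:(("name",pid=N,fd=M)) column; `*` is accepted as the peer port of listeners.
SS_LINE = re.compile(
    r"^(?P<state>[A-Z-]+)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+|\*)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+|\*)"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)[^)]*\)\))?'
)


def parse_ss(text):
    """Return one dict per socket line; the header and unparsable lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = SS_LINE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["pid"] = int(d["pid"]) if d["pid"] else None
        conns.append(d)
    return conns


def flag_p2p_port(conns, port=PANCHAN_P2P_PORT):
    """Any socket using the botnet port as local (listener) or peer port."""
    out = []
    for c in conns:
        if str(port) in (c["lport"], c["rport"]):
            out.append((c["pid"], f"{c['state']} {c['laddr']}:{c['lport']} -> "
                                  f"{c['raddr']}:{c['rport']} uses TCP {port}"))
    return out


def flag_fileless(procs):
    """readlink /proc/<pid>/exe gives '/memfd:<name> (deleted)' for a program
    created in memory and '<path> (deleted)' for one whose file was unlinked;
    either way there is no binary on disk to hash or quarantine."""
    out = []
    for p in procs:
        if p["exe"].startswith("/memfd:") or p["exe"].endswith("(deleted)"):
            out.append((p["pid"], f"executable not on disk: {p['exe']}"))
    return out


def flag_miner_cmdline(procs):
    """Known miner names or a stratum pool URL on the command line."""
    out = []
    for p in procs:
        cmd = p["cmdline"].lower()
        if any(name in cmd for name in MINER_NAMES) or "stratum+tcp://" in cmd:
            out.append((p["pid"], f"miner indicator in cmdline: {p['cmdline']}"))
    return out


def triage(ss_text, procs):
    """Group every finding under its PID so a responder sees the whole picture.
    A process matching the fileless check must be stopped with SIGKILL; the
    article notes that gentler termination signals are ignored."""
    findings = {}
    checks = flag_p2p_port(parse_ss(ss_text)) + flag_fileless(procs) + flag_miner_cmdline(procs)
    for pid, reason in checks:
        findings.setdefault(pid, []).append(reason)
    return findings


# Constructed sample of `ss -tnp` output (not a real capture).
SAMPLE_SS = """State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:41022 203.0.113.7:1919 users:(("panchan",pid=4242,fd=3))
ESTAB 0 0 10.0.0.5:22 198.51.100.20:50112 users:(("sshd",pid=811,fd=4))
LISTEN 0 128 0.0.0.0:1919 0.0.0.0:* users:(("panchan",pid=4242,fd=5))
"""

# Constructed process table as read from /proc/<pid>/exe and /proc/<pid>/cmdline.
SAMPLE_PROCS = [
    {"pid": 4242, "exe": "/memfd:xmrig (deleted)",
     "cmdline": "xmrig -o stratum+tcp://pool.invalid:3333"},
    {"pid": 811, "exe": "/usr/sbin/sshd", "cmdline": "sshd: ops@pts/0"},
    {"pid": 1300, "exe": "/usr/bin/python3", "cmdline": "python3 app.py"},
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_SS, SAMPLE_PROCS).items():
        print(f"PID {pid}:")
        for r in reasons:
            print("  -", r)
```

On a live host the two inputs come from `ss -tnp` and from iterating `/proc`; the checks are deliberately independent so that a miner renamed to something innocuous is still caught by the memfd check, and a fileless process that is not yet mining is still caught by the port check.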
It’s reported that the healthcare, education, and telecommunication industries make up the majority of the hackers’ victims. With a high concentration of clients, these sectors fit the threat actors’ criteria for quickly replicating the Panchan botnet and effortlessly facilitating its rapid growth. Additionally, poor password selection, as well as excessive SSH key sharing for global academic research collaborations, creates the ideal conditions for the botnet to reproduce at an alarming pace.
To prevent these types of attacks from spreading, Akamai recommends that potential targets use complex passwords, add MFA to all accounts, limit SSH access, and monitor all VM resource activity as closely as possible.
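Most of Akamai’s recommendations above map onto a handful of `sshd_config` keywords, so they can be checked mechanically. The audit below is an added example for this page, not Akamai’s tooling: it parses the global section of an `sshd_config` the way sshd does (first occurrence of a keyword wins, `Match` blocks not evaluated) and reports which of the recommendations are unmet, with a constructed weak configuration beside a constructed hardened one. The `MaxAuthTries` threshold of 3 is an assumption chosen for the example; the keyword names and defaults are OpenSSH’s.

```python
"""Audit an sshd_config against the SSH recommendations in the article (added example)."""
import re


def parse_sshd_config(text):
    """Global-section keywords, lowercased. As in sshd, the first occurrence of a
    keyword wins. Parsing stops at the first Match block, whose conditional
    overrides this simplified audit does not evaluate."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+|=", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        opts.setdefault(key, value)
    return opts


def audit(text, max_auth_tries=3):
    """Return a list of unmet recommendations; an empty list means all pass."""
    o = parse_sshd_config(text)
    issues = []
    # Poor passwords feed the worm: take password guessing off the table.
    if o.get("passwordauthentication", "yes") != "no":          # OpenSSH default: yes
        issues.append("PasswordAuthentication is not 'no'")
    # Shared keys are a stated risk; do not let any of them land on root.
    if o.get("permitrootlogin", "prohibit-password") != "no":    # OpenSSH default: prohibit-password
        issues.append("PermitRootLogin is not 'no'")
    # "Limit SSH access": an explicit allow-list of users or groups.
    if "allowusers" not in o and "allowgroups" not in o:
        issues.append("no AllowUsers/AllowGroups: every local account may log in over SSH")
    # "Add MFA": every alternative in AuthenticationMethods must need two factors,
    # because a client may pick whichever alternative it can satisfy.
    alternatives = o.get("authenticationmethods", "").split()
    if not alternatives or not all(len(a.split(",")) >= 2 for a in alternatives):
        issues.append("AuthenticationMethods does not require two factors "
                      "(e.g. publickey,keyboard-interactive)")
    # Assumed threshold for this example; the OpenSSH default is 6.
    if int(o.get("maxauthtries", "6")) > max_auth_tries:
        issues.append(f"MaxAuthTries exceeds {max_auth_tries}")
    return issues


# Constructed sample resembling a stock configuration.
WEAK_CONFIG = """
# stock settings
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
"""

# Constructed hardened sample. KbdInteractiveAuthentication (called
# ChallengeResponseAuthentication before OpenSSH 8.7) lets PAM supply the
# second factor that AuthenticationMethods demands after the public key.
HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
AllowGroups ssh-users
MaxAuthTries 3
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        problems = audit(cfg)
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Run `audit(open("/etc/ssh/sshd_config").read())` on a host to get the same report for its real configuration; anything inside `Match` blocks still needs a manual look, since those can loosen the global settings for particular users or source addresses.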