Researchers warn of a new worm that's infecting Linux servers by brute-forcing and stealing SSH credentials. The hijacked servers are joined in a botnet and are used to mine cryptocurrency by loading mining programs directly in memory with no files on disk.
Dubbed Panchan by researchers from Akamai, the malware is written in the Go programming language, which allows it to be platform independent. It first appeared in late March and has infected servers in all regions of the world since then, though Asia does seem to have a bigger concentration. The most impacted vertical seems to be education.
"This might be due to poor password hygiene, or it could be related to the malware’s unique lateral movement capability with stolen SSH keys," the Akamai team said in a blog post.
"Researchers in different academic institutions might collaborate more frequently, and require credentials to authenticate to machines that are outside of their organisation / network, than employees in the business sector. To strengthen that hypothesis, we saw that some of the universities involved were from the same country — Spain, or others from the same region, like Taiwan and Hong Kong."
SSH infections and peer-to-peer communications
The malware has worm capabilities, meaning it can automatically jump from machine to machine. It achieves this in two ways: by launching a dictionary-based brute-force attack against SSH remote access services to try to guess username/password combinations, and by stealing authorised SSH keys that already exist on infected machines.
"The malware looks under the running user HOME directory for ssh configuration and keys," the researchers said. "It reads the private key under ~HOME/.ssh/id_rsa and uses it to attempt to authenticate to any IP address found under ~HOME/.ssh/known_hosts. This is a novel credential harvesting method we haven’t seen used in other malware."
Once it gains access to a new machine, the malware creates a folder with a random name under the root directory and copies itself inside with the file name xinetd.
The malware is then executed along with a list of peers. This establishes a communication channel between the infected machines, allowing them to relay commands and configurations to each other. The channel uses TCP port 1919, which the malware opens in the firewall by running iptables commands.
One interesting feature, likely influenced by its peer-to-peer command and control topology, is that the malicious binary has a command panel built in, as opposed to such a panel being hosted on a command-and-control server. Accessing this panel remotely can be done by sending the command "godmode" to the malware and then supplying the correct private key for authentication.
The admin panel has three major options: refreshing the status screen, displaying the peers list, and updating the cryptominer configuration. The panel displays text in Japanese, suggesting the malware's creators are Japanese speakers.
Cryptomining is the botnet’s purpose
The main purpose of the botnet at this time seems to be cryptomining, though this could be expanded later. The malware deploys the xmrig and nbhash miners, but does so by using the memfd_create function to create files that are mapped and executed directly in memory without ever being written to disk. This is likely intended to avoid detection, as both xmrig and nbhash are well-known cryptomining programs for which most security products will issue alerts.
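As an added example (not code from the article, Akamai, or the malware), the following Python checks look for the two host-level traces described above: a process whose main executable lives in a memfd rather than on disk, and a listener on the TCP port 1919 peer channel. The /proc paths are standard Linux; the sample /proc/net/tcp text is constructed.

```python
"""Added example, not Akamai's or the malware's code: host-side checks for the
memfd execution and the TCP 1919 listener described above. Assumes the Linux
/proc layout; all sample strings are constructed."""
import os
import re

# /proc/<pid>/exe of a memfd_create()-backed image resolves to a pseudo-path
# like "/memfd:xmrig (deleted)" rather than to a file on disk.
MEMFD_RE = re.compile(r"^/memfd:(.*?)\s*\(deleted\)$")

def memfd_name(exe_target):
    """Return the memfd name if exe_target points into memory, else None."""
    m = MEMFD_RE.match(exe_target)
    return m.group(1) if m else None

def scan_memfd_processes(proc_root="/proc"):
    """List (pid, memfd name) for every process whose main image is a memfd."""
    hits = []
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, pid, "exe"))
        except OSError:  # process exited, or not ours to inspect
            continue
        name = memfd_name(target)
        if name is not None:
            hits.append((int(pid), name))
    return hits

def listening_ports(proc_net_tcp_text):
    """Parse /proc/net/tcp text; return the ports in LISTEN state (st == 0A)."""
    ports = set()
    for line in proc_net_tcp_text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) >= 4 and fields[3] == "0A":
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))  # port is hex
    return ports

def panchan_port_open(proc_net_tcp_text, port=1919):
    """True if the peer-to-peer port the article describes is listening."""
    return port in listening_ports(proc_net_tcp_text)

# Constructed /proc/net/tcp sample: sshd on port 22 (0x0016) and a listener
# on 0.0.0.0:1919 (0x077F).
SAMPLE_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 00000000:077F 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 2002 1 0000000000000000 100 0 0 10 0
"""
```

A memfd-backed process is a lead rather than a verdict, since some legitimate runtimes also execute from memfd, and reading other users' exe links requires root. Running `scan_memfd_processes()` and `panchan_port_open(open("/proc/net/tcp").read())` as root covers a live host.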
This is further supported by the fact that the malware has an anti-monitoring module called antitaskmanager that continuously looks for the processes top and htop and terminates the mining processes if it sees them. Top and htop are Linux utilities used to monitor active processes and their resource usage.
The malware also has an anti-kill mechanism that catches the Linux SIGTERM and SIGINT termination signals sent to its own process and ignores them. However, the researchers point out that it doesn't prevent SIGKILL (which cannot be caught or ignored), so that signal can still be used to kill its process.
The Akamai researchers have created a repository with indicators of compromise for this malware as well as YARA and Snort detection signatures. They also recommend that organisations set strong SSH passwords, use multi-factor authentication solutions, segment their networks, allow SSH connections only from known hosts, and monitor their VMs for unusual resource activity, as cryptomining malware will generate high resource consumption.