The peer-to-peer Panchan malware spreads throughout educational institutes using Linux servers to mine cryptocurrencies.

Discovered by Akamai researchers in March, the virus spreads using stolen SSH keys and operates its cryptomining malware in devices’ memory. Instead of stealing intellectual property by targeting educational institutes, this malware mines cryptocurrency. The peer-to-peer (P2P) virus reads id_rsa and known_hosts files to collect existing credentials. The malware then uses them to move laterally across the network.

The Panchan cryptojacker is written in the Go programming language. It communicates in plaintext over TCP; however, it can escape monitoring and features a ‘godmode’ admin panel for remotely controlling and distributing mining configurations. The creator of Panchan uses Go version 1.18, which Google released in March. “The admin panel is written in Japanese, which hints at the creator’s geolocation”, stated Steve Kupchik, security professional at Akamai.

Why education?

Educational institutions are clearly targeted. The question is why. Akamai believes it could be due to poor password hygiene and networking. “Researchers in different academic institutions might collaborate more frequently than employees in the business sector, and require credentials to authenticate to machines that are outside of their organization and network”, he said. “Strengthening that hypothesis, we saw that some of the universities involved were from the same country.”