P2P Botnet PanChan

So, in my usual pattern of being curious, I did some more analysis of old malware samples in IDA. The first thing that caught my eye was a huge (30-25 MB) binary containing a big chunk of Go code. This is a bit unusual, as most of the malware I see is Mirai combined with something else. The second thing was a huge built-in dictionary, along with many SSH keys. Mirai had mastered the default-credential game, but the utilities here looked a bit different. To dive further into the details I looked for block structure.

And this time I found a really interesting sample. Identifying itself as panchan, it contained links to a Discord server, even including an invite code! It also contained a Discord webhook API URL pointing at the malware's server, which I initially assumed was used to report back, as a sort of CnC.

API - https://discord.com/api/webhooks/954739777134014514/mlkP-UocEi6FOR8dm5nByY5c7hxOaRxDbIxDhdPJ-ieB_dRyGYYvu_MPzYdMvcogCPOf
Join - https://discord.com/invite/32NGMf29nh
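
The things I noted above (Go build markers, an embedded Discord webhook or invite, a credential dictionary and SSH key material) are all visible from plain strings triage before you ever open IDA. Here is a small Python triage helper I wrote for this post; it is not code from the sample or from anyone's analysis of it. The webhook id, token and invite code in the constructed sample bytes are placeholders, not the real values, and the helper redacts the webhook token in its output so a live credential does not end up pasted into a report by accident.

```python
import re

# Constructed sample: a few bytes mimicking what `strings` would pull from a Go
# binary that embeds a Discord webhook and invite. The webhook id/token and
# invite code are PLACEHOLDERS, not the values from the real sample.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"Go buildinf:\x08\x02\x00"
    + b"go1.18.3\x00"
    + b"\x00https://discord.com/api/webhooks/123456789012345678/EXAMPLE_TOKEN_PLACEHOLDER\x00"
    + b"junk\x01\x02"
    + b"https://discord.com/invite/EXAMPLE1\x00"
    + b"root\x00admin\x00password\x00123456\x00"
    + b"-----BEGIN OPENSSH PRIVATE KEY-----\x00"
)

# Discord webhook URLs carry the id and a bearer-like token in the path.
WEBHOOK_RE = re.compile(r"https://discord(?:app)?\.com/api/webhooks/(\d+)/([A-Za-z0-9_-]+)")
INVITE_RE = re.compile(r"https://discord(?:app)?\.com/invite/([A-Za-z0-9]+)")
# Markers left by the Go toolchain in statically linked binaries.
GO_MARKERS = (b"Go buildinf:", b"go1.")


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return printable ASCII runs of at least min_len bytes, like `strings -n 4`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def redact_token(token: str) -> str:
    """Keep a short prefix so analysts can correlate samples without leaking the secret."""
    return token[:4] + "..."


def triage(data: bytes) -> dict:
    """Flag indicators worth a second look: Go build markers, Discord webhooks
    and invites, and embedded private key material."""
    strs = extract_strings(data)
    webhooks = []
    invites = []
    has_key_material = False
    for s in strs:
        for m in WEBHOOK_RE.finditer(s):
            webhooks.append((m.group(1), redact_token(m.group(2))))
        for m in INVITE_RE.finditer(s):
            invites.append(m.group(1))
        if "PRIVATE KEY-----" in s:
            has_key_material = True
    return {
        "is_go": any(marker in data for marker in GO_MARKERS),
        "webhooks": webhooks,
        "invites": invites,
        "has_private_key_material": has_key_material,
        "string_count": len(strs),
    }


if __name__ == "__main__":
    # Usage: pass real file bytes instead of SAMPLE_BINARY, e.g. open(path, "rb").read()
    for key, value in triage(SAMPLE_BINARY).items():
        print(f"{key}: {value}")
```

Run it over a real file by reading its bytes in place of `SAMPLE_BINARY`; a hit on `webhooks` gives you the webhook id to pivot on across samples (the second one I found below had stripped exactly these strings), and a hit on `is_go` together with a large string count is a quick way to separate these Go-based samples from the usual Mirai builds.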

Of course I had to check those out, so after taking some precautions on my end I queried the API and got this:

API Request

I then browsed the Discord server anonymously to check out some more. It was indeed a curious thing, as it seems to have been left behind almost intentionally!

Yep, you can click the join code directly to check it out! Take precautions though.

I definitely had to dig further into this server after that. My observation was that it was created by someone of Japanese origin (or at least someone who used the language), but people of other origins joined later, as evident from the language of these posts.

English Sample
Russian sample

I also noticed that there are many modified versions of this thing going around. Some have this join link, while others don't. For example, check out the images below.

This one contains the full Pan-Chan Signature

But this one has a slightly reduced size, better obfuscation, and also seems to have removed a lot of strings that could help in tracing its origin.

Reduced signature here

It almost seems like someone wanted to see how far this experiment in annoyance would go. One more thing I realized was that the malware does much more network exploration than a typical Mirai flow. However, analysing that, along with the admin portal, was beyond my skills at the time. Check out the link below to explore further.

PS: Akamai has already published a detailed post on this. Check it out if you want more information.