So in my usual pattern of being curious, I did some more analysis of old malware samples on IDA. First thing that I caught was that it contained a huge (30-25 MB) with a bit chunk of Go Code. This is a bit unusual as most of the malware that I see are Mirai combined with something but this one was a bit unusual. The second was a huge dictionary built-in, along with many SSH keys. While Mirai had mastered the default credential game, this looked a bit different in the utilities as well. To dive further into the details I looked for block structure.
And this time I found somewhat of a really interesting sample. Identifying itself as
panchan it contained links to a discord server. It included even an invite code! It also contained an API link to the malware server to basically report as sort of a CnC. (That was my initial assumption).
API - https://discord.com/api/webhooks/954739777134014514/mlkP-UocEi6FOR8dm5nByY5c7hxOaRxDbIxDhdPJ-ieB_dRyGYYvu_MPzYdMvcogCPOf
Join - https://discord.com/invite/32NGMf29nh
Of course I had to check those out, so I started with a bit of security on my end and got this:
And then browsing the Discord server anonymously to checkout some more. It was indeed a curious thing as it seems to be left behind almost intentionally!
I definitely had to scan for something more after this on this server. My observation was that this was created by someone of Japanese origin (or at least used the language) but then people of different origins joined as evident by language on these posts.
I also noticed that there are many modified versions of this thing going around. Some have this join link. While others don't. For example check out the images below.
But this one then has a slightly reduced size, better obfuscation and also seems to remove a lot of string which can help in tracing origin.
It almost seems like someone wanted to see how far this experiment of annoyance will go. One more thing I realized was the malware wants to do much more network exploration than a typical Mirai flow. However, this and admin portal were beyond my skills at the moment. Check out the link below to explore further.
PS: Akamai has already done a huge post on this. Check it out if you want more information.