New Malware Targets Linux Servers to Mine Cryptocurrency and Evade Detection

CyberPro Magazine

[Source – thehackernews.com]

Linux servers are the latest target of a sophisticated malware campaign involving a stealthy malware known as “perfctl.” The primary goal of this malware is to covertly run cryptocurrency mining operations and proxyjacking software. The malware employs advanced techniques to remain undetected and persist on compromised systems.

Perfctl: A Sophisticated and Elusive Malware

According to Aqua Security researchers Assaf Morag and Idan Revivo, perfctl is particularly elusive, using a range of sophisticated methods to remain active while avoiding detection. In a report shared with The Hacker News, the researchers explained that perfctl stops all “noisy” activities whenever a new user logs into the compromised server. This lets it lie dormant until the system becomes idle again, minimizing the chance that an administrator notices it.

After it executes, perfctl deletes its own binary file, making it harder for security teams to trace its presence. The malware continues to run in the background as a service, quietly carrying out its malicious activities. Some parts of this campaign were previously revealed by Cado Security, which identified perfctl as part of a larger operation targeting internet-exposed Selenium Grid instances with both cryptocurrency mining and proxyjacking software.

Exploiting Vulnerabilities to Gain Control

Perfctl leverages a well-known security vulnerability in Polkit (CVE-2021-4043), commonly referred to as PwnKit, to escalate privileges and gain root access on affected servers. Once it has elevated privileges, the malware drops a cryptocurrency miner called “perfcc.” The name “perfctl” appears to be a deliberate attempt to blend in with legitimate system processes: it combines “perf,” the name of the Linux performance monitoring tool, with the suffix “ctl,” which stands for “control” in many command-line tools.

The attack method observed by Aqua Security’s honeypot servers involves breaching Linux servers by exploiting a vulnerable instance of Apache RocketMQ. This allows the attackers to deliver a malicious payload named “httpd.” After the malware is executed, it copies itself into a new location within the “/tmp” directory, runs the newly created binary, terminates the original process, and deletes the initial binary to erase evidence of the attack. This method allows the attackers to conceal their tracks while continuing to operate on the infected system.
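The copy-to-/tmp, execute, kill-the-parent, unlink-the-binary chain described above leaves a forensic trace that is easy to check for on Linux: a process whose executable has been deleted still has a `/proc/<pid>/exe` link, but the link target carries a trailing “ (deleted)”. The following detection helper is an added example written for this article; it is not Aqua Security’s or Cado Security’s code. The `indicators()` rules and the sample process records are constructed from the names the article reports (“perfctl”, “perfcc”, and an “httpd” payload running out of /tmp); the thresholds and directory list are assumptions, not published IoCs.

```python
"""Flag running processes that match the execution chain described in the
article: binary copied into a temp directory, executed, then unlinked while
still running.  Added example, not code from the original report."""
import os
from dataclasses import dataclass
from typing import Dict, List, Optional

# Process names the article associates with the campaign.  "httpd" is a
# legitimate name for Apache, so it is only flagged when it runs from a temp
# directory; "perfctl" and "perfcc" are flagged anywhere.  (Assumed rules.)
MIMIC_NAMES = {"perfctl", "perfcc"}
TEMP_ONLY_NAMES = {"httpd"}
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")  # assumed list of scratch dirs


@dataclass
class ProcInfo:
    pid: int
    comm: str  # contents of /proc/<pid>/comm
    exe: str   # readlink target of /proc/<pid>/exe, "" if unreadable


def indicators(p: ProcInfo) -> List[str]:
    """Return the list of matched indicators for one process (empty = clean)."""
    hits: List[str] = []
    deleted = p.exe.endswith(" (deleted)")
    path = p.exe[: -len(" (deleted)")] if deleted else p.exe
    in_tmp = path.startswith(TEMP_DIRS)
    if deleted:
        hits.append("exe-deleted")      # binary unlinked after launch
    if in_tmp:
        hits.append("exe-in-tmp")       # executing out of a scratch directory
    if p.comm in MIMIC_NAMES or (p.comm in TEMP_ONLY_NAMES and in_tmp):
        hits.append("mimic-name")       # name chosen to look like a system tool
    return hits


def read_proc(pid: int) -> Optional[ProcInfo]:
    """Build a ProcInfo from /proc; None if the process vanished or is unreadable."""
    try:
        with open(f"/proc/{pid}/comm") as fh:
            comm = fh.read().strip()
    except OSError:
        return None
    try:
        exe = os.readlink(f"/proc/{pid}/exe")
    except OSError:
        exe = ""  # typically a kernel thread or a process owned by another user
    return ProcInfo(pid, comm, exe)


def scan_proc() -> Dict[int, List[str]]:
    """Scan the live /proc tree; returns {pid: [indicators]} for suspicious processes."""
    findings: Dict[int, List[str]] = {}
    if not os.path.isdir("/proc"):
        return findings  # not a Linux host with procfs
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        info = read_proc(int(entry))
        if info is None:
            continue
        hits = indicators(info)
        if hits:
            findings[info.pid] = hits
    return findings


# Constructed sample records mirroring the behaviour the article describes.
SAMPLE = [
    ProcInfo(1, "systemd", "/usr/lib/systemd/systemd"),
    ProcInfo(812, "httpd", "/usr/sbin/httpd"),                # legitimate Apache
    ProcInfo(4213, "httpd", "/tmp/httpd (deleted)"),          # dropped payload
    ProcInfo(4290, "perfctl", "/tmp/perfctl (deleted)"),      # relaunched copy
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.pid, p.comm, indicators(p))
    print("live findings:", scan_proc())
```

Run as root for full coverage, since `/proc/<pid>/exe` of another user’s process is not readable otherwise. A deleted executable on its own is not proof of compromise (package upgrades leave long-running daemons in that state until restart), which is why the helper reports separate indicators rather than a single verdict.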

Recommendations to Mitigate the Threat

In addition to copying itself to other directories and adopting seemingly harmless names, perfctl also deploys a rootkit to evade detection by traditional security measures. Some versions of the malware also download and execute proxyjacking software from remote servers, further complicating the attack.

To mitigate the risks posed by this ongoing campaign, security experts recommend several steps. Keeping all systems and software up-to-date is crucial, as is restricting file execution and disabling any services that are not actively in use. Enforcing network segmentation and implementing Role-Based Access Control (RBAC) can further limit access to critical system files, reducing the attack surface for potential intruders.

Aqua Security researchers also advised administrators to monitor their servers for unusual activity, such as spikes in CPU usage or system slowdowns, which may indicate the presence of the perfctl malware. These signs are especially important to watch for during periods of low system activity, as they may reveal crypto mining operations being carried out in the background.
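The advice above, combined with the earlier observation that perfctl goes quiet whenever a user logs in, suggests a specific monitoring pattern: sustained high CPU while no one is logged in, which collapses the moment a session appears. The script below is an added example for this article, not a tool from Aqua Security; it assumes a periodic sampler that records CPU utilisation and the number of interactive sessions (for instance from `who`), and the sample series is constructed to show the pattern.

```python
"""Detect the idle-only mining pattern described in the article from a series
of (cpu %, logged-in sessions) samples.  Added example; samples are constructed."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Sample:
    minute: int      # sample time, minutes since start of the window
    cpu_pct: float   # total CPU utilisation at that moment
    sessions: int    # interactive sessions present (e.g. line count of `who`)


def idle_mining_windows(samples: List[Sample], cpu_threshold: float = 80.0,
                        min_len: int = 3) -> List[Tuple[int, int]]:
    """Return (start, end) minute ranges where CPU stays at or above
    cpu_threshold with zero sessions for at least min_len consecutive samples."""
    windows: List[Tuple[int, int]] = []
    start = None
    run = 0
    prev = None
    for s in samples:
        if s.sessions == 0 and s.cpu_pct >= cpu_threshold:
            if start is None:
                start = s.minute
            run += 1
        else:
            if run >= min_len:
                windows.append((start, prev.minute))
            start, run = None, 0
        prev = s
    if run >= min_len:
        windows.append((start, prev.minute))
    return windows


def suppressed_on_login(samples: List[Sample], cpu_threshold: float = 80.0) -> List[int]:
    """Minutes at which a busy, unattended host went quiet as soon as a
    session appeared: CPU >= threshold with 0 sessions, and in the very next
    sample sessions > 0 with CPU below half the threshold.  This is the
    'stop noisy activity on login' behaviour the report describes."""
    events: List[int] = []
    for a, b in zip(samples, samples[1:]):
        if (a.sessions == 0 and a.cpu_pct >= cpu_threshold
                and b.sessions > 0 and b.cpu_pct < cpu_threshold / 2):
            events.append(a.minute)
    return events


# Constructed ten-minute series: heavy load while unattended, a login at
# minute 4 after which load vanishes, then load resuming once the user leaves.
SERIES = [
    Sample(0, 92.0, 0), Sample(1, 95.0, 0), Sample(2, 93.0, 0), Sample(3, 90.0, 0),
    Sample(4, 12.0, 1), Sample(5, 10.0, 1), Sample(6, 11.0, 0),
    Sample(7, 91.0, 0), Sample(8, 94.0, 0), Sample(9, 96.0, 0),
]

if __name__ == "__main__":
    print("unattended high-CPU windows:", idle_mining_windows(SERIES))
    print("load dropped on login at minutes:", suppressed_on_login(SERIES))
```

Scheduled batch jobs and backups also produce unattended CPU spikes, so the first function alone is noisy; the second, which keys on the drop coinciding with a login, is the more specific signal and is worth alerting on even when the window detector fires routinely.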

The discovery of perfctl highlights the increasing complexity and stealthiness of malware targeting Linux servers, emphasizing the need for robust security practices and proactive monitoring to defend against these evolving threats.
