Latest Perfctl Malware Aims at Linux Servers for Mining Cryptocurrency and Proxyjacking
Linux servers are the target of an ongoing campaign that deploys a stealthy malware known as perfctl, whose main purpose is to run a cryptocurrency miner and proxyjacking software.
Aqua security researchers Assaf Morag and Idan Revivo noted in a report shared with The Hacker News that “Perfctl employs various advanced techniques to maintain its elusive and persistent nature.”
“Upon a new user login to the server, it ceases all ‘noisy’ operations, remaining dormant until the server is back to an idle state. Subsequently, it erases its binary after execution and silently operates in the background as a service,” the researchers added.
Some elements of the campaign were disclosed last month by Cado Security, which detailed an attack on internet-exposed Selenium Grid instances that deployed both cryptocurrency mining and proxyjacking software.
Specifically, the perfctl malware exploits a vulnerability in Polkit (CVE-2021-4043, also known as PwnKit) to elevate privileges to root and deploy a miner named perfcc.
The choice of the name “perfctl” is believed to be a deliberate attempt to avoid detection by blending in with genuine system processes. This is because “perf” is associated with a Linux performance monitoring tool, while “ctl” denotes control in various command-line tools like systemctl, timedatectl, and rabbitmqctl.
Based on the cloud security firm's analysis of its honeypot servers, the attack chain begins by breaching Linux servers through a vulnerable Apache RocketMQ instance, which is used to deliver a payload named “httpd.”
Once executed, the malware copies itself to a new location under the “/tmp” directory, launches the new copy, terminates the original process, and deletes the initial binary to cover its tracks.
In addition to copying itself to different locations and adopting innocuous-looking names, the malware is designed to drop a rootkit to evade detection, as well as the miner payload. In some cases, it also downloads and executes proxyjacking software from a remote server.
To reduce the risk posed by perfctl, it is advised to keep systems and all software components updated, restrict file execution, disable unused services, enforce network segmentation, and implement Role-Based Access Control (RBAC) to limit access to critical files.
“In order to identify the presence of the perfctl malware, vigilance for abnormal spikes in CPU usage or system lag if the rootkit is deployed on your server is crucial,” stated the researchers. “These signs may indicate cryptocurrency mining activities, especially during idle periods.”
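Two of the host-level signs described in this article, a loader that relocates into /tmp and unlinks its own binary, and CPU load that appears while nobody is logged in, can be checked with a short triage script. The following is an added example, not code from Aqua, Cado Security or the article; it assumes a Linux /proc layout, treats /var/tmp and /dev/shm as additional scratch directories by assumption, uses an assumed 80% CPU threshold, and the sample paths in the comments are constructed.

```python
"""Host triage helpers for two perfctl behaviours described in the article: a loader
that relocates to /tmp and unlinks its own binary, and CPU load that appears while no
one is logged in. Added example, not code from Aqua, Cado or the article; assumes a
Linux /proc layout. Thresholds, extra scratch directories and sample paths are
assumptions chosen for illustration."""
import os
import subprocess
from typing import Dict, List, Optional

# /tmp is the staging directory named in the article; /var/tmp and /dev/shm are
# added here by assumption as other world-writable scratch locations.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Process names taken from the report (loader and miner).
REPORTED_NAMES = {"perfctl", "perfcc"}
DELETED_SUFFIX = " (deleted)"


def classify_exe(exe_target: Optional[str], comm: str) -> List[str]:
    """Return the reasons a process resembles the self-relocating loader.

    exe_target is the resolved /proc/<pid>/exe symlink (None when unreadable),
    comm the short process name from /proc/<pid>/comm.
    Constructed sample: classify_exe("/tmp/constructed/perfctl (deleted)", "perfctl")."""
    reasons: List[str] = []
    if exe_target is not None:
        if exe_target.endswith(DELETED_SUFFIX):
            # The kernel marks the link "(deleted)" when the file backing a running
            # process has been unlinked: the "erases its binary after execution"
            # behaviour quoted in the report.
            reasons.append("executable unlinked while running")
            exe_target = exe_target[: -len(DELETED_SUFFIX)]
        if exe_target.startswith(SCRATCH_DIRS):
            reasons.append("executing from scratch directory " + exe_target)
    if comm in REPORTED_NAMES:
        reasons.append("process name '%s' matches the report" % comm)
    return reasons


def scan_proc(proc_root: str = "/proc") -> Dict[int, List[str]]:
    """Walk /proc and collect suspicious processes; unreadable entries are skipped
    (exe links of other users' processes need root to resolve)."""
    findings: Dict[int, List[str]] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            exe = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:  # permission denied, or a kernel thread with no exe
            exe = None
        try:
            with open(os.path.join(proc_root, entry, "comm")) as fh:
                comm = fh.read().strip()
        except OSError:  # process exited between listdir and open
            continue
        reasons = classify_exe(exe, comm)
        if reasons:
            findings[int(entry)] = reasons
    return findings


def cpu_busy_fraction(line_before: str, line_after: str) -> float:
    """Fraction of CPU time spent non-idle between two 'cpu ...' lines from
    /proc/stat (fields: user nice system idle iowait irq softirq steal)."""
    before = [int(f) for f in line_before.split()[1:9]]
    after = [int(f) for f in line_after.split()[1:9]]
    total = sum(after) - sum(before)
    if total <= 0:
        return 0.0
    idle = (after[3] + after[4]) - (before[3] + before[4])
    return 1.0 - idle / total


def idle_mining_suspected(busy: float, sessions: int, threshold: float = 0.8) -> bool:
    """Sustained CPU load with no interactive sessions is the signal the researchers
    describe; 0.8 is an assumed threshold, tune it per host."""
    return sessions == 0 and busy >= threshold


def interactive_sessions() -> int:
    """Count logged-in sessions via `who` (one line per session)."""
    out = subprocess.run(["who"], capture_output=True, text=True, check=False).stdout
    return len([line for line in out.splitlines() if line.strip()])


def read_cpu_line() -> str:
    with open("/proc/stat") as fh:
        return fh.readline()


if __name__ == "__main__":
    import time
    for pid, reasons in sorted(scan_proc().items()):
        print(f"pid {pid}: " + "; ".join(reasons))
    first = read_cpu_line()
    time.sleep(5)
    busy = cpu_busy_fraction(first, read_cpu_line())
    sessions = interactive_sessions()
    print(f"cpu busy {busy:.0%}, interactive sessions {sessions}")
    if idle_mining_suspected(busy, sessions):
        print("sustained CPU load while idle: investigate for miner activity")
```

Run it as root so that every process's exe link resolves; a single five-second sample is only a spot check, so a cron job that logs `cpu_busy_fraction` alongside `interactive_sessions` over time gives the idle-period view the researchers refer to. The name check is the weakest signal, since the loader can be renamed; the unlinked-executable and scratch-directory checks hold regardless of name.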