A sophisticated and elusive malware known as “Perfctl,” has been discovered targeting millions of Linux servers worldwide.
Researchers at Aqua Nautilus have shed light on this malware, which has been actively exploiting over 20,000 types of misconfigurations in Linux servers over the past 3-4 years.
The Perfctl malware is particularly persistent and employs several advanced techniques to evade detection and maintain control over infected systems.
It uses rootkits to hide its presence, stops all “noisy” activities when a new user logs into the server, and communicates internally using Unix sockets and externally via TOR.
Analyse Any Suspicious Links Using ANY.RUN’s New Safe Browsing Tool: Try for Free
Key Features of Perfctl Malware
- Evasion Techniques: Perfctl deletes its binary after execution and continues to run quietly in the background as a service. It copies itself from memory to various locations on the disk, using deceptive names to blend in with typical system processes.
- Persistence Mechanisms: The malware modifies the
~/.profilescript to ensure it executes upon user login and maintains control over the system by terminating competing malware. - Exploitation: Perfctl attempts to exploit the Polkit vulnerability (CVE-2021-4043) to escalate privileges.
- Cryptomining: The primary impact of the attack is resource hijacking, with the malware executing a Monero cryptominer (XMRIG) to exhaust the server’s CPU resources.
- Proxy-Jacking: In some cases, the malware is used to execute proxy-jacking software, allowing attackers to earn money by sharing unused internet bandwidth.
To detect Perfctl malware, users should look for unusual spikes in CPU usage, system slowdowns, and suspicious binaries in the /tmp, /usr, and /root directories.
Monitoring network traffic for TOR-based communication and outbound connections to cryptomining pools or proxy-jacking services is also crucial, reads the report.
Mitigation strategies include patching vulnerabilities, restricting file execution in writable directories, disabling unused services, implementing strict privilege management, and deploying runtime protection tools that can detect rootkits and fileless malware.
Given the scale of the attacks, it is estimated that millions of Linux servers could be at risk, with thousands potentially already compromised.
The malware’s ability to target a wide range of misconfigurations makes it a significant threat to any Linux server connected to the internet.
The Perfctl malware represents a significant threat to Linux servers worldwide, emphasizing the need for robust security measures and vigilant monitoring.
Users can protect themselves against this elusive and persistent threat by understanding its tactics and taking proactive steps to secure systems.
Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Free Webinar