Perfctl Linux Malware Campaign: A Cryptomining Threat
Perfctl is a sophisticated Linux malware that actively targets misconfigured servers for cryptomining and proxyjacking. First identified by Aqua Nautilus researchers, it exploits vulnerabilities such as CVE-2023-33246 (Apache RocketMQ) and CVE-2021-4034 (PwnKit). Perfctl establishes persistence on compromised servers by blending in with legitimate processes, for example by running under the name of a Linux system binary such as “sh”, to evade detection.
Infection Chain and Techniques
The attack chain starts with misconfigurations or exposed secrets, such as publicly accessible credentials and vulnerable login interfaces. Perfctl also takes advantage of known vulnerabilities, including Apache RocketMQ and Polkit (PwnKit), to gain initial access or elevate privileges. Upon breaching a target, the malware downloads an obfuscated payload named “httpd” from an attacker-controlled server. Once executed, the payload hides by renaming itself and deleting the original binary.
Perfctl’s persistence mechanisms include copying itself to multiple directories, such as /tmp, /root/.config, /usr/bin, and /usr/lib. The malware’s use of system locations and names designed to appear legitimate, such as using “sh” as a process name, further helps it remain undetected. Additionally, Perfctl can drop a rootkit to evade detection and increase its resilience on the infected server.
Cryptocurrency Mining and Proxyjacking
The malware’s primary purpose is cryptomining, particularly using the Monero cryptocurrency. It also engages in proxyjacking, where it leverages the compromised server’s resources to reroute network traffic for malicious purposes. Perfctl’s ability to blend into normal system processes allows it to operate silently in the background, only pausing its activities when the server becomes active.
Mitigation Strategies
Mitigating the risk posed by Perfctl involves several steps, including keeping Linux systems and applications up-to-date, restricting file execution, disabling unused services, and implementing strong access controls through Role-Based Access Control (RBAC) mechanisms. Additionally, monitoring for unusual CPU spikes or system slowdowns during idle periods can help detect cryptomining activities. Network segmentation and firewalling practices should also be enforced to limit unauthorized access.
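The following POSIX shell script is an added example, not part of the original article or of the Aqua Nautilus research, showing how a defender can turn the indicators described above into host-side checks: processes executing from the persistence directories the article names (/tmp, /root/.config), processes whose on-disk binary was deleted after launch (the article notes the payload removes its original binary), and sustained CPU load while no user session is active. The function names, the 80%-of-CPU-count load threshold and the choice to flag only /tmp and /root/.config on path alone (since /usr/bin and /usr/lib also hold legitimate binaries) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: heuristic host checks for Perfctl-style activity.
# Directory names and indicators follow the article; thresholds are assumptions.

# suspicious_exe PATH
# Returns 0 when the executable path of a process warrants review:
#  - it lives in a directory the article reports Perfctl copying itself into
#    (/tmp, /root/.config), or
#  - the kernel reports the binary as "(deleted)", i.e. the file was removed
#    after the process started, matching the article's description of the
#    dropped "httpd" payload.
suspicious_exe() {
    exe=$1
    case "$exe" in
        /tmp/*|/root/.config/*) return 0 ;;
        *"(deleted)")           return 0 ;;
    esac
    return 1
}

# idle_cpu_alert LOAD1 NUSERS NCPU
# Returns 0 when the 1-minute load average exceeds 80% of the CPU count
# (assumed threshold) while no interactive sessions are logged in. This is
# the "unusual CPU during idle periods" signal the article recommends watching.
idle_cpu_alert() {
    load=$1; users=$2; ncpu=$3
    [ "$users" -eq 0 ] && awk -v l="$load" -v n="$ncpu" 'BEGIN { exit !(l > 0.8 * n) }'
}

# scan_procs
# Walks /proc and prints one REVIEW line per process whose executable path
# matches suspicious_exe. The process name (comm) is printed alongside the
# real path so a process calling itself "sh" but running from /tmp stands out.
scan_procs() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        if suspicious_exe "$exe"; then
            name=$(cat "$p/comm" 2>/dev/null)
            echo "REVIEW pid=${p#/proc/} comm=$name exe=$exe"
        fi
    done
}

main() {
    scan_procs
    load=$(cut -d' ' -f1 /proc/loadavg 2>/dev/null)
    users=$(who 2>/dev/null | wc -l)
    ncpu=$(nproc 2>/dev/null)
    if idle_cpu_alert "${load:-0}" "${users:-0}" "${ncpu:-1}"; then
        echo "ALERT load=$load with no logged-in users (possible cryptomining)"
    fi
}

main "$@"
```

Run it as root from cron or a monitoring agent; REVIEW lines are leads for an analyst, not verdicts, since legitimate software occasionally runs from /tmp and a package upgrade can leave a long-running daemon with a "(deleted)" binary until restart. The value of the script is in cross-referencing the three signals the article gives, not in any single one.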
Conclusion
Perfctl represents a significant threat to Linux servers, particularly those that are misconfigured or unpatched. Its stealthy techniques, combined with its focus on cryptomining and proxyjacking, make it essential for organizations to stay vigilant and enforce robust security practices to mitigate these evolving threats.