A sophisticated and elusive malware strain known as “Perfctl” has been found targeting millions of Linux servers worldwide. Researchers at Aqua Nautilus have shed light on this malware, which has been actively exploiting over 20,000 types of misconfigurations in Linux servers over the past 3-4 years.
The Perfctl malware is extremely persistent and uses several advanced strategies to evade detection and maintain control over infected systems. It uses rootkits to hide its presence, stops all “noisy” activity when a new user logs into the server, and communicates internally over Unix sockets and externally via TOR.
Essential Features of Perfctl Malware
- Evasion Strategies: Perfctl deletes its binary after execution and continues to run quietly in the background as a service. It copies itself from memory to various locations on disk, using deceptive names to blend in with typical system processes.
- Persistence Tools: The malware modifies the ~/.profile script to ensure it executes upon user login, and it retains control over the system by removing competing malware.
- Exploitation: Perfctl attempts to exploit the Polkit vulnerability (CVE-2021-4043) to escalate privileges.
- Cryptomining: The primary effect of the attack is resource hijacking, with the malware running a Monero cryptominer (XMRIG) that exhausts the server’s CPU resources.
- Proxy-Jacking: In some cases, the malware is used to deploy proxy-jacking software, allowing attackers to earn money by sharing the victim’s unused internet bandwidth.
To detect Perfctl malware, administrators should look for unusual spikes in CPU usage, system slowdowns, and suspicious binaries in the /tmp, /usr, and /root directories. Monitoring network traffic for TOR-based communication and outbound connections to cryptomining pools or proxy-jacking services is also essential, according to the report.
Mitigation techniques include patching vulnerabilities, restricting file execution in writable directories, disabling unused services, enforcing strict privilege management, and deploying runtime security tools that can detect rootkits and fileless malware. Given the scale of the attacks, it is estimated that millions of Linux servers could be at risk, with thousands potentially already compromised.
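As an added example (not code from the article or from the Aqua Nautilus report), the following POSIX shell script turns the detection and mitigation advice above into host checks an administrator can run: login hooks planted in ~/.profile, executables dropped in writable directories, processes running from deleted binaries, and CPU hogs. The scanned directories, the profile path and the 80% CPU threshold are assumptions.

```shell
#!/bin/sh
# Added example, not code from the Aqua Nautilus report: host checks for the
# Perfctl indicators the article lists. Paths and thresholds are assumptions.

# Login-hook check: print lines of a profile script that launch something from
# a writable directory or detach a background process. Returns 0 if any found.
find_profile_hooks() {
    # $1 = profile file to scan (e.g. "$HOME/.profile")
    [ -r "$1" ] || return 1
    grep -nE '/tmp/|/var/tmp/|/dev/shm/|nohup |setsid ' "$1" \
        | grep -vE '^[0-9]+:[[:space:]]*#'   # drop commented-out lines
}

# Dropped binaries: regular files with the execute bit under a directory that
# ordinary users can write to (the article names /tmp among others).
find_writable_dir_executables() {
    # $1 = directory to scan
    find "$1" -xdev -type f -perm -100 2>/dev/null
}

# Fileless execution: a process whose binary was unlinked after launch has a
# /proc/<pid>/exe link whose target ends in " (deleted)".
find_deleted_exe_processes() {
    for exe in /proc/[0-9]*/exe; do
        target=$(readlink "$exe" 2>/dev/null) || continue
        case "$target" in
            *' (deleted)') printf '%s %s\n' "${exe%/exe}" "$target" ;;
        esac
    done
}

# Resource hijacking: processes above a CPU percentage threshold (default 80).
find_cpu_hogs() {
    ps -eo pid,pcpu,comm 2>/dev/null | awk -v t="${1:-80}" 'NR > 1 && $2 + 0 > t'
}

run_all_checks() {
    echo "== login hooks in $HOME/.profile"; find_profile_hooks "$HOME/.profile"
    for d in /tmp /var/tmp /dev/shm; do
        echo "== executables in $d"; find_writable_dir_executables "$d"
    done
    echo "== processes running from deleted binaries"; find_deleted_exe_processes
    echo "== processes above 80% CPU"; find_cpu_hogs 80
}

run_all_checks
```

A hit in any section is a lead to investigate, not proof of compromise: build pipelines and package managers legitimately drop executables in /tmp, and upgraded daemons show as "(deleted)" until restarted.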
The malware’s ability to target a wide spectrum of misconfigurations makes it a significant danger to any Linux server connected to the internet. Perfctl represents a considerable threat to Linux servers worldwide, highlighting the need for strong security practices and vigilant monitoring. Users can protect themselves against this elusive and persistent threat by understanding its tactics and taking proactive steps to secure their systems.