Misconfigured and vulnerable Linux servers have become the latest target of a stealthy malware campaign delivering a threat dubbed perfctl, primarily aimed at running cryptocurrency miners and proxyjacking software. According to Aqua Security researchers Assaf Morag and Idan Revivo, perfctl is notable for its elusiveness and persistence, leveraging advanced techniques to avoid detection.
"When a new user logs into the server, it immediately stops all 'noisy' activities, lying dormant until the server is idle again," the researchers noted. Once active, the malware deletes its binary and continues running quietly in the background as a service, blending into system processes.
Polkit Exploitation and Fileless Attacks
The campaign exploits a known vulnerability in Polkit (CVE-2021-4043, also known as PwnKit), which allows the malware to escalate privileges to root. From there, it drops a cryptocurrency miner dubbed perfcc. The name "perfctl" is designed to avoid suspicion by mimicking legitimate Linux tools like the performance monitoring utility "perf" and various control tools with the "ctl" suffix.
The malware is particularly tricky to detect due to its fileless nature. The attack begins by breaching Linux servers through a vulnerable Apache RocketMQ instance, delivering a payload named "httpd." After execution, the malware copies itself to a new location in the /tmp directory, terminates the original process, and deletes the initial binary, effectively erasing its tracks.
Cryptocurrency Mining and Proxyjacking
Once deployed, perfctl drops a rootkit to evade detection and also installs a cryptocurrency miner. In some cases, it retrieves proxyjacking software from a remote server to further exploit compromised systems. Proxyjacking allows cybercriminals to hijack a server's resources for routing proxy traffic through it, which can serve a variety of malicious purposes.
The malware's stealth features are enhanced by its ability to stop "noisy" activities, such as mining, when an active user is logged into the system, resuming only when the system is idle. This behavior ensures that the malware can avoid drawing attention to its presence for extended periods.
Mitigation Strategies
To mitigate the risks posed by perfctl, security experts recommend keeping systems and all software up to date, enforcing strict file execution policies, and disabling unused services. Additional measures include network segmentation and Role-Based Access Control (RBAC) to restrict access to sensitive files.
"To detect perfctl malware, monitor for unusual spikes in CPU usage or system slowdowns," the researchers advise. These indicators, especially during idle times, may suggest crypto mining activities.
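As an added example, not taken from the Aqua report or this article, the following Python script turns the behaviours described above (binary deleted after launch, execution from /tmp, process names mimicking "perf"/"ctl" tools, high load only while nobody is logged in) into a host check a defender can run on a Linux server. The scratch-directory list, the trusted-path prefixes, the load ratio and the use of /dev/pts as a rough proxy for interactive sessions are assumptions chosen for illustration.

```python
import os
from dataclasses import dataclass
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
MIMIC_NAMES = ("perfctl", "perfcc", "httpd")  # process names the campaign reuses
TRUSTED = ("/usr/", "/bin/", "/sbin/", "/opt/")  # assumption: package-managed paths

@dataclass
class ProcInfo:
    pid: int
    comm: str  # contents of /proc/<pid>/comm
    exe: str   # target of /proc/<pid>/exe, "" if unreadable

def classify(p: ProcInfo) -> list[str]:
    """Return the perfctl-style indicators a process shows (empty = nothing found)."""
    flags = []
    if p.exe.endswith(" (deleted)"):     # binary unlinked after launch, still running
        flags.append("exe-deleted")
    if p.exe.startswith(SUSPECT_DIRS):   # executing out of a scratch directory
        flags.append("exe-in-tmp")
    if p.comm in MIMIC_NAMES and not p.exe.startswith(TRUSTED):
        flags.append("name-mimic")      # perf/ctl lookalike outside package paths
    return flags

def idle_high_load(load1: float, ncpu: int, logged_in: int, ratio: float = 0.8) -> bool:
    """High 1-minute load with nobody logged in: the window in which the miner runs."""
    return logged_in == 0 and load1 > ratio * ncpu

def collect_live() -> list[ProcInfo]:
    """Snapshot /proc; run as root so every process's exe link resolves."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
        except OSError:
            continue  # process exited mid-scan
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = ""  # kernel thread or insufficient privilege
        procs.append(ProcInfo(int(pid), comm, exe))
    return procs

if __name__ == "__main__":
    for p in collect_live():
        if flags := classify(p):
            print(f"pid={p.pid} comm={p.comm} exe={p.exe!r} flags={flags}")
    users = len(os.listdir("/dev/pts")) - 1  # open ptys minus ptmx: rough session proxy
    if idle_high_load(os.getloadavg()[0], os.cpu_count() or 1, users):
        print("ALERT: sustained load with no interactive sessions (idle-time mining?)")
```

Because the malware pauses when a user logs in, run the load check from cron or a monitoring agent rather than from an interactive shell, so the measurement itself does not silence the activity it is looking for.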
In conclusion, the rise of perfctl malware underscores the growing threat posed by cybercriminals targeting vulnerable Linux servers. By employing sophisticated evasion techniques, these campaigns can silently exploit resources for cryptocurrency mining and proxyjacking, making timely detection and mitigation critical for safeguarding affected systems.
© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067