Perfctl malware targets millions of Linux servers

Perfctl, a stealthy malware, is actively targeting millions of Linux servers worldwide. Discovered by Aqua Nautilus researchers, it exploits over 20,000 different server misconfigurations.

This campaign has been ongoing for 3 to 4 years, allowing attackers to compromise vulnerable systems and potentially gain control over them.

Perfctl is highly persistent: it uses rootkits to stay hidden, pauses its noisier activity whenever a user logs in, and communicates over Unix sockets and TOR to avoid detection.

Key Features of Perfctl Malware:

  • Evasion: Deletes its own binary after execution, runs as a hidden service, and mimics the names of legitimate system processes.
  • Persistence: Modifies the ~/.profile script so the malware is relaunched on login, and removes competing malware.
  • Exploitation: Exploits the Polkit vulnerability (CVE-2021-4043) to escalate privileges.
  • Cryptomining: Deploys the XMRIG Monero cryptominer, draining CPU resources.
  • Proxy-Jacking: Uses proxy-jacking software to profit from the server's unused internet bandwidth.

According to the report, Perfctl can be detected by checking for unexpected CPU spikes, system slowdowns, and suspicious files in the /tmp, /usr, and /root directories, and by monitoring network traffic for TOR communication and for connections to cryptomining or proxy-jacking services.
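The following triage script is an added example, not code from the report or from FirstHackersNews. It checks a host for the traces the article describes: processes still running from a binary that was deleted after launch, executables staged in world-writable temp directories, and login hooks added to .profile. The directory arguments are parameters so the checks can also be run against a constructed fixture.

```shell
#!/bin/sh
# Added triage helper, not code from the Aqua Nautilus report. It looks for the
# traces the article lists: processes whose binary was deleted after launch,
# executables staged in world-writable directories, and login hooks in .profile.
# The directory arguments exist so the checks can be run against a fixture.

# A process still running from an unlinked binary shows "(deleted)" in its exe
# link; prints "<pid> <path>" per hit. Argument: a /proc-style root.
find_deleted_exe() {
  for exe in "$1"/[0-9]*/exe; do
    [ -L "$exe" ] || continue
    target=$(readlink "$exe" 2>/dev/null) || continue
    case "$target" in
      *"(deleted)") printf '%s %s\n' "$(basename "$(dirname "$exe")")" "$target" ;;
    esac
  done
}

# Executable regular files under the given directories (e.g. /tmp, /var/tmp,
# /dev/shm), which the mitigation list says should not be allowed to run code.
find_exec_in_tmp() {
  for dir in "$@"; do
    [ -d "$dir" ] || continue
    find "$dir" -xdev -type f -perm -u+x 2>/dev/null
  done
}

# Lines in a login script that launch something out of a temp directory, the
# persistence hook the article describes. Argument: path to a .profile file.
find_profile_hooks() {
  [ -f "$1" ] || return 0
  grep -nE '/tmp/|/var/tmp/|/dev/shm/' "$1"
}

# Live run against the real host; output is for a human to triage, not a verdict.
run_triage() {
  echo "== processes running from deleted binaries"; find_deleted_exe /proc
  echo "== executables in temp directories"; find_exec_in_tmp /tmp /var/tmp /dev/shm
  echo "== login hooks"; for p in /root/.profile /home/*/.profile; do
    find_profile_hooks "$p" | sed "s|^|$p:|"; done
  echo "== top CPU consumers (unexpected miners show up here)"
  ps -eo pid,pcpu,comm | sort -k2 -nr | head -5
}

if [ "${1:-}" = "--run" ]; then run_triage; fi
```

Run it as root with `--run`; a hit is a lead for investigation (compare against the file and network indicators in the report), not proof of compromise on its own.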

Mitigation

  • Patch vulnerabilities regularly.
  • Restrict file execution in writable directories.
  • Disable unused services.
  • Implement strict privilege management.
  • Deploy runtime protection tools to detect rootkits and fileless malware.

Given the widespread attacks, millions of Linux servers could be at risk, with thousands potentially compromised. Perfctl targets various misconfigurations, posing a significant threat to any internet-connected Linux server.

To defend against this threat, users should adopt robust security measures and stay vigilant in monitoring their systems.

About the Author:

FirstHackersNews - Identifies Security