Misconfigured and vulnerable Linux servers are the target of an ongoing campaign that delivers a stealthy malware dubbed perfctl with the primary aim of running a cryptocurrency miner and proxyjacking software.
“Perfctl is particularly elusive and persistent, employing several sophisticated techniques,” Aqua security researchers Assaf Morag and Idan Revivo said in a report shared with The Hacker News.
“When a new user logs into the server, it immediately stops all ‘noisy’ activities, lying dormant until the server is idle again. After execution, it deletes its binary and continues to run quietly in the background as a service.”
It’s worth noting that some aspects of the campaign were disclosed last month by Cado Security, which detailed an activity cluster that targets internet-exposed Selenium Grid instances with both cryptocurrency mining and proxyjacking software.
Specifically, the fileless perfctl malware has been found to exploit a security flaw in Polkit (CVE-2021-4043, aka PwnKit) to escalate privileges to root and drop a miner called perfcc.
The reason behind the name “perfctl” appears to be a deliberate effort to evade detection and blend in with legitimate system processes, as “perf” refers to a Linux performance monitoring tool and “ctl” is a commonly used suffix that signifies control in various command-line tools, such as systemctl, timedatectl, and rabbitmqctl.
The attack chain, as observed by the cloud security firm against its honeypot servers, involves breaching Linux servers by exploiting a vulnerable Apache RocketMQ instance to deliver a payload named “httpd.”
Once executed, it copies itself to a new location in the “/tmp” directory, runs the new binary, terminates the original process, and deletes the initial binary in an attempt to cover its tracks.
Besides copying itself to other locations and giving itself seemingly innocuous names, the malware is engineered to drop a rootkit for defense evasion and the miner payload. Some instances also entail the retrieval and execution of proxyjacking software from a remote server.
To mitigate the risk posed by perfctl, it’s recommended to keep systems and all software up-to-date, restrict file execution, disable unused services, enforce network segmentation, and implement Role-Based Access Control (RBAC) to limit access to critical files.
“To detect perfctl malware, you look for unusual spikes in CPU usage, or system slowdown if the rootkit has been deployed on your server,” the researchers said. “These may indicate crypto mining activities, especially during idle times.”