New Perfctl Malware Targets Linux Servers for Cryptocurrency Mining and Proxyjacking

Oct 03, 2024Ravie LakshmananLinux / Malware

Linux servers are the target of an ongoing campaign that delivers a stealthy malware dubbed perfctl with the primary goal of running a cryptocurrency miner and proxyjacking software.

“Perfctl is particularly elusive and persistent, employing several sophisticated techniques,” Aqua security researchers Assaf Morag and Idan Revivo said in a report shared with The Hacker News.

“When a new user logs into the server, it immediately stops all ‘noisy’ activities, lying dormant until the server is idle again. After execution, it deletes its binary and continues to run quietly in the background as a service.”

It is worth noting that some aspects of the campaign were disclosed last month by Cado Security, which detailed a campaign that targets internet-exposed Selenium Grid instances with both cryptocurrency mining and proxyjacking software.

Specifically, the perfctl malware has been found to exploit a security flaw in Polkit (CVE-2021-4043, aka PwnKit) to escalate privileges to root and drop a miner referred to as perfcc.


The reason behind the name “perfctl” appears to be a deliberate effort to evade detection and blend in with legitimate system processes, as “perf” refers to a Linux performance monitoring tool and “ctl” signifies control in various command-line tools, such as systemctl, timedatectl, and rabbitmqctl.

The attack chain, as observed by the cloud security firm against its honeypot servers, involves breaching Linux servers by exploiting a vulnerable Apache RocketMQ instance to deliver a payload named “httpd.”

Cryptocurrency Mining and Proxyjacking

Once executed, it copies itself to a new location in the “/tmp” directory, runs the new binary, terminates the original process, and deletes the initial binary in an attempt to cover its tracks.

Besides copying itself to other locations and giving itself seemingly innocuous names, the malware is engineered to drop a rootkit for defense evasion and the miner payload. Some instances also entail the retrieval and execution of proxyjacking software from a remote server.
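The behaviour described above, a process that launches a copy of itself from /tmp and then deletes the file it is running from, leaves a visible trace on Linux: the kernel appends " (deleted)" to the target of /proc/PID/exe when the executable is unlinked. The following script is an added example written for this article, not code from Aqua or from the researchers, and it shows how a defender can sweep a /proc tree for processes that run from a deleted executable or from a world-writable directory. The process names, PIDs and paths in build_sample_proc are constructed sample data, not indicators from the report; the only real names reused are the "httpd" and "perfctl" labels the article mentions.

```python
import os
import tempfile
from pathlib import Path

# Directories where a legitimate long-running service binary should not live.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def classify_process(exe_target: str):
    """Return the reasons a process's /proc/PID/exe target looks suspicious.

    An empty list means nothing stood out. Two signals are checked:
    - the kernel marks an unlinked executable with a trailing " (deleted)"
    - the executable path sits in a world-writable scratch directory
    """
    reasons = []
    if exe_target.endswith(" (deleted)"):
        reasons.append("running from a deleted executable")
    if exe_target.startswith(WRITABLE_DIRS):
        reasons.append("executable located in a world-writable directory")
    return reasons


def suspicious_processes(proc_root="/proc"):
    """Walk a /proc-style tree and report processes worth a closer look.

    Works on the real /proc (run as root to read every exe link) or on a
    constructed tree such as the one build_sample_proc() produces.
    """
    findings = []
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue  # skip /proc/self, /proc/sys, etc.
        pid = int(entry.name)
        try:
            exe = os.readlink(entry / "exe")
        except OSError:
            continue  # kernel thread, permission denied, or process already gone
        try:
            comm = (entry / "comm").read_text().strip()
        except OSError:
            comm = "?"
        reasons = classify_process(exe)
        if reasons:
            findings.append({"pid": pid, "comm": comm, "exe": exe, "reasons": reasons})
    return sorted(findings, key=lambda f: f["pid"])


def build_sample_proc(root):
    """Create a constructed, fake /proc tree for offline demonstration.

    The entries are invented: a benign sshd, an 'httpd' whose binary was
    deleted after launch (the pattern the article describes), a 'perfctl'
    copy living in /tmp, and a directory with no readable exe link.
    """
    samples = {
        "101": ("sshd", "/usr/sbin/sshd"),
        "202": ("httpd", "/tmp/httpd (deleted)"),
        "303": ("perfctl", "/tmp/perfctl"),
    }
    for pid, (comm, exe) in samples.items():
        d = Path(root) / pid
        d.mkdir()
        (d / "comm").write_text(comm + "\n")
        os.symlink(exe, d / "exe")  # dangling symlink is fine; only the target string matters
    (Path(root) / "404").mkdir()    # numeric dir without an exe link: must be skipped
    (Path(root) / "self").mkdir()   # non-numeric entry: must be skipped


def demo():
    """Run the sweep over the constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_proc(tmp)
        return suspicious_processes(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"pid {f['pid']:>6} {f['comm']:<12} {f['exe']}")
        for r in f["reasons"]:
            print(f"{'':>19} - {r}")
```

Against a live host, call suspicious_processes() with the default argument; a deleted-executable hit is not proof of compromise on its own (package upgrades leave daemons in the same state until restart), so pair it with the CPU-usage check the researchers recommend and with the parent process and the path the binary was copied from.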

To mitigate the risk posed by perfctl, it is recommended to keep systems and all software up-to-date, restrict file execution, disable unused services, implement network segmentation, and enforce Role-Based Access Control (RBAC) to limit access to critical files.

“To detect perfctl malware, you look for unusual spikes in CPU usage, or system slowdown if the rootkit has been deployed on your server,” the researchers stated. “These may indicate crypto mining activities, especially during idle times.”
