A fileless malware known as “perfctl” has been infecting Linux servers globally in an ongoing campaign, targeting millions of machines with over 20,000 exploits for common misconfigurations and a critical vulnerability in Apache RocketMQ.

Description

Perfctl has been active since at least 2021 [1]. It mines cryptocurrency [2], rents out the infected host as a proxy for profit (proxyjacking) [5], and serves as a backdoor for other malicious activity [1]; threat actors have been observed accessing infected servers to deploy additional utilities [4].

Infection begins with the exploitation of vulnerabilities or misconfigurations to download a payload from an attacker-controlled server [5]. The malware copies itself to the ‘/tmp’ directory [5] and changes its name to blend in with legitimate processes [5]. It then attempts to exploit a security flaw in Polkit to escalate privileges and drop a miner [3] [4].

To stay hidden, perfctl uses rootkits and cloaking mechanisms [1], process masquerading [2], Unix sockets [1] [4] and Tor for communication [2] [4]. It stops its ‘noisy’ activities whenever a new user logs in and otherwise runs quietly in the background [3] [5]. Its persistence methods are designed to defeat detection and removal [1]: efforts to eradicate it have been unsuccessful, as it restarts after each removal attempt. The threat actor behind perfctl is suspected to be financially motivated and uses techniques advanced enough to resemble those of state-sponsored actors [5].

Recommended defences are to patch vulnerabilities, restrict file execution [2] [3], disable unnecessary services [2] [3], enforce strict privilege management [2], implement network segmentation [2] [3], and deploy runtime protection tools [2]. Aqua Security researchers specifically recommend setting noexec on writable directories so that perfctl binaries cannot execute from them [5]. Unusual spikes in CPU usage or system slowdown may indicate cryptomining activity [3]. Visibility into the environment is crucial, as it allows defenders to connect the dots and understand what is running [5].
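The two host-side checks that follow from the description above, written here as an added example (not code from any of the cited articles): parse /proc/mounts to find writable directories that lack the noexec option Aqua recommends, and list live processes whose executable lives under one of those directories, as a perfctl binary copied to /tmp would. Only /tmp comes from the articles; /var/tmp and /dev/shm are included as an assumption, and the sample mount table is constructed.

```python
"""Audit writable mounts for noexec and flag processes executing from them."""
import os

# /tmp is named in the articles; /var/tmp and /dev/shm are added here as assumptions.
WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

# Constructed sample of /proc/mounts content so the check runs offline.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 /var/tmp ext4 rw,relatime 0 0
"""

def parse_mounts(text):
    """Map mount point -> list of mount options, from /proc/mounts text."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            # /proc/mounts encodes spaces in paths as \040
            mounts[fields[1].replace("\\040", " ")] = fields[3].split(",")
    return mounts

def mount_for(path, mounts):
    """Longest mount point that contains `path` (falls back to '/')."""
    best = "/"
    for mp in mounts:
        inside = path == mp or path.startswith(mp.rstrip("/") + "/")
        if inside and len(mp) > len(best):
            best = mp
    return best

def missing_noexec(text, dirs=WRITABLE_DIRS):
    """Writable dirs whose governing mount lacks the noexec option."""
    mounts = parse_mounts(text)
    return [d for d in dirs if "noexec" not in mounts.get(mount_for(d, mounts), [])]

def procs_running_from(dirs=WRITABLE_DIRS, proc="/proc"):
    """(pid, exe) pairs for live processes whose binary lives in a writable dir."""
    hits = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            exe = os.readlink(f"{proc}/{pid}/exe")
        except OSError:
            continue  # process exited or not readable by this user
        if any(exe.startswith(d + "/") for d in dirs):
            hits.append((int(pid), exe))
    return hits
```

On a live host, call `missing_noexec(open("/proc/mounts").read())` and `procs_running_from()`; a non-empty result from either is worth investigating alongside the CPU-usage indicator the articles mention.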

Conclusion

The impact of perfctl on Linux servers is significant, with its ability to evade detection and persistently infect systems. Mitigations such as patching vulnerabilities, restricting file execution [2] [3], and implementing strict privilege management are essential to defend against this threat. Future implications include the need for enhanced security measures and vigilance to protect against evolving malware threats.

References

[1] https://arstechnica.com/security/2024/10/persistent-stealthy-linux-malware-has-infected-thousands-since-2021/
[2] https://www.darkreading.com/threat-intelligence/perfctl-fileless-malware-targets-millions-linux-servers
[3] https://thehackernews.com/2024/10/new-perfctl-malware-targets-linux.html
[4] https://itnerd.blog/2024/10/03/linux-servers-being-exploited-by-misconfigurations-by-perfctl-malware/
[5] https://www.techtarget.com/searchSecurity/news/366612756/Cryptomining-perfctl-malware-swarms-Linux-machines