
    Perfctl Malware Campaign Strikes Linux Servers for Cryptocurrency Mining and Proxyjacking

    A persistent campaign is currently focused on Linux servers, unleashing a cunning malware known as perfctl, designed primarily for executing cryptocurrency mining operations and facilitating proxyjacking activities.

    According to Aqua Security researchers Assaf Morag and Idan Revivo, “Perfctl is particularly elusive and persistent, employing several sophisticated techniques.” In their report shared with The Hacker News, they detail how this malware behaves.

    “When a new user logs into the server, it immediately halts all ‘noisy’ operations, lying dormant until the server returns to an idle state. Following execution, it obliterates its binary while continuing to operate discreetly as a background service.”

    It is noteworthy that certain elements of this campaign were previously unveiled by Cado Security last month, which chronicled a campaign targeting internet-exposed Selenium Grid instances for both cryptocurrency mining and proxyjacking purposes.

    Specifically, the perfctl malware has been discovered exploiting a vulnerability in Polkit (CVE-2021-4043, commonly referred to as PwnKit) to elevate its privileges to root and deploy a miner known as perfcc.

    The nomenclature “perfctl” appears to be a calculated strategy to avoid detection and seamlessly integrate with legitimate system processes, with “perf” denoting a Linux performance monitoring tool and “ctl” representing control in various command-line utilities, such as systemctl, timedatectl, and rabbitmqctl.

    The attack sequence, as recorded by the cloud security firm on its honeypot servers, involves infiltrating Linux servers through a compromised Apache RocketMQ instance to deliver a payload identified as “httpd.”

    Upon execution, the malware replicates itself to a different location within the “/tmp” directory, initiates the new binary, terminates the original process, and eliminates the initial binary in a bid to erase its traces.

    In addition to duplicating itself across various locations and adopting seemingly harmless names, the malware is meticulously crafted to deploy a rootkit for stealth evasion alongside the miner payload. In certain scenarios, it also involves retrieving and executing proxyjacking software from a remote server.

    To mitigate the threats posed by perfctl, it is advisable to maintain updated systems and software, restrict file execution, disable unused services, enforce network segmentation, and implement Role-Based Access Control (RBAC) to restrict access to critical files.

    “To identify perfctl malware, monitor for unusual surges in CPU utilization or system slowdowns if the rootkit has been deployed on your server,” the researchers advised. “Such indicators may suggest cryptocurrency mining activities, particularly during periods of inactivity.”
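    The two indicators the article gives a defender to work with are behavioural: sustained CPU consumption while nobody is logged in (the researchers' advice above), and a service that keeps running after deleting its own binary from a temp directory (the behaviour described earlier). The script below is an added example written for this page, not code from Aqua Security or from the report; it samples the aggregate `cpu` line of `/proc/stat` together with a session count and flags long runs of high utilisation with zero sessions, and it classifies `/proc/<pid>/exe` link targets that end in `(deleted)` or point into world-writable temp directories. The sample counter lines, session counts and the `/tmp/httpd (deleted)` target are constructed test data; the threshold, window length and directory list are assumptions to tune per host.

```python
"""Host-side heuristics for the perfctl indicators described in the report:
idle-time CPU surges and processes running from deleted or temp-dir binaries.
Added example; thresholds and sample data are constructed, not from the report."""
import os
from dataclasses import dataclass

# Directories a legitimate long-running service on a server rarely executes from
# (assumption: adjust for hosts that legitimately run software from these paths).
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_proc_stat_cpu(line: str) -> tuple[int, int]:
    """Return (busy_jiffies, total_jiffies) from the aggregate 'cpu' line of /proc/stat.
    Field order: user nice system idle iowait irq softirq steal guest guest_nice;
    guest time is already included in user/nice, so only the first eight are summed."""
    fields = line.split()
    if not fields or fields[0] != "cpu":
        raise ValueError("expected the aggregate 'cpu' line from /proc/stat")
    values = [int(v) for v in fields[1:9]]
    idle = values[3] + values[4]          # idle + iowait
    total = sum(values)
    return total - idle, total


def cpu_utilisation(prev_line: str, cur_line: str) -> float:
    """Fraction of CPU time spent busy between two /proc/stat snapshots."""
    busy0, total0 = parse_proc_stat_cpu(prev_line)
    busy1, total1 = parse_proc_stat_cpu(cur_line)
    elapsed = total1 - total0
    return 0.0 if elapsed <= 0 else (busy1 - busy0) / elapsed


@dataclass(frozen=True)
class Sample:
    stat_line: str   # aggregate 'cpu' line captured from /proc/stat
    sessions: int    # interactive sessions at capture time (e.g. from `who`)


def idle_time_cpu_alerts(samples, threshold=0.8, min_consecutive=3):
    """Return (first_idx, last_idx, mean_util) for every run of at least
    `min_consecutive` intervals where utilisation stayed >= threshold while
    no interactive session existed: the 'mining while idle' pattern."""
    alerts, run = [], []

    def flush():
        if len(run) >= min_consecutive:
            mean = sum(u for _, u in run) / len(run)
            alerts.append((run[0][0], run[-1][0], round(mean, 3)))
        run.clear()

    for i in range(1, len(samples)):
        util = cpu_utilisation(samples[i - 1].stat_line, samples[i].stat_line)
        if util >= threshold and samples[i].sessions == 0:
            run.append((i, util))
        else:
            flush()
    flush()
    return alerts


def suspicious_exe(exe_target: str) -> list[str]:
    """Reasons a /proc/<pid>/exe link target looks like a self-deleting or
    temp-dir payload; an empty list means nothing notable."""
    reasons = []
    if exe_target.endswith(" (deleted)"):
        reasons.append("binary deleted while process still running")
        exe_target = exe_target[: -len(" (deleted)")]
    if exe_target.startswith(SUSPECT_DIRS):
        reasons.append("executing from a world-writable temp directory")
    return reasons


def scan_running_processes() -> list[tuple[int, str, list[str]]]:
    """Live check over /proc (requires Linux; unreadable links are skipped)."""
    findings = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            target = os.readlink(f"/proc/{name}/exe")
        except OSError:
            continue
        reasons = suspicious_exe(target)
        if reasons:
            findings.append((int(name), target, reasons))
    return findings


# Constructed snapshots: 100 jiffies apart; intervals 2-5 are 95% busy with no
# sessions, then a user logs in and the load drops, as the report describes.
CONSTRUCTED_SAMPLES = [
    Sample("cpu 1000 0 500 8000 100 0 0 0 0 0", 0),
    Sample("cpu 1005 0 505 8090 100 0 0 0 0 0", 0),
    Sample("cpu 1085 0 520 8095 100 0 0 0 0 0", 0),
    Sample("cpu 1165 0 535 8100 100 0 0 0 0 0", 0),
    Sample("cpu 1245 0 550 8105 100 0 0 0 0 0", 0),
    Sample("cpu 1325 0 565 8110 100 0 0 0 0 0", 0),
    Sample("cpu 1330 0 570 8200 100 0 0 0 0 0", 1),
]

if __name__ == "__main__":
    print("idle-time CPU alerts:", idle_time_cpu_alerts(CONSTRUCTED_SAMPLES))
    print("constructed exe target:", suspicious_exe("/tmp/httpd (deleted)"))
    print("live /proc findings:", scan_running_processes())
```

In production the sampler would be a cron or timer job writing one `Sample` per minute and feeding the last hour into `idle_time_cpu_alerts`; the session count is what turns a plain load alert into the specific "busy only when nobody is watching" signal the researchers point at. The `(deleted)` check is worth running on its own schedule, since a rootkit that hides the process from `ps` may still leave the `/proc/<pid>/exe` link readable to root.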
