Linux servers are being targeted by an ongoing campaign that delivers stealthy malware called perfctl with the main purpose of launching a cryptocurrency miner and hacking software.
“Perfctl is particularly elusive and persistent, using several sophisticated techniques,” Aqua Security researchers Assaf Morag and Idan Revivo said in a report shared with The Hacker News.
“When a new user logs into a server, they immediately stop all ‘noisy’ activity, lying dormant until the server is idle again. Once executed, it deletes the binary and continues to run quietly in the background as a service.”
It should be noted that some aspects of the campaign were disclosed last month by Cado Security, which detailed a campaign that targeted exposed instances of Selenium Grid on the Internet with both cryptocurrency mining software and proxy-jacking.
Specifically, the perfctl malware was found to exploit a security flaw in Polkit (CVE-2021-4043, also known as PwnKit) to elevate privileges to root and drop a miner called perfcc.
The name “perfctl” appears to be a deliberate attempt to avoid detection and blend in with legitimate system processes, as “perf” refers to the Linux performance monitoring tool and “ctl” denotes control in various command line tools such as systemctl, timedatectl and rabbitmqctl.
The chain of attacks observed by the cloud security company against its honeypot servers involves compromising Linux servers by using a vulnerable instance of Apache RocketMQ to deliver a payload called “httpd”.
Once executed, it copies itself to a new location in the “/tmp” directory, runs the new binary, terminates the original process, and deletes the original binary in an attempt to cover its tracks.
In addition to copying itself to other locations and giving itself seemingly innocuous names, the malware is designed to drop a rootkit to evade defenses, as well as the miner payload. Some cases also involve fetching and executing the hacking software from a remote server.
To reduce the risk posed by perfctl, it is recommended to keep systems and all software up-to-date, limit file execution, disable unused services, ensure network segmentation, and implement role-based access control (RBAC) to limit access to critical files.
“To detect perfctl malware, you look for unusual spikes in CPU usage or system slowdowns when a rootkit has been deployed on your server,” the researchers said. “This could indicate crypto mining activity, especially during downtime.”
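The behaviours the article describes (a binary that runs from /tmp, unlinks itself once running, and burns CPU while the server is idle) are all visible in /proc, so a defender can check for them without any signature. The script below is an added illustration written for this page; it is not Aqua's or Cado's tooling. The process names it knows (perfctl, perfcc, httpd) come from the article, the scratch directories, the CPU threshold and the sample process records are constructed assumptions, and because “httpd” is also the legitimate Apache process name, a name match on its own never flags anything.

```python
"""Flag running processes that show the traits the article attributes to perfctl.

Added example (not from the report). Indicators checked per process:
  * /proc/<pid>/exe points at a file the kernel marks "(deleted)"
  * the executable lives in a world-writable scratch directory such as /tmp
  * the process has accumulated an unusually large amount of CPU time
A name from the report only adds context when another indicator already fired.
"""
import os
from dataclasses import dataclass

# Constructed assumption: a long-lived service binary rarely lives in these.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Process names taken from the article. "httpd" is also Apache's real name,
# so it is never sufficient on its own.
REPORTED_NAMES = {"perfctl", "perfcc", "httpd"}


@dataclass
class ProcInfo:
    pid: int
    exe: str        # readlink(/proc/<pid>/exe); kernel appends " (deleted)" if unlinked
    comm: str       # contents of /proc/<pid>/comm
    cpu_ticks: int  # utime + stime from /proc/<pid>/stat (clock ticks since start)


def indicators(p: ProcInfo, cpu_tick_threshold: int) -> list:
    """Return the suspicious traits observed for one process (empty if clean)."""
    hits = []
    if p.exe.endswith(" (deleted)"):
        hits.append("binary deleted while running")
    if p.exe.startswith(SCRATCH_DIRS):
        hits.append("executing from scratch directory")
    if p.cpu_ticks > cpu_tick_threshold:
        hits.append("sustained high CPU")
    exe_name = os.path.basename(p.exe.removesuffix(" (deleted)"))
    if hits and (p.comm in REPORTED_NAMES or exe_name in REPORTED_NAMES):
        hits.append(f"name '{p.comm}' matches report")
    return hits


def find_suspicious(procs, cpu_tick_threshold=100_000) -> dict:
    """Map pid -> list of indicators for every process with at least one hit."""
    result = {}
    for p in procs:
        hits = indicators(p, cpu_tick_threshold)
        if hits:
            result[p.pid] = hits
    return result


def read_live_procs() -> list:
    """Build ProcInfo records from /proc; processes we may not inspect are skipped."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            with open(f"/proc/{pid}/stat") as f:
                stat = f.read()
        except OSError:
            continue  # vanished or not readable without privileges
        # comm in /proc/<pid>/stat is parenthesised and may contain spaces,
        # so split after the last ')' ; utime/stime are fields 14 and 15 overall,
        # i.e. indexes 11 and 12 of the remainder.
        rest = stat.rsplit(")", 1)[1].split()
        cpu = int(rest[11]) + int(rest[12])
        procs.append(ProcInfo(pid, exe, comm, cpu))
    return procs


# Constructed sample records standing in for a live /proc listing.
SAMPLE_PROCS = [
    ProcInfo(1, "/usr/lib/systemd/systemd", "systemd", 500),
    ProcInfo(2, "/usr/sbin/httpd", "httpd", 1200),            # legitimate Apache
    ProcInfo(3, "/tmp/perfctl (deleted)", "perfctl", 900_000),  # self-deleted, busy
    ProcInfo(4, "/tmp/httpd", "httpd", 10),                     # report's dropper name
]

if __name__ == "__main__":
    for pid, hits in find_suspicious(read_live_procs()).items():
        print(pid, "; ".join(hits))
```

Run it as root to see every process; unprivileged runs silently skip processes whose /proc entries are not readable. The CPU threshold is a raw tick count since process start, so tune it to your clock rate (`getconf CLK_TCK`) and expected uptime, or compare against a baseline taken when the host is idle, which is when the article says the miner does its work.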