Aqua Nautilus researchers have shed light on a Linux malware strain, dubbed perfctl, that has targeted misconfigured Linux servers over the past three to four years.
The malicious code was used to drop cryptocurrency miners and proxyjacking software.
Perfctl is an elusive and persistent malware targeting Linux servers. It employs rootkits to conceal its presence and halts any “noisy” activity when a new user logs in, lying dormant until the server is idle again. For communication it uses a Unix socket internally and TOR externally. Upon execution, perfctl deletes its binary and operates in the background as a service.
Despite the malware’s primary goal being to run cryptominers, experts warn that it also executes proxyjacking software. In one sandbox test, a threat actor accessed the malware’s backdoor for reconnaissance purposes. The attackers analyzed the server and deployed utilities to investigate its environment and better understand how their malware was being studied.
Once the attackers have exploited a vulnerability or misconfiguration to gain initial access, the perfctl malware downloads its main payload from an attacker-controlled HTTP server. The payload employs multiple layers to ensure persistence and evade detection. It moves itself to the /tmp directory, renames itself after the process that executed it (e.g., sh), and deletes the original binary to cover its tracks. The malware acts as both a dropper and a local command-and-control (C2) process, attempting to exploit the Polkit vulnerability CVE-2021-4034 (aka PwnKit) for root access.
“As part of its command-and-control operation, the malware opens a Unix socket, creates two directories under the /tmp directory, and stores data there that influences its operation. This data includes host events, locations of the copies of itself, process names, communication logs, tokens, and additional log information. Additionally, the malware uses environment variables to store data that further affects its execution and behavior,” reads the report. “All the binaries are packed, stripped, and encrypted, indicating significant efforts to bypass defense mechanisms and hinder reverse engineering attempts. The malware also uses advanced evasion techniques, such as suspending its activity when it detects a new user in the btmp or utmp files and terminating any competing malware to maintain control over the infected system.”
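The behaviours described above (a copy relocated to /tmp, renamed after a shell such as sh, the original binary unlinked, and a Unix socket plus working directories under /tmp) all leave traces in /proc that a responder can hunt for without any malware-specific signature. The script below is an added example written for this article; it is not code from the Aqua Nautilus report or from the malware itself. The directory list, the shell-name list and the sample /proc/net/unix text are this example's own assumptions, not indicators published by the researchers.

```python
"""Hunt for the process-level artefacts described above.

Added example, not code from the Aqua Nautilus report or from the malware:
it reads /proc the way an incident responder would and flags
  * processes whose executable was unlinked after launch
    (readlink(/proc/<pid>/exe) ends in " (deleted)"),
  * processes executing from a temp directory, especially under a
    shell-like name such as "sh",
  * Unix domain sockets bound to paths under a temp directory (/proc/net/unix).
The directory list, name list and sample data are this example's own assumptions.
"""
import os
from dataclasses import dataclass

# Assumption: names a dropper might borrow from the process that launched it.
SHELL_NAMES = {"sh", "bash", "dash", "zsh"}
# Assumption: world-writable staging directories worth treating as suspicious.
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class ProcInfo:
    pid: int
    comm: str   # contents of /proc/<pid>/comm
    exe: str    # os.readlink("/proc/<pid>/exe"), "" if unreadable


def classify(p: ProcInfo) -> list[str]:
    """Return the indicator tags that apply to one process (empty if clean)."""
    tags = []
    deleted = p.exe.endswith(" (deleted)")
    if deleted:
        tags.append("exe-deleted")
    exe_path = p.exe[:-len(" (deleted)")] if deleted else p.exe
    if exe_path.startswith(SUSPECT_DIRS):
        tags.append("exe-in-tmp")
        if p.comm in SHELL_NAMES:
            tags.append("shell-name-from-tmp")
    return tags


def suspicious_unix_sockets(proc_net_unix: str) -> list[str]:
    """Parse /proc/net/unix text and return bound socket paths under SUSPECT_DIRS."""
    hits = []
    for line in proc_net_unix.splitlines()[1:]:   # first line is the column header
        fields = line.split(None, 7)              # the 8th field, Path, is optional
        if len(fields) == 8 and fields[7].startswith(SUSPECT_DIRS):
            hits.append(fields[7].strip())
    return hits


def snapshot_procs():
    """Yield ProcInfo for every live process we are allowed to inspect."""
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
        except OSError:
            continue                      # process exited between listdir and open
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = ""                      # kernel thread or no permission
        yield ProcInfo(pid, comm, exe)


# Constructed sample of /proc/net/unix (not a real capture) for offline use.
SAMPLE_PROC_NET_UNIX = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 18921 /run/systemd/journal/stdout
0000000000000000: 00000002 00000000 00010000 0001 01 33012 /tmp/.cache/ipc.sock
0000000000000000: 00000003 00000000 00000000 0001 03 33013
"""


def main() -> None:
    for p in snapshot_procs():
        tags = classify(p)
        if tags:
            print(f"pid {p.pid} comm={p.comm!r} exe={p.exe!r}: {', '.join(tags)}")
    try:
        with open("/proc/net/unix") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_PROC_NET_UNIX        # non-Linux host: fall back to the sample
    for path in suspicious_unix_sockets(text):
        print(f"unix socket bound under a temp dir: {path}")


if __name__ == "__main__":
    main()
```

Run it as root so every /proc/<pid>/exe link is readable. One caveat follows directly from the article: perfctl employs rootkits, and a rootkit that hooks /proc reads can hide exactly these entries, so a clean result from a live host is weaker evidence than the same scan run against the disk or memory image from a trusted boot medium.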