New Perfctl Malware targets Linux servers in cryptomining campaign

Published 2024-10-04 on Security Affairs: https://securityaffairs.com/169351/malware/perfctl-malware-targets-misconfigured-linux-servers.html

perfctl malware targets misconfigured Linux servers to deploy cryptocurrency miners and proxyjacking software in an ongoing campaign.

Aqua Nautilus researchers shed light on a Linux malware strain, dubbed perfctl, that has targeted misconfigured Linux servers over the past 3-4 years.

The malicious code was used to drop cryptocurrency miners and proxyjacking software.

Perfctl is elusive and persistent malware targeting Linux servers. It employs rootkits to conceal its presence and halts any “noisy” activity when a new user logs in, lying dormant until the server is idle again. For communication, it uses a Unix socket internally and TOR externally. Upon execution, perfctl deletes its binary and keeps running in the background as a service.

Although the malware’s primary goal is to run cryptominers, experts warn that it also executes proxyjacking software. In one sandbox test, a threat actor accessed the malware’s backdoor for reconnaissance purposes. The attackers analyzed the server and deployed utilities to investigate its environment and better understand how their malware was being studied.

Once the attackers have exploited a vulnerability or misconfiguration, the perfctl malware downloads the main payload from an attacker-controlled HTTP server. The payload employs multiple layers to ensure persistence and evade detection. It moves itself to the /tmp directory, renames itself after the process that executed it (e.g., sh), and deletes the original binary to cover its tracks. The malware acts as both a dropper and a local command-and-control (C2) process, attempting to exploit the Polkit vulnerability CVE-2021-4043 (aka PwnKit) for root access.

The malicious code copies itself to various disk locations using deceptive names and establishes a backdoor on the server for TOR communications.

The malware drops a rootkit alongside modified Linux utilities (e.g., ldd, lsof) that function as user-land rootkits.

The Linux malware is packed and encrypted to evade detection. It uses advanced evasion techniques such as halting activity when it detects new users, and it can also terminate competing malware to maintain exclusive access to the infected system.

“As part of its command-and-control operation, the malware opens a Unix socket, creates two directories under the /tmp directory, and stores data there that influences its operation. This data includes host events, locations of the copies of itself, process names, communication logs, tokens, and additional log information. Additionally, the malware uses environment variables to store data that further affects its execution and behavior,” reads the report. “All the binaries are packed, stripped, and encrypted, indicating significant efforts to bypass defense mechanisms and hinder reverse engineering attempts. The malware also uses advanced evasion techniques, such as suspending its activity when it detects a new user in the btmp or utmp files and terminating any competing malware to maintain control over the infected system.”

[Figure: perfctl]

To maintain persistence, the attacker modifies the ~/.profile script to execute the malware upon user login, checking whether /root/.config/cron/perfcc is executable. If so, the malware runs before the legitimate server workload. It also executes the ~/.bashrc file in Bash environments to maintain normal server operations while the malware works in the background. The script suppresses errors to avoid warnings.

A small binary called wizlmsh (12 KB) is dropped into /usr/bin and runs in the background to ensure the persistence of the perfctl malware, verifying that the main payload (httpd) is executing.

“The main impact of the attack is resource hijacking. In all cases we observed a Monero cryptominer (XMRIG) executed and exhausting the server’s CPU resources. The cryptominer is also packed and encrypted. Once unpacked and decrypted it communicates with cryptomining pools,” concludes the report. “To detect perfctl malware, you look for unusual spikes in CPU usage, or system slowdown if the rootkit has been deployed on your server,” the researchers said. “These may indicate crypto mining activities, especially during idle times.”

Pierluigi Paganini


(SecurityAffairs – hacking, Linux)
