Linux servers are the goal of an ongoing marketing campaign that delivers a stealthy malware dubbed perfctl with the first intention of operating a cryptocurrency miner and proxyjacking software program.
“Perfctl is especially elusive and chronic, using a number of subtle methods,” Aqua safety researchers Assaf Morag and Idan Revivo mentioned in a report shared with The Hacker Information.
“When a brand new consumer logs into the server, it instantly stops all ‘noisy’ actions, mendacity dormant till the server is idle once more. After execution, it deletes its binary and continues to run quietly within the background as a service.”
It is price noting that some features of the marketing campaign have been disclosed final month by Cado Safety, which detailed a marketing campaign that targets internet-exposed Selenium Grid situations with each cryptocurrency mining and proxyjacking software program.
Particularly, the perfctl malware has been discovered to use a safety flaw in Polkit (CVE-2021-4043, aka PwnKit) to escalate privileges to root and drop a miner known as perfcc.
The rationale behind the identify “perfctl” seems to be a deliberate effort to evade detection and mix in professional system processes, as “perf” refers to a Linux efficiency monitoring instrument and “ctl” signifies management in numerous command-line instruments, reminiscent of systemctl, timedatectl, and rabbitmqctl.
The assault chain, as noticed by the cloud safety agency towards its honeypot servers, includes breaching Linux servers by exploiting a susceptible Apache RocketMQ occasion to ship a payload named “httpd.”
As soon as executed, it copies itself to a brand new location within the “/tmp” listing, runs the brand new binary, terminates the unique course of, and deletes the preliminary binary in an try and cowl its tracks.
Apart from copying itself to different areas and giving itself seemingly innocuous names, the malware is engineered to drop a rootkit for protection evasion and the miner payload. Some situations additionally entail the retrieval and execution of proxyjacking software program from a distant server.
To mitigate the danger posed by perfctl, it is advisable to maintain programs and all software program up-to-date, prohibit file execution, disable unused companies, implement community segmentation, and implement Function-Primarily based Entry Management (RBAC) to restrict entry to vital information.
“To detect perfctl malware, you search for uncommon spikes in CPU utilization, or system slowdown if the rootkit has been deployed in your server,” the researchers mentioned. “These could point out crypto mining actions, particularly throughout idle instances.”