
October 4, 2024

Rise of Stealthy Linux Malware: Thousands Infected Since 2021


The difficulty of detecting and removing Perfctl is due to its ability to maintain a stealthy presence on infected systems.

Recently, researchers reported that a significant number of Linux machines have fallen victim to a stealthy malware strain characterized by its ability to exploit numerous misconfigurations and perform a wide range of malicious activities.

This malware has been active since at least 2021, taking advantage of over 20,000 common misconfigurations, which could potentially make millions of Internet-connected machines vulnerable, as noted by experts from Aqua Security. Additionally, it can target CVE-2023-33426, a critical vulnerability rated 10 out of 10 in severity that was addressed last year in Apache RocketMQ, a messaging and streaming platform prevalent on many Linux systems.

Dubbed Perfctl, the malware’s name reflects a malicious component that discreetly mines cryptocurrency. The developers behind this malware have cleverly named the process by combining the perf Linux monitoring tool and “ctl,” a common abbreviation seen in command-line tools. A key feature of Perfctl is its tendency to use process and file names closely resembling those typically found in Linux environments. This clever naming strategy is just one of the numerous tactics the malware employs to evade detection by users whose systems it has compromised.

Perfctl employs a variety of evasion tactics to mask its presence. One notable approach is its installation of several components as rootkits, a specific type of malware designed to conceal itself from both the operating system and system administrators. Additional stealth techniques include:

This malware is crafted to ensure it remains on the infected machine even after reboots or attempts to remove its core components. Two of the methods it utilizes are (1) altering the ~/.profile script, which configures the environment during user logins, allowing the malware to load before legitimate workloads on the server, and (2) replicating itself from memory to several locations on the disk. Furthermore, hooking pcap_loop helps maintain persistence by allowing malicious activity to continue even after the primary payloads have been detected and removed.

In addition to consuming machine resources for cryptocurrency mining, Perfctl transforms the infected machine into a profit-generating proxy, allowing paying clients to route their Internet traffic through it. Researchers from Aqua Security have also identified the malware functioning as a backdoor to facilitate the installation of other malware families.

Assaf Morag, the director of threat intelligence at Aqua Security, remarked in an email:

Perfctl malware has emerged as a notable risk due to its clever design that allows it to avoid detection while establishing a persistent presence on compromised systems. This dual ability creates significant challenges for cybersecurity defenders. The malware has been increasingly associated with various reports and discussions across multiple forums, illustrating the anxiety and frustration faced by users who find their systems afflicted.

Perfctl employs a rootkit and modifies several system utilities to obscure the activity of its cryptominer and proxy-jacking features. It integrates smoothly into its environment with names that appear to be legitimate. Moreover, Perfctl’s architecture facilitates a broad range of malicious actions, including data exfiltration and the installation of additional payloads. Its adaptability makes it a particularly severe threat to both organizations and individuals.

Although some antivirus solutions can detect Perfctl and certain types of malware it introduces, researchers from Aqua Security encountered a lack of detailed research reports on the malware itself. Nevertheless, they discovered numerous discussions on development-focused platforms that referenced infections consistent with this threat.

A comment on Reddit from the CentOS subreddit exemplifies this issue. An administrator observed that two servers had been compromised by a cryptocurrency hijacker identified as perfcc and perfctl. The admin sought assistance in tracing the root cause of the infection.

“I first realized something was wrong when my monitoring system notified me of the CPU running at 100%,” the administrator commented in a post from April 2023. “However, the malicious process would cease immediately upon logging in via SSH or console. Not long after I logged out, the malware would begin operating again within seconds or minutes.” The administrator went on to say:

I have tried to eliminate the malware by following various instructions from other online communities, but nothing has worked. The malware always seems to restart once I log out. I conducted a thorough search of the entire system for the string “perfcc” and located the files listed below, but removing them did not fix the problem, as they continue to respawn with each reboot.

Additional conversations regarding this issue can be found on: Reddit, Stack Overflow (Spanish), forobeta (Spanish), brainycp (Russian), natnetwork (Indonesian), Proxmox (German), Camel2243 (Chinese), svrforum (Korean), exabytes, virtualmin, serverfault, and many others.

After exploiting a vulnerability or misconfiguration, the malicious code downloads the primary payload from a compromised server, which has been taken over by the attacker and repurposed as a channel to distribute the malware discreetly. In one such attack, aimed at a honeypot belonging to the researchers, the payload was named “httpd.” Once initiated, the file duplicates itself from memory to a new location in the /tmp directory, executes the copy, and subsequently terminates the initial process while deleting the downloaded binary.

After being relocated to the /tmp directory, the file runs under a disguised name that resembles a familiar Linux process. The file found on the honeypot is labeled as sh. Following this, the file initiates a local command-and-control operation and seeks to obtain root system privileges by exploiting CVE-2021-4043, a privilege-escalation vulnerability that was resolved in 2021 within Gpac, a widely utilized open source multimedia framework.

The malicious software proceeds to replicate itself from memory to several other locations on the disk, again adopting names that look like standard system files. Subsequently, the malware deploys a rootkit, along with a collection of popular Linux utilities that have been altered to function as rootkits, and a miner. In certain instances, the malware also sets up software for “proxy-jacking,” which involves secretly redirecting traffic through the compromised machine to obscure the true source of the data.

The researchers added:

In its command-and-control activities, the malware establishes a Unix socket, generates two directories within the /tmp directory, and saves data there that influences its functionality. This data encompasses host events, the locations of its copies, process names, communication logs, tokens, and further logging details. Moreover, the malware utilizes environment variables to retain data that impacts its implementation and operations.

All binaries are meticulously packed, stripped, and encrypted, showcasing a considerable level of effort to circumvent defense mechanisms and impede reverse engineering attempts. The malware employs sophisticated evasion tactics, including pausing its operations when it identifies a new user in the btmp or utmp files, as well as terminating any competing malware to assert dominance over the compromised system.

The ensuing description outlines the attack flow:

Additionally, some malicious file names assigned during the installation process are highlighted:

By analyzing data like the number of Linux servers accessible on the Internet across diverse services and applications—tracked by platforms such as Shodan and Censys—researchers estimate that the total count of machines infected by Perfctl is in the thousands. They also note that the pool of susceptible machines—those that have yet to apply the patch for CVE-2023-33426 or have a misconfiguration that exposes them—is in the millions. However, researchers have not yet quantified the cryptocurrency amassed by the malicious miners.

Individuals seeking to find out if their device has been compromised or infected by Perfctl should check for signs of an attack as mentioned in Thursday’s post. They should also monitor for unexpected increases in CPU usage or abrupt slowdowns in system performance, especially when the device is not in use. Additionally, the report from Thursday offers guidance on how to avoid infections altogether.
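The indicators this article describes (process names borrowed from perf, copies executed from /tmp with the original binary deleted, and a ~/.profile edit that relaunches the payload on login) can be turned into a simple host triage. The script below is an added example written for this article, not code from Aqua Security or the report; it assumes process records are built from /proc, and every sample path and process in it is constructed. Since the article notes that the miner pauses when it sees a new login in utmp, a snapshot taken from an interactive SSH session may miss the running process, so collect the data from a non-interactive job where possible.

```python
# Added example: triage for the Perfctl indicators described in this article.
# Assumptions: process records are built from /proc (comm, exe link target);
# all sample data below is constructed, not taken from the report.
import re
from dataclasses import dataclass

SCRATCH_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
KNOWN_NAMES = {"perfctl", "perfcc"}  # process names quoted in the article
PROFILE_RE = re.compile(r"/tmp/|/dev/shm/|/var/tmp/|perfc")  # heuristic

@dataclass
class Proc:
    pid: int
    comm: str  # contents of /proc/<pid>/comm
    exe: str   # readlink of /proc/<pid>/exe; " (deleted)" suffix if unlinked

def proc_findings(p: Proc) -> list[str]:
    """Flag behaviours the article describes: lookalike names, running from
    a scratch directory, executable deleted after launch."""
    out = []
    if p.comm in KNOWN_NAMES:
        out.append(f"pid {p.pid}: process name {p.comm!r} matches article")
    if p.exe.startswith(SCRATCH_DIRS):
        out.append(f"pid {p.pid}: {p.comm!r} runs from scratch dir {p.exe}")
    if p.exe.endswith(" (deleted)"):
        out.append(f"pid {p.pid}: {p.comm!r} executable deleted after launch")
    return out

def profile_findings(profile_text: str) -> list[str]:
    """Flag ~/.profile lines that launch something from a scratch dir."""
    return [f"~/.profile: {line.strip()!r}"
            for line in profile_text.splitlines()
            if PROFILE_RE.search(line) and not line.lstrip().startswith("#")]

def triage(procs: list[Proc], profile_text: str) -> list[str]:
    findings = profile_findings(profile_text)
    for p in procs:
        findings.extend(proc_findings(p))
    return findings

# Constructed sample: two benign processes and three matching the pattern.
SAMPLE_PROCS = [
    Proc(1, "systemd", "/usr/lib/systemd/systemd"),
    Proc(812, "sshd", "/usr/sbin/sshd"),
    Proc(2044, "sh", "/tmp/.example/sh"),
    Proc(2051, "httpd", "/tmp/httpd (deleted)"),
    Proc(2070, "perfctl", "/usr/local/bin/perfctl"),
]
SAMPLE_PROFILE = "# ~/.profile\nexport PATH=$HOME/bin:$PATH\n/tmp/.example/sh &\n"
```

Calling `triage(SAMPLE_PROCS, SAMPLE_PROFILE)` returns five findings for the constructed data (the deleted /tmp binary matches two rules); on a live host you would populate `Proc` from /proc/<pid>/comm and /proc/<pid>/exe for every pid and pass in the real ~/.profile of each login user.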
