
October 6, 2024

Stealthy Malware: The Hidden Threat Infiltrating Thousands of Linux Systems for Years

Thousands of machines running Linux have been infected by a malware strain notable for its stealth, for the number of misconfigurations it can exploit, and for the breadth of malicious activity it can carry out, researchers reported on Thursday.

The malware has been circulating since at least 2021. It installs itself by exploiting more than 20,000 common misconfigurations, which potentially puts millions of internet-connected machines at risk, according to researchers at Aqua Security. It can also exploit CVE-2023-33426, a vulnerability with a severity rating of 10 out of 10 that was patched in 2023 in Apache RocketMQ, a messaging and streaming platform widely deployed on Linux systems.

The malware is dubbed Perfctl, after a component that clandestinely mines cryptocurrency. The developers behind it chose a name that merges the perf Linux monitoring tool with ‘ctl’, a common abbreviation in command-line interfaces. A key feature of Perfctl is its use of process and file names that closely mirror those typically seen in Linux environments. This naming strategy is just one of the many tactics the malware employs to avoid detection by users of infected devices.

Perfctl uses a range of additional methods to stay hidden. Among them is installing many of its components as rootkits, a class of malware designed to conceal its presence from the operating system and from administrative tools. Other evasion tactics, described further below, include pausing its activity when a new login appears in the utmp or btmp files, communicating over a Unix socket, and deleting the downloaded binary once a copy of it is running.

The malware is also engineered for persistence, meaning it survives reboots and attempts to remove its core components. Two techniques serve this purpose: (1) modifying the ~/.profile script, which sets up the environment at user login, so that the malware starts before the legitimate processes expected to run on the server, and (2) copying itself from memory to several locations on disk. Hooking pcap_loop also contributes to persistence, letting malicious activity continue even after the primary payloads have been detected and removed.

In addition to utilizing the machine’s resources for cryptocurrency mining, Perfctl also transforms the system into a revenue-generating proxy for paying clients who wish to route their internet traffic through it. Researchers from Aqua Security have noted that the malware can also function as a backdoor to facilitate the installation of other malware families.

Assaf Morag, director of threat intelligence at Aqua Security, commented via email:

Perfctl malware emerges as a significant threat owing to its architecture, which allows it to avoid detection while ensuring persistence on compromised systems. This unique combination presents a challenge for security defenders, and indeed, the malware has been associated with an increasing number of reports and discussions across diverse forums, underscoring the anxiety and frustration of users who discover their systems have been compromised.

Perfctl employs a rootkit and alters several system utilities to conceal the actions of the cryptominer and proxy-jacking software. It integrates effortlessly into its environment with names that appear legitimate. Furthermore, Perfctl’s structure allows it to execute an array of harmful activities, ranging from data theft to the installation of additional malicious components. This adaptability makes it usable for numerous illicit objectives, posing a significant threat to both organizations and individuals.

Although some antivirus programs can detect Perfctl and certain types of malware it installs, researchers from Aqua Security found a lack of comprehensive research reports on the malware. They did uncover many discussions on developer forums about infections that align with its characteristics.

A comment on the CentOS subreddit gives a typical example: an administrator found that two of their servers had been compromised by cryptocurrency-mining malware running under the names perfcc and perfctl, and asked for help identifying the cause.

“I only became aware of the malware because my monitoring setup alerted me to 100% CPU utilization,” the admin noted in an April 2023 post. “However, the process would stop immediately when I logged in via SSH or console. As soon as I logged out, the malware would resume running within a few seconds or minutes.” The admin elaborated:

I have tried several approaches to eliminate the malware, as suggested by various forums, but none have been successful. The malware consistently reappears every time I log out. I also conducted a thorough search on my system for the string “perfcc” and identified the files below. Removing these files did not fix the issue, as the malware reemerges with each system reboot.

Other discussions include: Reddit, Stack Overflow (Spanish), forobeta (Spanish), brainycp (Russian), natnetwork (Indonesian), Proxmox (German), Camel2243 (Chinese), svrforum (Korean), exabytes, virtualmin, serverfault, and many others.

This story originally appeared on Ars Technica, a reliable source for technology news, analysis of tech policy, reviews, and more. Ars is part of Condé Nast, which is the parent company of WIRED.

After exploiting a vulnerability or a misconfiguration, the attacker downloads the main payload from a server that has itself been compromised and repurposed to distribute the malware anonymously. In an attack on a honeypot run by the researchers, the payload was named httpd. Once executed, the file copies itself to a new location under /tmp, runs the copy, kills the original process, and deletes the downloaded binary.

Once in /tmp, the file runs under a new name that resembles a well-known Linux process; on the honeypot it was named sh. It then sets up a local command-and-control process and attempts to gain root privileges by exploiting CVE-2021-4043, a privilege-escalation flaw patched in 2021 in Gpac, a widely used open-source multimedia framework.

The malware then replicates itself from memory to several other locations on the disk, again utilizing names that look like ordinary system files. Following this, it deploys a rootkit, several widely-used Linux utilities that have been altered to function as rootkits, along with the miner. In certain instances, the malware also introduces software for “proxy-jacking,” a term that refers to secretly directing traffic through the compromised machine to conceal the actual source of the data.
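The checks below are an added example, not code from Aqua Security's report or the Ars article. They look for the tradecraft described in the persistence paragraph above and in the execution chain just described: a process whose executable lives under /tmp or was deleted after launch, a PID the kernel knows about but a possibly trojaned ps does not report, and a shell init file that launches something from a staging directory. The staging-directory list, the regular expression, and the fake /proc tree and ~/.profile that build_demo() constructs are assumptions for illustration, not published indicators of compromise.

```python
"""Added hunting checks (not code from Aqua Security or Ars Technica) for the
Perfctl tradecraft described in the text: copies run from /tmp under names such
as sh or httpd, the downloaded binary deleted after launch, a rootkit that hides
the miner from ps, and a ~/.profile edit for persistence. STAGING_DIRS, the
regex and build_demo()'s fake /proc tree are constructed for illustration."""
import os
import re
import tempfile

# Assumption: a service's executable should not live in a world-writable staging dir.
STAGING_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
# Assumption: an init-file line that runs something from a staging dir, or that
# backgrounds a nohup'd job, deserves a look.
INIT_PATTERN = re.compile(
    r"(?:^|[\s;&|(])(?:/tmp|/var/tmp|/dev/shm)/\S+|\bnohup\b.*&\s*$")


def ps_pids(ps_output):
    """PIDs reported by `ps -eo pid=`; a trojaned ps may have filtered some out."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}


def probed_pids(proc_root="/proc", pid_max=None):
    """Stat /proc/<n> for every candidate PID instead of listing /proc.
    A user-space rootkit typically hooks readdir() or patches ps; it rarely hooks
    stat(), so probing (what `unhide` calls brute mode) can expose PIDs a
    listing would miss. A hooked stat() or a kernel-mode rootkit still wins,
    so confirm hits from a rescue boot or a statically linked tool."""
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            pid_max = int(fh.read())
    return {n for n in range(1, pid_max + 1)
            if os.path.isdir(os.path.join(proc_root, str(n)))}


def exe_finding(proc_root, pid):
    """Reason string if the process image sits in a staging dir or was deleted
    after launch (the image then exists only in memory), else None."""
    try:
        target = os.readlink(os.path.join(proc_root, str(pid), "exe"))
    except OSError:
        return None  # kernel thread, or insufficient privilege: run as root
    if target.endswith(" (deleted)"):
        return f"pid {pid}: exe deleted from disk ({target})"
    if any(target == d or target.startswith(d + "/") for d in STAGING_DIRS):
        return f"pid {pid}: exe in staging dir ({target})"
    return None


def profile_findings(text):
    """(line number, line) for ~/.profile lines matching INIT_PATTERN."""
    return [(n, line.strip()) for n, line in enumerate(text.splitlines(), 1)
            if line.strip() and not line.strip().startswith("#")
            and INIT_PATTERN.search(line.strip())]


def hunt(proc_root, ps_output, profile_text, pid_max=None):
    """Combine the three checks; every list should be empty on a clean host."""
    pids = probed_pids(proc_root, pid_max)
    return {
        "hidden_from_ps": sorted(pids - ps_pids(ps_output)),
        "exe": [f for f in (exe_finding(proc_root, p) for p in sorted(pids)) if f],
        "profile": profile_findings(profile_text),
    }


def build_demo():
    """Constructed fake /proc tree and ~/.profile mirroring the behaviour in the text."""
    root = tempfile.mkdtemp()
    for pid, exe in ((1, "/usr/lib/systemd/systemd"), (612, "/usr/sbin/sshd"),
                     (4242, "/tmp/sh"), (5150, "/usr/local/bin/httpd (deleted)")):
        os.makedirs(os.path.join(root, str(pid)))
        os.symlink(exe, os.path.join(root, str(pid), "exe"))
    ps_output = "1\n612\n4242\n"  # 5150 missing, as a trojaned ps would report
    profile = ('# ~/.profile\nexport PATH="$HOME/bin:$PATH"\n'
               "nohup /tmp/sh >/dev/null 2>&1 &\n")
    return hunt(root, ps_output, profile, pid_max=8192)


if __name__ == "__main__":
    for check, findings in build_demo().items():
        print(check, findings)
```

On a live host, run hunt("/proc", the output of `ps -eo pid=`, the contents of ~/.profile) as root, and repeat for the other shell init files your distribution sources. The script itself goes through libc, so a rootkit that hooks stat() or sits in the kernel can still fool it; treat a hit as a reason to image the box and verify from a rescue environment, not as the final word.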

The researchers elaborated:

As a component of its command-and-control activities, the malware opens a Unix socket, establishes two directories beneath the /tmp directory, and saves data there that influences its functionality. This data encompasses host events, the locations of its own copies, process names, communication logs, tokens, and other logging details. Moreover, the malware employs environment variables to retain data that further impacts its execution and conduct.

All binaries are meticulously packed, stripped, and encrypted, showcasing considerable efforts to evade defense systems and obstruct reverse engineering endeavors. The malware employs sophisticated evasion tactics, such as pausing its operation upon detecting a new user in the btmp or utmp files and eliminating any rival malware to preserve its dominance over the compromised system.

By analyzing data concerning the number of Linux servers connected to the internet across different services and applications—tracked by platforms like Shodan and Censys—researchers estimate that thousands of machines are afflicted by Perfctl. They suggest that the pool of susceptible machines, which have not yet applied the patch for CVE-2023-33426 or possess vulnerable configurations, is in the millions. The researchers have not yet quantified the total cryptocurrency mined by the malicious actors.

Individuals seeking to ascertain whether their device has been targeted or infected by Perfctl should check for indicators of compromise outlined in Thursday’s post. Users should also remain vigilant for unexpected increases in CPU usage or abrupt system slowdowns, especially if these events transpire during idle periods. Furthermore, Thursday’s report offers guidance on preventive measures to avoid infections in the first place.
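The admin quoted above watched the miner stop the moment they connected over SSH, and the researchers' explanation is that Perfctl pauses when a new user appears in utmp or btmp. The added example below (not code from Aqua Security or Ars Technica) shows both halves of that: a parser for utmp records in the layout of glibc's struct utmp on x86_64 Linux, which is what the malware, `who` and `last` read, and a check over CPU samples from a monitor that runs regardless of logins, flagging the signature "busy whenever nobody is logged in, idle whenever someone is". The utmp records, CPU samples, thresholds and the 203.0.113.9 address are constructed for illustration.

```python
"""Added example (not code from Aqua Security or Ars Technica): the utmp records
the malware watches for a new login, and a check over CPU samples that catches
the 'pegged until I ssh in' pattern from the outside. Record layout is glibc's
struct utmp on x86_64 Linux (384 bytes). All records, samples, thresholds and
the 203.0.113.9 address below are constructed for illustration."""
import struct

# <utmp.h>: ut_type, pad, ut_pid, ut_line, ut_id, ut_user, ut_host, ut_exit,
# ut_session, ut_tv (sec, usec), ut_addr_v6, unused
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384
USER_PROCESS, DEAD_PROCESS = 7, 8       # ut_type for a login and its logout


def _text(raw):
    return raw.rstrip(b"\0").decode(errors="replace")


def pack_utmp(ut_type, pid, line, user, host, tv_sec):
    """Build one record; used here only to construct sample data."""
    def field(s, n):
        return s.encode()[:n].ljust(n, b"\0")
    return struct.pack(UTMP_FMT, ut_type, pid, field(line, 32), field(line[-4:], 4),
                       field(user, 32), field(host, 256), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def parse_utmp(data):
    """Records as `who`, `last` or the malware would read them from /var/run/utmp."""
    recs = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        recs.append({"type": f[0], "pid": f[1], "line": _text(f[2]),
                     "user": _text(f[4]), "host": _text(f[5]), "time": f[9]})
    return recs


def session_intervals(records):
    """(start, end) per terminal line; end is None while the session is still open."""
    open_by_line, intervals = {}, []
    for r in sorted(records, key=lambda r: r["time"]):
        if r["type"] == USER_PROCESS:
            open_by_line[r["line"]] = r["time"]
        elif r["type"] == DEAD_PROCESS and r["line"] in open_by_line:
            intervals.append((open_by_line.pop(r["line"]), r["time"]))
    intervals.extend((start, None) for start in open_by_line.values())
    return intervals


def someone_logged_in(intervals, t):
    return any(s <= t and (e is None or t < e) for s, e in intervals)


def pauses_on_login(cpu_samples, intervals, busy=80.0, idle=20.0, min_ratio=0.8):
    """cpu_samples: (unix_time, total CPU percent) from an agent that samples
    whether or not anyone is logged in (cron, an exporter, the hypervisor).
    Returns the share of unattended samples that are busy and the share of
    attended samples that are idle; both high at once is the pattern the
    admin described as 100% CPU that stops as soon as they log in."""
    unattended = [c for t, c in cpu_samples if not someone_logged_in(intervals, t)]
    attended = [c for t, c in cpu_samples if someone_logged_in(intervals, t)]
    if not unattended or not attended:
        return {"suspicious": False, "busy_unattended": 0.0, "idle_attended": 0.0}
    busy_unattended = sum(c >= busy for c in unattended) / len(unattended)
    idle_attended = sum(c <= idle for c in attended) / len(attended)
    return {"suspicious": busy_unattended >= min_ratio and idle_attended >= min_ratio,
            "busy_unattended": round(busy_unattended, 2),
            "idle_attended": round(idle_attended, 2)}


def demo():
    """Constructed utmp: one SSH session on pts/0 from t=1000 to t=1300.
    Constructed CPU samples every 60 s: pegged when nobody is on, quiet during it."""
    utmp = (pack_utmp(USER_PROCESS, 2310, "pts/0", "admin", "203.0.113.9", 1000)
            + pack_utmp(DEAD_PROCESS, 2310, "pts/0", "", "", 1300))
    intervals = session_intervals(parse_utmp(utmp))
    samples = [(t, 3.0 if 1000 <= t < 1300 else 99.0) for t in range(0, 1800, 60)]
    return pauses_on_login(samples, intervals)


if __name__ == "__main__":
    print(demo())
```

On a real host, feed parse_utmp() the bytes of /var/run/utmp (or /var/log/wtmp for history) and pauses_on_login() the CPU series from your monitoring system. The pause is the tell: a check that only runs while you are logged in will never fire, which is exactly why the admin's interactive inspection found nothing.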


