Misconfigured and vulnerable Linux servers are being targeted in an ongoing campaign involving a stealthy malware known as *perfctl*, which primarily aims to deploy cryptocurrency mining and proxyjacking software.
“Perfctl is particularly elusive and persistent, utilizing a range of sophisticated techniques,” said Aqua Security researchers Assaf Morag and Idan Revivo in a report shared with *The Hacker News*. “When a new user logs into the server, it halts all ‘noisy’ activities and remains dormant until the server is idle again. Once executed, it deletes its binary and continues running discreetly in the background as a service.”
Last month, Cado Security uncovered aspects of this campaign, describing an activity cluster that targets internet-exposed Selenium Grid instances with similar cryptocurrency mining and proxyjacking tactics.
The perfctl malware, described as *fileless* because it removes its own binary from disk once it is running, exploits a known privilege-escalation vulnerability in Polkit's pkexec (CVE-2021-4034, also called *PwnKit*) to gain root and install a miner named *perfcc*.
The name “perfctl” seems to be a calculated effort to avoid detection and blend in with legitimate system processes. “Perf” refers to a standard Linux performance monitoring tool, while “ctl” is a common suffix used in various command-line utilities, such as *systemctl*, *timedatectl*, and *rabbitmqctl*, which makes the malware appear less suspicious.
The attack chain, as observed by the cloud security firm on its honeypot servers, begins with breaching Linux systems by exploiting a vulnerable Apache RocketMQ instance. The attackers then deliver a malicious payload named *httpd*, the name of the Apache HTTP Server daemon, so that the process blends in with legitimate services and draws less scrutiny.
Once executed, *perfctl* copies itself to a new location in the “/tmp” directory, runs the new binary, terminates the original process, and deletes the initial binary in an effort to cover its tracks. In addition to duplicating itself under seemingly harmless names, the malware is designed to drop a rootkit for defense evasion and deploy a cryptocurrency miner. Some instances also involve fetching and executing proxyjacking software from a remote server.
To mitigate the risks posed by *perfctl*, it is recommended to:
– Keep systems and software up to date
– Restrict file execution
– Disable unused services
– Enforce network segmentation
– Implement Role-Based Access Control (RBAC) to limit access to critical files
The researchers noted that *perfctl* can be detected by monitoring for unusual CPU usage spikes or system slowdowns, particularly during idle periods, when the miner resumes work. Once the rootkit has been deployed, the mining process itself may be hidden from process listings, so such resource anomalies may be the only visible sign of the infection.
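The tradecraft described above leaves a footprint that can be hunted for directly from `/proc`: a process whose executable has been unlinked shows up with a `(deleted)` suffix on its `exe` link, and a copy staged under `/tmp` carries a path no legitimately installed daemon would use. The script below is an added example written for this page, not code from Aqua Security, Cado Security or the article. The indicator name list, the staging-directory and system-path tuples, and the sample process records are assumptions constructed for illustration.

```python
#!/usr/bin/env python3
"""Added hunting script (not from the Aqua report or the article).

Flags two behaviours the article attributes to perfctl: a process that keeps
running after its on-disk binary was deleted, and a copy executing from /tmp
under a lookalike name such as "httpd" or "perfctl". The name list, directory
tuples and sample records are assumptions for this example, not captures.
"""
from __future__ import annotations

import os
import sys
from dataclasses import dataclass

# Names cited in the article. Assumption: illustrative, not a complete IOC list.
SUSPECT_NAMES = {"perfctl", "perfcc", "httpd"}
# Assumption: world-writable directories an implant is likely to copy itself into.
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Paths a legitimately installed daemon would normally execute from.
SYSTEM_PATHS = ("/usr/", "/bin/", "/sbin/", "/lib/", "/opt/")


@dataclass
class Proc:
    pid: int
    comm: str  # contents of /proc/<pid>/comm
    exe: str   # target of the /proc/<pid>/exe symlink


def assess(p: Proc) -> list[str]:
    """Return the indicators that fire for one process record (empty if none)."""
    findings = []
    # The kernel appends " (deleted)" to the exe link once the file is unlinked,
    # which is exactly what perfctl does to its own binary after launch.
    if p.exe.endswith(" (deleted)"):
        findings.append("binary deleted while running")
    if p.exe.startswith(STAGING_DIRS):
        findings.append("executing from a temp directory")
    # A genuine httpd lives under /usr/sbin; the same name under /tmp is a lookalike.
    if p.comm in SUSPECT_NAMES and not p.exe.startswith(SYSTEM_PATHS):
        findings.append(f"suspect name {p.comm!r} outside system paths")
    return findings


def scan(procs: list[Proc]) -> dict[int, list[str]]:
    """Map pid -> findings for every process that triggers at least one indicator."""
    return {p.pid: f for p in procs if (f := assess(p))}


def read_procs() -> list[Proc]:
    """Enumerate live processes from /proc. Linux only; run as root to read every exe link."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue  # kernel thread, process already exited, or permission denied
        procs.append(Proc(pid, comm, exe))
    return procs


# Constructed sample records for an offline dry run (not real captures).
SAMPLE = [
    Proc(1, "systemd", "/usr/lib/systemd/systemd"),
    Proc(812, "httpd", "/usr/sbin/httpd"),        # genuine Apache daemon
    Proc(4471, "httpd", "/tmp/httpd (deleted)"),  # perfctl-style lookalike
    Proc(4490, "perfctl", "/tmp/perfctl"),
]

if __name__ == "__main__":
    # "--demo" runs against the constructed sample; otherwise the live /proc tree.
    procs = SAMPLE if "--demo" in sys.argv else read_procs()
    for pid, reasons in sorted(scan(procs).items()):
        print(f"pid {pid}: {'; '.join(reasons)}")
```

Run it with `--demo` to see the constructed hits, or as root on a suspect host to walk the real `/proc` tree. Because the campaign drops a rootkit for defense evasion, a `/proc` walk from inside the compromised system may be blinded; if the resource anomalies the researchers describe persist while this scan comes back clean, compare the result against a process listing taken from a trusted live environment or an offline image rather than trusting the host's own view.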