Linux servers are the goal of an ongoing marketing campaign that delivers a stealthy malware dubbed perfctl with the first goal of working a cryptocurrency miner and proxyjacking software program.
“Perfctl is especially elusive and protracted, using a number of subtle methods,” Aqua safety researchers Assaf Morag and Idan Revivo mentioned in a report shared with The Hacker Information.
“When a brand new person logs into the server, it instantly stops all ‘noisy’ actions, mendacity dormant till the server is idle once more. After execution, it deletes its binary and continues to run quietly within the background as a service.”
It is value noting that some elements of the marketing campaign had been disclosed final month by Cado Safety, which detailed a marketing campaign that targets internet-exposed Selenium Grid situations with each cryptocurrency mining and proxyjacking software program.
Particularly, the perfctl malware has been discovered to use a safety flaw in Polkit (CVE-2021-4043, aka PwnKit) to escalate privileges to root and drop a miner referred to as perfcc.
The rationale behind the identify “perfctl” seems to be a deliberate effort to evade detection and mix in authentic system processes, as “perf” refers to a Linux efficiency monitoring software and “ctl” signifies management in numerous command-line instruments, corresponding to systemctl, timedatectl, and rabbitmqctl.
The assault chain, as noticed by the cloud safety agency in opposition to its honeypot servers, includes breaching Linux servers by exploiting a susceptible Apache RocketMQ occasion to ship a payload named “httpd.”
As soon as executed, it copies itself to a brand new location within the “/tmp” listing, runs the brand new binary, terminates the unique course of, and deletes the preliminary binary in an try to cowl its tracks.
In addition to copying itself to different places and giving itself seemingly innocuous names, the malware is engineered to drop a rootkit for protection evasion and the miner payload. Some situations additionally entail the retrieval and execution of proxyjacking software program from a distant server.
To mitigate the chance posed by perfctl, it is beneficial to maintain programs and all software program up-to-date, prohibit file execution, disable unused providers, implement community segmentation, and implement Function-Primarily based Entry Management (RBAC) to restrict entry to crucial information.
“To detect perfctl malware, you search for uncommon spikes in CPU utilization, or system slowdown if the rootkit has been deployed in your server,” the researchers mentioned. “These could point out crypto mining actions, particularly throughout idle instances.”