
Cryptomining malware invades Linux machines


A cryptomining malware known as perfctl has been infecting thousands of Linux machines, and potentially puts millions more at risk, according to researchers at Aqua Security. The cloud security vendor published new findings on Thursday on perfctl, a Linux malware that has been active since at least 2021.

Aqua's Nautilus research team found that perfctl has actively targeted over 20,000 types of misconfigurations and may already have infiltrated millions of systems. Despite a history going back several years, perfctl went largely unnoticed by the security community, with only a few researchers publishing anything about it.

The perfctl malware gains a foothold by exploiting a vulnerability or misconfiguration on the targeted system, then downloads a payload from an attacker-controlled HTTP server. The payload copies itself to a new location under the /tmp directory, runs the new binary from there, terminates the original process, and deletes the initial binary to cover its tracks. It also renames itself to match the name of the process that executed it, which makes it harder to spot in a process listing.
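Two of the behaviours described above, a binary executing from /tmp and a running process whose on-disk executable has been deleted, are visible from /proc on any Linux host. The following audit script is an added example written for this article, not code from Aqua's report; the list of scratch directories it treats as suspicious is an assumption, and the sample paths used to demonstrate it are constructed:

```shell
#!/bin/sh
# Added example: flag running processes whose executable lives in a
# world-writable scratch directory or whose binary has been unlinked from
# disk (readlink on /proc/PID/exe then ends in " (deleted)").
# The directory list is an assumption for this example; extend it to
# match local policy.

SCRATCH_DIRS="/tmp /var/tmp /dev/shm"

# classify_exe EXE_PATH
# Prints "scratch-dir", "deleted-binary" or "ok" for one resolved exe path.
classify_exe() {
    exe="$1"
    case "$exe" in
        *" (deleted)") echo "deleted-binary"; return 0 ;;
    esac
    for d in $SCRATCH_DIRS; do
        case "$exe" in
            "$d"/*) echo "scratch-dir"; return 0 ;;
        esac
    done
    echo "ok"
}

# scan_procs
# Walks /proc and prints "PID VERDICT COMM EXE" for every process that is
# not classified "ok". Processes we cannot read (other users' when not
# root, kernel threads) are skipped silently.
scan_procs() {
    for p in /proc/[0-9]*; do
        pid="${p#/proc/}"
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        verdict=$(classify_exe "$exe")
        [ "$verdict" = "ok" ] && continue
        comm=$(cat "$p/comm" 2>/dev/null || echo '?')
        printf '%s %s %s %s\n' "$pid" "$verdict" "$comm" "$exe"
    done
}

# Run the live scan only when explicitly asked, e.g. `sh audit.sh --scan`,
# so sourcing the file for its functions has no side effects.
if [ "${1:-}" = "--scan" ]; then
    scan_procs
fi
```

Run it as root so every /proc/PID/exe link is readable; a hit is a lead, not a verdict, since package upgrades also leave long-running daemons with a "(deleted)" executable until they are restarted, so compare any match against the process name and the renaming behaviour the article describes.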

Furthermore, perfctl carries an exploit for CVE-2021-4043 that it uses to try to gain root privileges on the infected server. The malware also copies itself to several other locations, disguised as ordinary system files, and drops a kernel rootkit along with modified Linux utilities that act as user-land rootkits.

Although it is used primarily to gain access and maintain persistence, perfctl also includes a cryptominer and has been involved in proxyjacking. The name "perfctl" alludes to its cryptomining and resource-hijacking functions, yet it was deliberately chosen to blend in with ordinary system processes, making it easy to overlook during an initial investigation.

Perfctl also behaves evasively: it suspends its activity when it detects a new user on the server, and it terminates competing malware. Its binaries are packed, stripped, and encrypted to bypass defensive tooling and impede reverse engineering, which points to a sophisticated operator.

Aqua Security's research provides in-depth technical details, indicators of compromise (IOCs), detection advice, and mitigation techniques, including patching vulnerabilities and disabling unused services on Linux systems. One key mitigation the researchers recommend is mounting writable directories with noexec, so that perfctl binaries dropped there cannot be executed directly from those locations.
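The noexec mitigation above is easy to state and easy to leave half-applied: it only helps on directories that are their own mount points and only while the option is actually set. The script below is an added example for this article, not Aqua's tooling; it audits the scratch directories most often abused for dropped binaries (the list is an assumption) against /proc/self/mounts and prints the fstab entry that makes the setting persistent:

```shell
#!/bin/sh
# Added example: check which world-writable scratch directories are
# mounted with noexec, and emit the tmpfs fstab line that enforces it.
# WRITABLE_DIRS is an assumption for this example.

WRITABLE_DIRS="/tmp /var/tmp /dev/shm"

# opts_have_noexec "rw,nosuid,nodev,noexec,relatime"
# Returns 0 when the comma-separated mount option string contains noexec.
opts_have_noexec() {
    case ",$1," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# mount_opts DIR
# Prints the options of the mount whose mount point is exactly DIR, taken
# from /proc/self/mounts (last matching entry wins, i.e. the topmost mount).
# Prints nothing when DIR is not a separate mount point.
mount_opts() {
    awk -v d="$1" '$2 == d { opts = $4 } END { print opts }' /proc/self/mounts
}

# audit_noexec
# One line per directory: "DIR noexec", "DIR EXEC-ALLOWED" or
# "DIR not-a-mount". The last case matters: a directory that is merely a
# subtree of / inherits the root filesystem's options, so noexec cannot be
# applied to it without turning it into its own mount first.
audit_noexec() {
    for d in $WRITABLE_DIRS; do
        opts=$(mount_opts "$d")
        if [ -z "$opts" ]; then
            echo "$d not-a-mount"
        elif opts_have_noexec "$opts"; then
            echo "$d noexec"
        else
            echo "$d EXEC-ALLOWED"
        fi
    done
}

# fstab_line DIR SIZE
# Prints the /etc/fstab entry for a tmpfs at DIR with noexec, nosuid and
# nodev; SIZE is a tmpfs size such as 1G.
fstab_line() {
    printf 'tmpfs %s tmpfs defaults,noexec,nosuid,nodev,size=%s 0 0\n' "$1" "$2"
}

# Live audit only on request, e.g. `sh noexec_audit.sh --audit`.
if [ "${1:-}" = "--audit" ]; then
    audit_noexec
fi
```

For a directory reported as EXEC-ALLOWED that is already a tmpfs, `mount -o remount,noexec /tmp` applies the option immediately and the fstab line from `fstab_line /tmp 1G` keeps it across reboots. Test the change on a staging host first: some package managers and build tools expect to execute helpers from /tmp, and they will fail loudly once the option is in place.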

The threat actor behind perfctl remains unidentified, but the Nautilus team believes it is financially motivated and operates as a single group rather than selling the malware on the dark web or offering it as a service. Although it is not considered state-sponsored, perfctl uses techniques reminiscent of state-sponsored actors, which is part of what makes its sophistication concerning.

Chief researcher Assaf Morag emphasized the importance of visibility in securing one’s environment against threats like perfctl, stressing the need for tools that provide insight into Linux runtime. Having a comprehensive view of the environment enables organizations to connect the dots and understand the threats they face, ultimately enhancing their cybersecurity posture.

The emergence of perfctl underscores how threats against Linux systems keep evolving, and why proactive hardening and continuous runtime monitoring matter for defending against sophisticated malware. Stay vigilant and prioritize visibility to protect your organization from threats like perfctl.

Alexander Culafi, a senior information security news writer and podcast host for TechTarget Editorial, contributed to this report.
