MW IT Solution GmbH

Linux malware "Perfctl" has apparently been infecting Linux servers for years

A sophisticated piece of malware is infecting misconfigured Linux servers en masse. It remained undetected for a long time, partly because it is well camouflaged.


A newly discovered piece of malware is targeting Linux servers: as experts at the cybersecurity consultancy Aqua Security report, the program called "Perfctl" has probably been in circulation since 2021 and infects Linux systems in order to secretly use them as proxy servers and for cryptomining. The malware can also act as a loader for other unwanted programs. According to the analysis report, "Perfctl" has probably already attacked millions of servers; the number of devices it has successfully infected is in the thousands, estimate the report's authors, Assaf Morag and Idan Revivo. "Perfctl" looks for around 20,000 different types of misconfigurations that Linux servers can potentially have, so the chance that one's own system is infected exists as soon as the server is connected to the Internet, Morag and Revivo clarify.


Malware uses servers for crypto mining

In all known cases, the malware ran a cryptominer; in some cases, proxyjacking software was also used, the report says. While the two analysts were conducting sandbox tests with the malware, they also made an observation: it installed additional programs in the background in order to be able to secretly monitor what was happening. The malware is particularly well camouflaged and remains persistent on the target devices. Aqua Security was able to uncover a number of tactics. For example, "Perfctl" uses rootkits to hide its presence. When a new user logs in, the malware immediately stops all activities that could be conspicuous; when the user logs out again, the activities resume.


Communication via Tor servers

Communication within the server runs via Unix sockets; external communication is routed through Tor servers, making it impossible to track. After installation, "Perfctl" deletes its binary files and continues to run as a background process. It copies itself from memory to various locations on the hard disk under misleading names. "Perfctl" also opens a backdoor on the server and "eavesdrops" on Tor communication. The program also tries to exploit the Polkit vulnerability (CVE-2021-4043) to escalate its privileges. The vulnerability was patched last year in Apache RocketMQ, a messaging and streaming platform found on many Linux computers. This is probably a typical example of the malware's strategy of exploiting several variants of misconfigured or outdated systems.


Proxy service for cybercriminals?

Once Perfctl has successfully established itself, it primarily engages in crypto mining - another source of income for the authors is apparently a proxy service for other cyber criminals. They can then route their Internet traffic through the hacked Linux servers to conceal their own identity. The malware also functions as a loader, and thus always offers the option of installing additional programs on the affected servers. A typical first symptom of the malware is an extremely high CPU usage of almost 100 percent. The analysts provide further tips on how to recognize a possible "Perfctl" infection in their report.
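A defender's starting point for the two traces the article names (a process whose binary was deleted after launch, from the Tor section above, and the near-100 percent CPU usage mentioned here), as an added example that is not from the article or from Aqua Security's report: a POSIX shell hunt over /proc and ps. The CPU threshold, the function names and the sample path in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the article or Aqua Security's report.
# Hunts for two traces the article attributes to Perfctl:
#   1. a process whose binary was deleted after it started
#      (/proc/<pid>/exe then resolves to "<path> (deleted)")
#   2. a process using close to 100% CPU
# CPU_THRESHOLD (percent) is an assumption; tune it for your fleet.
CPU_THRESHOLD="${CPU_THRESHOLD:-90}"

# is_deleted_exe TARGET: succeed if a readlink result marks a deleted binary,
# e.g. the constructed sample "/tmp/sample (deleted)".
is_deleted_exe() {
    case "$1" in
        *" (deleted)") return 0 ;;
        *)             return 1 ;;
    esac
}

# is_high_cpu PERCENT: succeed if the integer part of e.g. "99.8" (or a
# locale's "99,8") is at least CPU_THRESHOLD; non-numeric input fails.
is_high_cpu() {
    cpu="${1%%[.,]*}"
    [ "${cpu:-0}" -ge "$CPU_THRESHOLD" ] 2>/dev/null
}

# scan_deleted_exes: one line per process running from a deleted binary.
# Without root, only the caller's own processes can be inspected.
scan_deleted_exes() {
    for exe in /proc/[0-9]*/exe; do
        target=$(readlink "$exe" 2>/dev/null) || continue
        if is_deleted_exe "$target"; then
            pid=${exe#/proc/}; pid=${pid%/exe}
            printf 'DELETED_BINARY pid=%s exe=%s\n' "$pid" "$target"
        fi
    done
}

# scan_high_cpu: one line per process at or above the CPU threshold.
# Uses ps (procps or BSD); the "key=" syntax suppresses the header row.
scan_high_cpu() {
    ps -eo pid=,pcpu=,comm= 2>/dev/null | while read -r pid pcpu comm; do
        if is_high_cpu "$pcpu"; then
            printf 'HIGH_CPU pid=%s cpu=%s comm=%s\n' "$pid" "$pcpu" "$comm"
        fi
    done
}

scan_deleted_exes
scan_high_cpu
```

Because the article says the malware pauses when a user logs in and hides behind rootkits, run this from a scheduled job rather than an interactive shell and treat an empty result as inconclusive: a rootkit can hide entries from /proc and ps, so corroborate from outside the host (hypervisor or network telemetry).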


Already a topic in many forums

The community has already taken note of the problems caused by the sophisticated malware. On various forums such as Reddit, users complained, for example, that they had tried several times to remove a strange program without success, and that it kept reappearing even after they completely deleted the affected files. The name "Perfctl" also came up in numerous threads on the subject in various developer forums such as Reddit or Stack Overflow. Morag and Revivo then decided to adopt the name. Their report is likely to keep many Linux server admins busy in the near future.
