Near-'perfctl' Fileless Malware Targets Millions of Linux Servers
Armed with a staggering arsenal of at least 20,000 different exploits for various Linux server misconfigurations, perfctl is everywhere, annoying, and tough to get rid of.
A multipurpose and mysterious malware dropper has been terrorizing Linux servers worldwide for years, infecting untold thousands of victims with cryptomining and proxyjacking malware. A fresh analysis has exposed its secrets — and a vast treasure trove of tens of thousands of exploit paths for compromising its targets.
For some time now, individuals in the US and Russia, Germany and Indonesia, Korea, China, Spain, and most everywhere in between have been reporting cases of “perfctl” (aka perfcc) eating up all their compute power.
“We’ve seen blog and forum posts over the past three or four years — maybe even longer — saying, ‘something is attacking me, I don’t know, I’m trying to kill it,’” Aqua Nautilus chief researcher Assaf Morag recalls. “There are a lot of articles describing how you kill perfctl, but people can’t kill it because it keeps hiding itself, and it’s very persistent.”
The malware looks for vulnerabilities and misconfigurations to exploit in order to gain initial access. To date, Aqua Nautilus reported today, the malware has likely targeted millions of Linux servers, and compromised thousands. Any Linux server connected to the Internet is in its sights, so any server that hasn’t already encountered perfctl is at risk.
And, Morag warns, its ambitions don’t necessarily end with cryptomining and proxyjacking. Though not recorded in his report, Morag has observed the malware dropping TruffleHog, a legitimate penetration testing tool designed to snuff out hardcoded secrets in source code.
“So imagine: They’re earning money on the side [by cryptomining and proxyjacking], but also stealing secrets and maybe selling them in the cyber underground — selling access to servers that are related to big companies,” he posits.
Every Misconfiguration in the Book
The volume and variety of potential server misconfigurations that perfctl is capable of identifying and exploiting are vast.
By tracking its infections, researchers identified three Web servers belonging to the threat actor: two that were previously compromised in prior attacks, and a third likely set up and owned by the threat actor. One of the compromised servers was used as the primary base for malware deployment. The other compromised server contained a much more interesting find: a list of potential avenues to directory traversal, nearly 20,000 entries long.
The list contained more than 12,000 known server misconfigurations, nearly 2,000 paths towards nabbing unauthorized credentials, tokens, and keys, more than 1,000 techniques for unauthorized login, and dozens of possible misconfigurations in different applications (68, for example, associated just with Apache RocketMQ, the open source distributed messaging and streaming platform). Citing just a few examples, Morag explains that “if you have an HTTP server, maybe you expose a template. In Kubernetes, by mistake, you could expose secrets, or roles. Or even a weak password can be a misconfiguration.”
Alongside this fuzzing list on the compromised server were follow-on files containing exploits for the various kinds of documented misconfigurations.
Besides misconfigurations, perfctl is also capable of gaining initial access to a server via various bugs, such as CVE-2023-33246, a remote command execution (RCE) vulnerability in Apache RocketMQ. CVE-2023-33246 earned a “critical” 9.8 out of 10 score on the Common Vulnerability Scoring System (CVSS) last year.
How perfctl Hides Loud Activity
Cryptomining and proxyjacking are loud by nature. Whether it be third-party proxyware or the XMRig Monero miner, the programs that perfctl drops onto a compromised server will exhaust its CPU resources. And yet, perfctl itself is not easy to spot or excise, thanks to its layers of sophisticated stealth and persistence mechanisms.
For example, to facilitate stealthy communication, the program drops a backdoor and listens for communications via Tor. And to avoid detection and obscure evidence of its presence, it uses process masquerading, copying itself to various locations under names that map to legitimate system processes.
The very name its authors gave to it, “perfctl,” is evidence of the same sort of tactic: “perf” is a Linux monitoring tool, and “ctl” is commonly used as a suffix for command line tools which control system components or services. The legitimate-looking name of the malware, then, allows it to more easily blend in with typical processes.
And then, after executing, perfctl deletes its binary but continues to run as a service behind the scenes.
To further hide its presence and malicious activities from security software and researcher scrutiny, it deploys a few Linux utilities repurposed into user-level rootkits, as well as one kernel-level rootkit. The kernel rootkit is especially powerful, hooking into various system functions to modify their functionality, effectively manipulating network traffic, undermining Pluggable Authentication Modules (PAM), establishing persistence even after primary payloads are detected and removed, or stealthily exfiltrating data.
And when a user logs in to the compromised server, perfctl instantly halts its noisiest behaviors, laying low until the user logs off and the coast is clear.
In short, “it’s a powerful tool,” Morag says. “You can decide to erase data, to steal data, to buy cryptocurrency, to do proxyjacking — it’s up to the attacker.”
Mitigation for perfctl & Other Fileless Malware
Those running Linux servers should take immediate steps to protect their environments, researchers warned. Aqua recommends the following mitigations for perfctl and similar threats:
Patch vulnerabilities: Ensure that all vulnerabilities are patched, particularly in internet-facing applications such as RocketMQ servers and in Polkit (CVE-2021-4043). Keep all software and system libraries up to date.
Restrict file execution: Set noexec on /tmp, /dev/shm and other writable directories to prevent malware from executing binaries directly from these locations.
Disable unused services: Disable any services that aren’t required, particularly those that may expose the system to external attackers, such as HTTP services.
Implement strict privilege management: Restrict root access to critical files and directories. Use role-based access control (RBAC) to limit what users and processes can access or modify.
Network segmentation: Isolate critical servers from the internet or use firewalls to restrict outbound communication, especially TOR traffic or connections to cryptomining pools.
Deploy runtime protection: Use advanced anti-malware and behavioral detection tools that can detect rootkits, cryptominers, and fileless malware like perfctl.
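As an added example (not code from the Aqua report or from this article), the following Python check covers two points raised above: it flags running processes whose /proc/<pid>/exe link ends in “ (deleted)”, which is the state perfctl leaves behind when it removes its binary but keeps running as a service, and it reports which of /tmp and /dev/shm are not mounted noexec. It assumes a Linux host with /proc available; the mount lines used for checking are constructed samples.

```python
"""Defender-side checks for two perfctl behaviours described in the article:
a process still running after its on-disk binary was deleted, and writable
directories (/tmp, /dev/shm) mounted without the noexec option."""
import os

# Directories the mitigation list says should carry noexec.
WRITABLE_DIRS = ("/tmp", "/dev/shm")


def parse_mounts(mounts_text):
    """Parse /proc/mounts-style text into {mount_point: set(options)}."""
    table = {}
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        table[fields[1]] = set(fields[3].split(","))
    return table


def dirs_missing_noexec(mounts_text, dirs=WRITABLE_DIRS):
    """Return the directories lacking noexec. A directory that is not its own
    mount point inherits the parent filesystem's options, which almost never
    include noexec, so it is reported as well."""
    table = parse_mounts(mounts_text)
    return [d for d in dirs if "noexec" not in table.get(d, set())]


def exe_is_deleted(exe_link_target):
    """True if a /proc/<pid>/exe target shows the binary was unlinked."""
    return exe_link_target.endswith(" (deleted)")


def deleted_binary_processes(proc_root="/proc"):
    """Scan proc_root and return (pid, exe target) for processes whose binary
    is gone. Entries we may not read (other users' processes when running
    unprivileged) are skipped; a missing proc_root yields an empty list."""
    hits = []
    if not os.path.isdir(proc_root):
        return hits
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue
        if exe_is_deleted(target):
            hits.append((int(entry), target))
    return hits


if __name__ == "__main__":
    with open("/proc/mounts") as f:
        for d in dirs_missing_noexec(f.read()):
            print(f"[!] {d} is not mounted noexec")
    for pid, target in deleted_binary_processes():
        print(f"[!] pid {pid} runs from a deleted binary: {target}")
```

A hit from the deleted-binary scan is not proof of infection on its own (package upgrades leave long-running daemons in the same state until restarted), so treat it as a lead to correlate with CPU usage and outbound Tor or mining-pool connections.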
About the Author
Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes “Malicious Life” – an award-winning Top 20 tech podcast on Apple and Spotify – and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts “The Industrial Security Podcast,” the most popular show in its field.