New Linux Malware ‘Perfctl’ Targets Millions by Mimicking System Files
New Linux malware ‘Perfctl’ is targeting millions worldwide, mimicking system files to evade detection. This sophisticated malware compromises Linux servers, exploiting vulnerabilities for cryptomining and system resource hijacking.
Cybersecurity researchers at Aqua Nautilus have discovered a new Linux malware that has targeted millions worldwide, exploiting over 20,000 misconfigurations. The malware has been lurking for some time, but recently attacked a Nautilus honeypot, providing an opportunity to detect and examine this threat that can put any Linux server at risk.
According to Aqua Nautilus, this sophisticated Linux malware dubbed “perfctl” has been quietly targeting servers worldwide over the past few years. This highly persistent and evasive threat has been actively seeking vulnerabilities and misconfigurations to compromise systems.
The malware’s name comes from the cryptominer process, which drains system resources and causes significant issues for Linux developers. According to the company’s technical research, shared exclusively with Hackread.com ahead of its publication on Thursday, October 3, numerous incident reports and discussions in online communities point to the widespread prevalence of perfctl.
The malware’s impact has been felt across various developer forums, including Reddit, Stack Overflow, and others. “Usually in some of these posts, you can find replies with links to reports about the malware written by researchers. But in this case, however, none of these had links to such reports,” noted Assaf Morag and Idan Revivo in their research.
Another concerning trend highlighted by researchers is that Perfctl uses rootkits and evasion techniques to hide its presence from standard system tools and monitoring processes. It temporarily suspends its activities when new users log in, making it harder to detect. In addition, Perfctl uses Unix sockets for internal communication and the Tor network for external connections, making it difficult to track its activities.
The attack starts with the malware downloading a main payload, named “httpd”, from an attacker-controlled HTTP server. This payload has multiple layers of execution, ensuring persistence and evading detection. The malware copies itself to a new location, runs a new binary, terminates the original process, and deletes the initial binary.
It then executes the main payload under a different name, choosing the process’s name to appear less suspicious. The malware is executed by ‘sh’, changing its name from httpd to sh.
This malware gains persistence by self-replicating and using deceptive filenames that resemble legitimate system files. Perfctl copies itself to multiple locations on the disk, ensuring its survival even after system restarts or cleanups.
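The renaming described above (a payload running as “sh” or “httpd” from a location where no system binary belongs) can be checked by comparing each process's name with the path of its executable in /proc. The following is an added example, not code from Aqua Nautilus or the original article; the watched names, the directory list and the sample paths are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumption: directories where packaged system binaries normally live.
SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/")
# Assumption: names to watch; "sh" and "httpd" are the two the article mentions.
WATCHED_NAMES = {"sh", "bash", "httpd", "sshd", "cron"}

def scan(proc_root="/proc"):
    """Return (pid, comm, exe_path, deleted) for processes that use a watched
    name but whose executable lives outside SYSTEM_DIRS."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "comm")) as fh:
                comm = fh.read().strip()
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            continue  # kernel thread, process exited, or insufficient privileges
        # The kernel appends " (deleted)" when the binary was unlinked after exec.
        deleted = exe.endswith(" (deleted)")
        path = exe[:-len(" (deleted)")] if deleted else exe
        if comm in WATCHED_NAMES and not path.startswith(SYSTEM_DIRS):
            hits.append((int(entry), comm, path, deleted))
    return sorted(hits)

def build_sample_proc(root):
    """Constructed sample data: a miniature /proc tree with four fake processes."""
    sample = {
        "101": ("sh", "/usr/bin/dash"),                 # ordinary shell
        "202": ("sh", "/tmp/.cache/sh"),                # system name, temp path
        "303": ("httpd", "/var/tmp/httpd (deleted)"),   # system name, file unlinked
        "404": ("nginx", "/usr/sbin/nginx"),            # name not on the watch list
    }
    for pid, (comm, exe) in sample.items():
        os.makedirs(os.path.join(root, pid))
        with open(os.path.join(root, pid, "comm"), "w") as fh:
            fh.write(comm + "\n")
        os.symlink(exe, os.path.join(root, pid, "exe"))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for hit in scan(build_sample_proc(tmp)):
            print(hit)
```

Calling `scan()` with no argument reads the live /proc and needs root to see other users' processes. Because the article reports that perfctl uses rootkits to hide from standard tools, an empty result on a running host does not rule out infection.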
Perfctl’s primary goal is cryptomining, using infected systems for cryptocurrency generation. It has also been observed engaging in proxy-jacking, hijacking server resources for malicious purposes. Perfctl attempts to exploit the Polkit vulnerability (CVE-2021-4043) to gain root privileges, granting it greater access and control over the system.
Attack flow (Aqua Nautilus)
“Given the scale, we strongly believe the attackers targeted millions worldwide with a potential number of victims of thousands, it appears that with this malware any Linux server could be at risk.”
Aqua Nautilus
Perfctl’s rootkit and evasion techniques make detection challenging, while its deceptive filenames and behaviour can make it appear legitimate. Its dynamic behaviour can also hinder detection efforts.
To protect your Linux systems from Perfctl, regularly update your operating system and software with the latest security patches, conduct vulnerability assessments, implement robust network security measures like firewalls and intrusion detection systems, monitor system activity for unusual behaviour, and use security tools like endpoint protection solutions.