Security
Headlines
HeadlinesLatestCVEs

Headline

New Perfctl Malware Targets Linux Servers for Cryptocurrency Mining and Proxyjacking

Linux servers are the target of an ongoing campaign that delivers a stealthy malware dubbed perfctl with the primary aim of running a cryptocurrency miner and proxyjacking software. “Perfctl is particularly elusive and persistent, employing several sophisticated techniques,” Aqua security researchers Assaf Morag and Idan Revivo said in a report shared with The Hacker News. "When a new user logs

The Hacker News
#linux#apache#git#The Hacker News

Linux servers are the target of an ongoing campaign that delivers a stealthy malware dubbed perfctl with the primary aim of running a cryptocurrency miner and proxyjacking software.

“Perfctl is particularly elusive and persistent, employing several sophisticated techniques,” Aqua security researchers Assaf Morag and Idan Revivo said in a report shared with The Hacker News.

“When a new user logs into the server, it immediately stops all ‘noisy’ activities, lying dormant until the server is idle again. After execution, it deletes its binary and continues to run quietly in the background as a service.”

It’s worth noting that some aspects of the campaign were disclosed last month by Cado Security, which detailed a campaign that targets internet-exposed Selenium Grid instances with both cryptocurrency mining and proxyjacking software.

Specifically, the perfctl malware has been found to exploit a security flaw in Polkit (CVE-2021-4043, aka PwnKit) to escalate privileges to root and drop a miner called perfcc.

The reason behind the name “perfctl” appears to be a deliberate effort to evade detection and blend in legitimate system processes, as “perf” refers to a Linux performance monitoring tool and “ctl” signifies control in various command-line tools, such as systemctl, timedatectl, and rabbitmqctl.

The attack chain, as observed by the cloud security firm against its honeypot servers, involves breaching Linux servers by exploiting a vulnerable Apache RocketMQ instance to deliver a payload named “httpd.”

Once executed, it copies itself to a new location in the “/tmp” directory, runs the new binary, terminates the original process, and deletes the initial binary in an attempt to cover its tracks.

Besides copying itself to other locations and giving itself seemingly innocuous names, the malware is engineered to drop a rootkit for defense evasion and the miner payload. Some instances also entail the retrieval and execution of proxyjacking software from a remote server.

To mitigate the risk posed by perfctl, it’s recommended to keep systems and all software up-to-date, restrict file execution, disable unused services, enforce network segmentation, and implement Role-Based Access Control (RBAC) to limit access to critical files.

“To detect perfctl malware, you look for unusual spikes in CPU usage, or system slowdown if the rootkit has been deployed on your server,” the researchers said. “These may indicate crypto mining activities, especially during idle times.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Related news

Stealthy Malware Has Infected Thousands of Linux Systems for Years

Perfctl malware is hard to detect, persists after reboots, and can perform a breadth of malicious activities.

New Linux Malware ‘Perfctl’ Targets Millions by Mimicking System Files

New Linux malware ‘Perfctl’ is targeting millions worldwide, mimicking system files to evade detection. This sophisticated malware compromises…

Near-'perfctl' Fileless Malware Targets Millions of Linux Servers

Armed with a staggering arsenal of at least 20,000 different exploits for various Linux server misconfigurations, perfctl is everywhere, annoying, and tough to get rid of.

Exposed Selenium Grid Servers Targeted for Crypto Mining and Proxyjacking

Internet-exposed Selenium Grid instances are being targeted by bad actors for illicit cryptocurrency mining and proxyjacking campaigns. "Selenium Grid is a server that facilitates running test cases in parallel across different browsers and versions," Cado Security researchers Tara Gould and Nate Bill said in an analysis published today. "However, Selenium Grid's default configuration lacks

Hackers Proxyjack & Cryptomine Selenium Grid Servers

A vendor honeypot caught two attacks intended to leverage the tens of thousands of exposed Selenium Grid Web app testing servers.

Gentoo Linux Security Advisory 202408-21

Gentoo Linux Security Advisory 202408-21 - Multiple vulnerabilities have been discovered in GPAC, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 2.2.0 are affected.

Debian Security Advisory 5411-1

Debian Linux Security Advisory 5411-1 - Multiple issues were found in GPAC multimedia framework, which could result in denial of service or potentially the execution of arbitrary code.