Pervasive ‘perfctl’ Fileless Malware Threatens Millions of Linux Servers Globally
October 3, 2024
The 'perfctl' malware, also known as perfcc, has been plaguing Linux servers across the globe for years, deploying cryptomining and proxyjacking payloads. This persistent threat has been reported in countries ranging from the US and Russia to Germany, Indonesia, Korea, China, and Spain. Assaf Morag, chief researcher at Aqua Nautilus, recalls numerous instances of individuals struggling to eliminate the malware because of its persistent and elusive nature.
The malware exploits vulnerabilities and misconfigurations to gain initial access to servers. According to Aqua Nautilus, 'perfctl' has likely targeted millions of Linux servers and compromised thousands. Any Linux server connected to the internet is a potential target.
In addition to its cryptomining and proxyjacking activities, 'perfctl' has been observed dropping TruffleHog, a legitimate penetration testing tool used to discover hardcoded secrets in source code. Morag speculates that the operators may also be stealing secrets and selling them on the cyber underground.
The malware has an extensive repertoire of server misconfigurations and vulnerabilities that it can exploit. Researchers tracking its activities identified three web servers associated with the threat actor: two previously compromised, and one likely owned by the threat actor. The primary malware deployment base was one of the compromised servers.
The other compromised server contained a list of nearly 20,000 potential paths for directory traversal, including over 12,000 known server misconfigurations, nearly 2,000 paths to unauthorized credentials, tokens, and keys, over 1,000 techniques for unauthorized login, and dozens of possible application misconfigurations.
'perfctl' can also gain initial access to a server through various bugs, including CVE-2023-33246, a critical remote command execution vulnerability in Apache RocketMQ. Despite the loud nature of cryptomining and proxyjacking, 'perfctl' employs sophisticated stealth and persistence mechanisms, making it hard to detect or remove.
The malware uses process masquerading and a legitimate-sounding name to avoid detection. Once executed, it deletes its own binary and keeps running as a background service. To further obscure its activities, it deploys user-level and kernel-level rootkits.
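A process that keeps running after its binary has been deleted is visible in /proc: the kernel appends " (deleted)" to the target of /proc/<pid>/exe. The following scanner is an added example for defenders, not code from the article or from Aqua Nautilus; the sample process list and the path in it are constructed and are not indicators from the report.

```python
"""Flag running processes whose executable has been unlinked from disk.

Added example: reads /proc/<pid>/exe and /proc/<pid>/comm on a Linux host and
reports processes whose exe target ends with " (deleted)". Note the caveats:
a binary replaced by a package upgrade also shows as deleted until the service
restarts, and a kernel-level rootkit may hide its processes from /proc entirely.
"""
import os
from dataclasses import dataclass


@dataclass
class ProcInfo:
    pid: int
    comm: str        # short process name as shown by ps/top
    exe_target: str  # result of readlink("/proc/<pid>/exe")


def exe_is_deleted(exe_target: str) -> bool:
    """True when the kernel marks the exe symlink target as unlinked."""
    return exe_target.endswith(" (deleted)")


def find_deleted_exe_processes(procs):
    """Return the processes that are running from an unlinked binary."""
    return [p for p in procs if exe_is_deleted(p.exe_target)]


def collect_live_procs():
    """Walk /proc; skips PIDs that exit mid-scan or are not readable."""
    out = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
        except OSError:
            continue  # process gone or insufficient privileges
        out.append(ProcInfo(pid, comm, exe))
    return out


# Constructed sample: two ordinary services and one process whose binary is gone.
# The path is a placeholder, not an indicator of compromise from the report.
SAMPLE_PROCS = [
    ProcInfo(1, "systemd", "/usr/lib/systemd/systemd"),
    ProcInfo(1234, "sshd", "/usr/sbin/sshd"),
    ProcInfo(4321, "perfctl", "/PLACEHOLDER/path/perfctl (deleted)"),
]

if __name__ == "__main__":
    for p in find_deleted_exe_processes(collect_live_procs()):
        print(f"pid={p.pid} comm={p.comm} exe={p.exe_target}")
```

Run it as root on the host to see all processes; as an unprivileged user, /proc/<pid>/exe of other users' processes is not readable and those entries are skipped.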
When a user logs into a compromised server, 'perfctl' halts its most noticeable behaviors, resuming once the user logs off. In summary, 'perfctl' is a powerful tool, capable of data theft, cryptocurrency mining, and proxyjacking.
Linux server operators are advised to take immediate protective measures. Recommended mitigations include patching vulnerabilities, particularly CVE-2021-4043 and those in RocketMQ servers, restricting file execution, disabling unused services, implementing strict privilege management, network segmentation, and deploying runtime protection.