Perfctl Malware Hijacks Linux Servers for Cryptomining and Proxyjacking
Threat Group: - Unknown
Threat Type: - Cryptomining & Proxyjacking Malware
Exploited Vulnerabilities: - Polkit local privilege escalation (cited by the sources as CVE-2021-4043; the Polkit pkexec flaw known as PwnKit is tracked as CVE-2021-4034, so confirm the identifier against your patch records rather than relying on the number alone), Apache RocketMQ remote code execution (CVE-2023-33246)
Malware Used: - Perfctl
Threat Score: - High (8/10)
Last Threat Observation: - October 3, 2024
Overview:
Perfctl is a stealthy and persistent malware family targeting Linux servers. It gets in through misconfigurations, exposed credentials and remotely exploitable services, escalates to root with a Polkit privilege-escalation flaw (see Exploited Vulnerabilities above), and hijacks system resources for Monero cryptomining and proxyjacking. The malware hides behind legitimate-looking process names and uses rootkits to evade detection, making it a serious threat to Linux infrastructures worldwide.
Key Details:
- Delivery Method: Perfctl gains initial access through exposed or misconfigured services and leaked credentials, including remote code execution in Apache RocketMQ (CVE-2023-33246); once on the host it uses the Polkit privilege-escalation flaw to obtain root.
- Target: Linux servers, especially those with exposed services or misconfigurations.
- Functions:
- Downloads a payload named "httpd" from attacker-controlled servers.
- Copies itself into directories such as /tmp, /usr, and /root.
- Utilizes rootkits for concealment.
- Deploys a Monero (XMR) miner using XMRig.
- Establishes encrypted Tor-based communications to evade detection.
- Obfuscation: Perfctl mimics legitimate Linux system process names (e.g., sh, httpd), suspending activity when the server is in use and resuming when idle.
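To catch the process-name mimicry and delete-after-exec behaviour described above, the following added example (not code from the cited reports or from the malware itself) walks a process table and flags entries named sh, httpd or perfctl whose backing executable was unlinked after launch or resolves outside the system binary directories. The process records in SAMPLE and their paths are constructed; the trusted-prefix list and the name set are assumptions to tune for your own hosts.

```python
"""Flag processes that borrow a system-binary name (sh, httpd, perfctl)
but run from a deleted file or from outside the system binary paths.
Added example; not code from the cited reports or from the malware."""
import os
from dataclasses import dataclass

# Process names the advisory says perfctl hides behind, plus its own name.
MIMICKED_NAMES = {"sh", "httpd", "perfctl"}
# Where a genuine sh/httpd binary is expected to resolve (assumption; tune per distro).
TRUSTED_PREFIXES = ("/usr/bin/", "/bin/", "/usr/sbin/", "/sbin/", "/usr/lib/", "/usr/libexec/")


@dataclass
class Proc:
    pid: int
    comm: str      # /proc/<pid>/comm
    exe: str       # readlink(/proc/<pid>/exe); "" if unreadable or absent
    cmdline: str   # /proc/<pid>/cmdline with NULs replaced by spaces


def suspicious(p: Proc) -> list[str]:
    """Return the reasons a process looks like a perfctl-style impostor."""
    argv0 = os.path.basename(p.cmdline.split(" ", 1)[0]) if p.cmdline else ""
    if p.comm not in MIMICKED_NAMES and argv0 not in MIMICKED_NAMES:
        return []
    if not p.exe:
        return []  # kernel thread or insufficient privilege; scan as root for full coverage
    if p.exe.endswith(" (deleted)"):
        # The advisory's behaviour: the dropped binary is removed after exec
        # and the process keeps running from memory.
        return [f"pid {p.pid} ({p.comm}): backing binary deleted after exec: {p.exe}"]
    if not p.exe.startswith(TRUSTED_PREFIXES):
        return [f"pid {p.pid} ({p.comm}): executable outside system paths: {p.exe}"]
    return []


def scan(procs) -> dict[int, list[str]]:
    """Map pid -> reasons for every process that trips a check."""
    return {p.pid: reasons for p in procs if (reasons := suspicious(p))}


def scan_live() -> dict[int, list[str]]:
    """Build Proc records from /proc on a live Linux host and scan them."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue  # process exited between listdir and open
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = ""
        procs.append(Proc(pid, comm, exe, cmdline))
    return scan(procs)


# Constructed sample process table: two legitimate sh/httpd entries and two impostors.
SAMPLE = [
    Proc(1, "systemd", "/usr/lib/systemd/systemd", "/sbin/init"),
    Proc(812, "sh", "/usr/bin/dash", "sh -c /etc/cron.hourly/logrotate"),
    Proc(4120, "httpd", "/usr/sbin/httpd", "/usr/sbin/httpd -DFOREGROUND"),
    Proc(5077, "sh", "/tmp/sh (deleted)", "sh"),        # constructed: dropped in /tmp, then unlinked
    Proc(5078, "httpd", "/root/httpd", "/root/httpd"),   # constructed: copy placed under /root
]

if __name__ == "__main__":
    for reasons in scan(SAMPLE).values():
        print(*reasons, sep="\n")
```

Two limits worth knowing before trusting a clean result. A copy dropped under /usr/bin with a plausible name passes the path check, so pair this with hash matching on the directories the advisory names. And because Python enumerates /proc through libc, a rootkit loaded via /etc/ld.so.preload can filter the listing before this script sees it; run the scan from a statically linked tool or a rescue environment when you suspect that layer is compromised.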
Attack Vectors:
Perfctl reaches Linux servers through misconfigurations, exposed secrets, or remotely exploitable flaws such as Apache RocketMQ (CVE-2023-33246); the Polkit flaw is a local privilege escalation used after entry to obtain root. Once inside, it downloads its payload, copies itself to several locations on disk, and uses rootkits to establish persistence and hide its processes. Mining runs only while the server is idle and pauses while it is in use, so CPU snapshots taken during an administrator's interactive session show nothing unusual.
Known Indicators of Compromise (IoCs):
IP Addresses:
211[.]234[.]111[.]116
46[.]101[.]139[.]173
104[.]183[.]100[.]189
198[.]211[.]126[.]180
Domains:
bitping[.]com
earn[.]fm
speedshare[.]app
repocket[.]com
Files (MD5 Hashes):
656e22c65bf7c04d87b5afbe52b8d800
6e7230dbe35df5b46dcd08975a0cc87f
835a9a6908409a67e51bce69f80dd58a
cf265a3a3dd068d0aa0c70248cd6325d
da006a0b9b51d56fa3f9690cf204b99f
ba120e9c7f8896d9148ad37f02b0e3cb
Mitigation and Prevention:
- User Awareness: Educate system administrators on signs of cryptomining, proxyjacking, and other resource hijacking behaviors.
- Antivirus Protection: Use updated Linux-specific anti-malware tools to scan for rootkits and unauthorized processes.
- Monitor Persistence Points: Regularly check .bashrc, .profile, and /etc/ld.so.preload for unauthorized modifications; on a clean server /etc/ld.so.preload is normally absent or empty, so any entry in it deserves investigation.
- Network Segmentation: Restrict the exposure of critical systems and services to the internet.
- Regular Patching: Apply patches for known vulnerabilities such as Polkit (CVE-2021-4043) and Apache RocketMQ (CVE-2023-33246).
- System Monitoring: Track CPU usage continuously rather than by spot check, since the miner pauses while the server is in use, and watch network traffic for Tor connections and for the proxyjacking domains listed above.
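The IoC list above and the persistence-point and monitoring items in this section can be turned into one host audit. The following added example (not tooling from the cited reports) reports every entry in /etc/ld.so.preload, flags shell rc lines that launch something from a scratch directory or a non-system copy of sh/httpd/perfctl, hashes candidate files against the advisory's MD5 list, and matches resolver or firewall log lines against the IoC domains (including subdomains) and IP addresses. The .profile text and log lines are constructed; the scratch-directory and system-prefix lists are assumptions.

```python
"""Audit a host against the advisory's IoCs and persistence points.
Added example; not tooling from the cited reports."""
import hashlib
import os
import re

# Indicators copied from the IoC list above.
IOC_MD5 = {
    "656e22c65bf7c04d87b5afbe52b8d800", "6e7230dbe35df5b46dcd08975a0cc87f",
    "835a9a6908409a67e51bce69f80dd58a", "cf265a3a3dd068d0aa0c70248cd6325d",
    "da006a0b9b51d56fa3f9690cf204b99f", "ba120e9c7f8896d9148ad37f02b0e3cb",
}
IOC_DOMAINS = {"bitping.com", "earn.fm", "speedshare.app", "repocket.com"}
IOC_IPS = {"211.234.111.116", "46.101.139.173", "104.183.100.189", "198.211.126.180"}

SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")                  # assumption
SYSTEM_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/etc/", "/lib/", "/opt/")  # assumption
MIMICKED_NAMES = {"sh", "httpd", "perfctl"}
# Absolute paths not glued to a preceding word or $, so "$HOME/.bashrc" is not split into "/.bashrc".
PATH_RE = re.compile(r"(?<![\w.$])/(?:[\w.-]+/)*[\w.-]+")
TOKEN_RE = re.compile(r"[A-Za-z0-9.-]+")


def check_ld_preload(text: str, allowlist=()) -> list[str]:
    """A clean server has an absent or empty /etc/ld.so.preload, so every
    entry not on an explicit allowlist is reported."""
    entries = [ln.strip() for ln in text.splitlines()]
    return [e for e in entries if e and not e.startswith("#") and e not in allowlist]


def check_shell_rc(text: str) -> list[str]:
    """Report rc lines referencing a scratch-directory path or a copy of
    sh/httpd/perfctl outside the system directories."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for path in PATH_RE.findall(line):
            in_scratch = path.startswith(SCRATCH_DIRS)
            impostor = (os.path.basename(path) in MIMICKED_NAMES
                        and not path.startswith(SYSTEM_PREFIXES))
            if in_scratch or impostor:
                hits.append(line)
                break
    return hits


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def md5_matches(paths, iocs=IOC_MD5) -> dict[str, str]:
    """Hash each readable file and return those whose MD5 is an IoC."""
    found = {}
    for p in paths:
        try:
            with open(p, "rb") as f:
                digest = md5_hex(f.read())
        except OSError:
            continue  # missing or unreadable; report separately if needed
        if digest in iocs:
            found[p] = digest
    return found


def network_hits(log_lines, domains=IOC_DOMAINS, ips=IOC_IPS) -> list[tuple[str, str]]:
    """Return (indicator, line) for lines naming an IoC IP, an IoC domain,
    or any subdomain of one."""
    hits = []
    for line in log_lines:
        for tok in TOKEN_RE.findall(line):
            t = tok.lower().rstrip(".")
            if t in ips or any(t == d or t.endswith("." + d) for d in domains):
                hits.append((t, line))
                break
    return hits


# Constructed samples standing in for a real ~/.profile and real log lines.
SAMPLE_PROFILE = """\
# ~/.profile: executed by the command interpreter for login shells.
if [ -n "$BASH_VERSION" ]; then
    . "$HOME/.bashrc"
fi
PATH="$HOME/bin:$PATH"
/root/httpd >/dev/null 2>&1 &
"""
SAMPLE_LOG = [
    "2024-10-03T10:01:22Z resolver: query api.bitping.com. A from 10.0.0.7",
    "2024-10-03T10:01:23Z resolver: query pool.ntp.org. A from 10.0.0.7",
    "2024-10-03T10:02:10Z fw: NEW tcp src=10.0.0.7 dst=46.101.139.173 dport=443",
]

if __name__ == "__main__":
    print(check_shell_rc(SAMPLE_PROFILE))
    print(network_hits(SAMPLE_LOG))
    # Live use: check_ld_preload(open("/etc/ld.so.preload").read()) and
    # md5_matches(glob.glob("/tmp/*") + ...) over the directories the advisory names.
```

The four domains are commercial bandwidth-sharing services, which is why the proxyjacking component talks to them; a hit therefore proves that a client for one of them is running, not by itself that perfctl installed it, so confirm with the process and hash checks before acting. MD5 is used only because that is what the advisory publishes; prefer SHA-256 when you build your own indicator set.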
Conclusion:
The Perfctl malware poses a significant threat to Linux server environments due to its advanced evasion techniques, persistence, and ability to hijack resources for cryptomining and proxyjacking. Immediate attention to patching vulnerabilities and enhanced monitoring can reduce the risk of infection and prevent further damage to infrastructure.
Sources:
- The Hacker News - New Perfctl Malware Targets Linux Servers for Cryptocurrency Mining and Proxyjacking
- Bleeping Computer - New Perfctl Malware Targets Linux Servers for Cryptocurrency Mining and Proxyjacking
- Security Online - Linux Servers Under Siege: Perfctl Malware Evades Detection for Years
- Aqua Security - perfctl: A Stealthy Malware Targeting Millions of Linux Servers