New Perfctl Malware Targets Linux Servers for Cryptocurrency Mining and Proxyjacking

October 3, 2024 at 10:45AM

Linux servers are under attack by a persistent campaign delivering perfctl malware, aiming to run a cryptocurrency miner and proxyjacking software. The elusive and stealthy malware employs sophisticated techniques including exploiting a security flaw in Polkit. It’s recommended to keep systems updated, restrict file execution, and enforce network segmentation to mitigate the risk.

The report from October 3, 2024 describes a significant threat to Linux servers: an ongoing campaign delivering the stealthy malware "perfctl", which is used to run a cryptocurrency miner and proxyjacking software. The malware is notably elusive and persistent, employing a range of techniques to avoid detection and keep its foothold on compromised servers.

Once on a host, it attempts to escalate privileges to root by exploiting vulnerabilities such as PwnKit (CVE-2021-4034) in Polkit's pkexec, and then drops the miner, a binary named perfcc. The name "perfctl" is deliberate: "perf" is a legitimate Linux performance-monitoring tool and "ctl" is a common suffix for control utilities, so the process blends in with legitimate system processes and is easy to overlook.

In the observed attack chain, a vulnerable Apache RocketMQ instance is exploited to deliver a payload named "httpd". That binary copies itself to a new location, executes the copy, terminates the original process, and deletes the initial binary to cover its tracks. The malware also drops a rootkit for defense evasion alongside the miner payload; in some cases it additionally retrieves and executes proxyjacking software from a remote server.

To mitigate the risk posed by perfctl, it’s essential to keep systems and all software up to date, restrict file execution, disable unused services, enforce network segmentation, and implement Role-Based Access Control (RBAC) to limit access to critical files. Additionally, detection methods such as monitoring unusual spikes in CPU usage and system slowdowns can help identify potential crypto mining activities on compromised servers.
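As an added example (not code from the article or from the researchers who analysed the malware), the following POSIX shell script turns the behaviours described above into a host check: it flags processes named perfctl or perfcc, processes whose executable has been deleted since launch (the copy-run-delete step of the attack chain leaves `/proc/PID/exe` pointing at a "(deleted)" path), processes executing from world-writable directories, and processes with sustained high CPU. The CPU threshold, the directory list and the sample inputs in the test are assumptions, not indicators taken from the original analysis.

```shell
#!/bin/sh
# hunt_perfctl.sh: look for perfctl-style indicators on a Linux host.
# Added example; not from the article or the analysis it summarises.
# CPU_THRESHOLD and the world-writable directories checked are assumptions.
set -u

CPU_THRESHOLD=${CPU_THRESHOLD:-80}

# classify_proc PID PCPU COMM EXE
#   PID  process id
#   PCPU percent CPU as printed by ps (e.g. 97.3)
#   COMM contents of /proc/PID/comm
#   EXE  target of /proc/PID/exe; readlink appends " (deleted)" when the
#        binary was unlinked after exec, which is exactly what perfctl does.
# Prints one finding line and returns 0 when any indicator matches, else 1.
classify_proc() {
    pid=$1; pcpu=$2; comm=$3; exe=$4
    reasons=""
    case "$comm" in
        perfctl|perfcc) reasons="$reasons;name matches perfctl/perfcc" ;;
    esac
    case "$exe" in
        *"(deleted)"*) reasons="$reasons;running from a deleted binary" ;;
    esac
    case "$exe" in
        /tmp/*|/var/tmp/*|/dev/shm/*)
            reasons="$reasons;executing from a world-writable directory" ;;
    esac
    cpu_int=${pcpu%.*}          # drop the fractional part for the comparison
    cpu_int=${cpu_int:-0}
    if [ "$cpu_int" -ge "$CPU_THRESHOLD" ]; then
        reasons="$reasons;cpu ${pcpu}% >= ${CPU_THRESHOLD}%"
    fi
    [ -n "$reasons" ] || return 1
    printf 'pid=%s comm=%s exe=%s : %s\n' "$pid" "$comm" "$exe" "${reasons#;}"
    return 0
}

# scan_live walks /proc, runs classify_proc on every process and prints a count.
scan_live() {
    hits=0
    for d in /proc/[0-9]*; do
        p=${d#/proc/}
        c=$(cat "$d/comm" 2>/dev/null) || continue   # process already gone
        e=$(readlink "$d/exe" 2>/dev/null) || e="?"   # kernel threads have no exe
        pc=$(ps -o pcpu= -p "$p" 2>/dev/null | tr -d ' ')
        if classify_proc "$p" "${pc:-0}" "$c" "$e"; then
            hits=$((hits + 1))
        fi
    done
    echo "suspicious processes: $hits"
}

# Only scan the live host when asked to, so the functions can be sourced safely.
case "${1:-}" in
    --scan) scan_live ;;
esac
```

Run it as root with `sh hunt_perfctl.sh --scan`; a hit on the "deleted binary" rule alone is worth a second look even at low CPU, since the miner may be throttled or idle. For the "restrict file execution" recommendation, mounting `/tmp`, `/var/tmp` and `/dev/shm` with `noexec` is the usual concrete step, and it removes the locations the third rule watches for.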
