Stealthy “perfctl” Malware Exploits Linux Servers for Cryptojacking and Proxyjacking

Oct 4, 2024 | News





Perfctl Malware Targets Vulnerable Linux Servers

An ongoing campaign is exploiting misconfigured and vulnerable Linux servers to deliver a stealthy piece of malware tracked as Perfctl. Its purpose is to install a cryptocurrency miner and proxyjacking software on the compromised host. According to Aqua Security researchers Assaf Morag and Idan Revivo, Perfctl is unusually evasive, combining several techniques to avoid detection and to persist on the system across reboots and user logins.

PwnKit Exploitation for Privilege Escalation

Perfctl exploits the Polkit pkexec local privilege-escalation flaw CVE-2021-4034, commonly referred to as PwnKit, to gain root on the compromised system; the bug was patched in January 2022, so a host still exploitable this way has missed more than two years of updates. Once it has root, the malware installs a cryptocurrency miner called perfcc. The name "perfctl" is chosen to look like legitimate tooling: "perf" suggests the Linux performance-monitoring tool of that name and "ctl" is the usual suffix of control utilities such as systemctl, so the process blends in with normal system activity and evades casual inspection.


Attack Chain Involving Apache RocketMQ

The attack chain begins with the exploitation of a vulnerable Apache RocketMQ instance, a widely used messaging platform, to deliver a payload named httpd. Once the payload is executed, it copies itself to a different location, terminates the original process, and deletes the initial binary to cover its tracks, leaving a running process whose executable no longer exists on disk.

Figure: The entire attack flow

Cryptocurrency Mining and Proxyjacking Techniques

To stay hidden while it mines and proxyjacks, Perfctl installs a rootkit and retrieves and executes proxyjacking software from a remote server. Its processes carry names that mimic legitimate system processes, so they keep running in the background without drawing attention. The malware also suspends its "noisy" activities when a user logs in and resumes them only once the system is idle again, which defeats the quick check an administrator would normally make from an interactive shell.

 




Mitigation and Detection Strategies

To mitigate the risk posed by Perfctl, organizations should:

  • Patch promptly, starting with the two footholds this campaign relies on: Polkit (PwnKit, CVE-2021-4034) and Apache RocketMQ
  • Restrict file execution, for example by mounting world-writable directories such as /tmp and /dev/shm with noexec so a dropped payload cannot simply be run from there
  • Disable unnecessary services and do not expose message brokers such as RocketMQ directly to the internet
  • Implement Role-Based Access Control (RBAC) and network segmentation to limit what a compromised host can reach and which critical files it can touch

For detection, watch for unexplained CPU spikes or slowdowns, especially while nobody is logged in: the miner throttles itself when a user is present, so a quick look at top from an interactive session can appear clean. Sustained CPU use that only shows up in out-of-band monitoring is the tell for this family.
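The behaviours described in the attack-chain and evasion sections (a dropper that deletes its own binary after launch, processes with system-looking names running from unexpected places, a rootkit for stealth, mining that pauses when a user logs in) and the mitigation list above translate into a handful of concrete host checks. The script below is an added example written for this page, not code from Aqua Security or the article. It reads /proc on a Linux host and flags processes whose executable has been deleted or lives in a scratch directory, lists whatever /etc/ld.so.preload injects (a general user-mode rootkit hook, not something the article attributes to perfctl specifically), reports scratch mounts that allow execution, and applies the "busy only when nobody is logged in" heuristic to CPU samples you collect over time. The scratch and trusted directory lists, the 70 % busy threshold and the halving ratio are this example's own assumptions.

```python
"""Host triage for the perfctl behaviours described above: a running process whose
binary was deleted after launch, code run from scratch directories under a
system-looking name, an /etc/ld.so.preload hook, scratch mounts that allow
execution, and CPU that is high only while nobody is logged in.
Added example, not code from the Aqua Security report or the article; the
directory lists, lookalike names and thresholds are this example's choices."""
import os
from dataclasses import dataclass
from typing import List

SCRATCH_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")                    # assumption
TRUSTED_BIN_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/",
                    "/usr/lib/", "/usr/libexec/")                      # assumption
LOOKALIKE_NAMES = {"perfctl", "perfcc", "httpd"}   # names the article mentions


def _in_scratch(path: str) -> bool:
    return any(path == d.rstrip("/") or path.startswith(d) for d in SCRATCH_DIRS)


@dataclass
class ProcInfo:
    pid: int
    comm: str   # /proc/<pid>/comm
    exe: str    # readlink of /proc/<pid>/exe; ends in " (deleted)" if the file is gone
    cwd: str    # readlink of /proc/<pid>/cwd


def classify_process(p: ProcInfo) -> List[str]:
    """Suspicion reasons for one process; an empty list means nothing stood out."""
    reasons = []
    if p.exe.endswith(" (deleted)"):
        reasons.append("binary deleted after exec")
    exe_path = p.exe.removesuffix(" (deleted)")
    if _in_scratch(exe_path) or _in_scratch(p.cwd):
        reasons.append("runs from scratch directory")
    if p.comm in LOOKALIKE_NAMES and not exe_path.startswith(TRUSTED_BIN_DIRS):
        reasons.append(f"system-looking name {p.comm!r} but exe is {exe_path or '?'}")
    return reasons


def collect_processes(proc: str = "/proc") -> List[ProcInfo]:
    """Read the live process table (run as root, or other users' exe/cwd read as '')."""
    def link(base: str, entry: str) -> str:
        try:
            return os.readlink(os.path.join(base, entry))
        except OSError:   # kernel thread, exited process, or permission denied
            return ""
    found = []
    for name in filter(str.isdigit, os.listdir(proc)):
        base = os.path.join(proc, name)
        try:
            with open(os.path.join(base, "comm")) as fh:
                comm = fh.read().strip()
        except OSError:
            continue
        found.append(ProcInfo(int(name), comm, link(base, "exe"), link(base, "cwd")))
    return found


def parse_ld_preload(text: str) -> List[str]:
    """Shared objects /etc/ld.so.preload injects into every dynamically linked
    program, the classic user-mode rootkit hook; a server should have none.
    '#' is treated as starting a comment."""
    return [lib for line in text.splitlines() for lib in line.split("#", 1)[0].split()]


def scratch_mounts_without_noexec(mounts_text: str) -> List[str]:
    """Scratch mount points lacking the noexec option, from /proc/mounts text."""
    return [f[1] for f in (line.split() for line in mounts_text.splitlines())
            if len(f) >= 4 and _in_scratch(f[1]) and "noexec" not in f[3].split(",")]


@dataclass
class LoadSample:
    cpu_busy_pct: float
    logged_in_users: int    # e.g. the line count of `who`


def idle_only_cpu(samples: List[LoadSample], busy: float = 70.0, drop: float = 0.5) -> bool:
    """True when the host is busy with nobody logged in and markedly quieter once
    someone is: the pause-on-login behaviour described above."""
    idle = [s.cpu_busy_pct for s in samples if s.logged_in_users == 0]
    active = [s.cpu_busy_pct for s in samples if s.logged_in_users > 0]
    if not idle or not active:
        return False
    mean_idle, mean_active = sum(idle) / len(idle), sum(active) / len(active)
    return mean_idle >= busy and mean_active <= mean_idle * drop


if __name__ == "__main__":
    for proc in collect_processes():
        for why in classify_process(proc):
            print(f"pid {proc.pid} ({proc.comm}): {why}")
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as fh:
            print("ld.so.preload entries:", parse_ld_preload(fh.read()))
    with open("/proc/mounts") as fh:
        print("scratch mounts without noexec:", scratch_mounts_without_noexec(fh.read()))
```

Run it as root from a cron job or a monitoring agent rather than from an interactive login, since the malware is described as going quiet when a user is present; feed idle_only_cpu with samples gathered the same way (CPU busy percentage plus the number of logged-in users at each interval). A process that reports "binary deleted after exec" is not automatically malicious, since package upgrades leave long-running daemons in the same state, but combined with a scratch-directory path or a lookalike name it is worth pulling the memory image before the process is killed.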


Source: thehackernews.com

