A sophisticated malware strain dubbed “Perfctl” has been discovered infecting thousands of Linux machines. Aqua Security researchers revealed their findings on Thursday, highlighting the malware’s stealth capabilities and its ability to exploit a wide range of misconfigurations.
Key Features of Perfctl
Perfctl, which has been active since at least 2021, stands out for several reasons:
- Exploitation of misconfigurations: It can take advantage of over 20,000 common misconfigurations, potentially putting millions of internet-connected machines at risk.
- CVE-2023-33246 vulnerability: The malware can exploit this critical vulnerability (rated 10/10 in severity) in Apache RocketMQ, a popular messaging and streaming platform for Linux.
- Stealth mechanisms: Perfctl employs various techniques to avoid detection, including:
  - Using rootkits to hide from the operating system and admin tools
  - Stopping easily detectable activities when a new user logs in
  - Communicating via a Unix socket over Tor
  - Deleting its installation binary after execution
  - Manipulating the pcap_loop function used by packet-capture tools to prevent traffic recording
  - Suppressing error messages during execution
- Persistence: The malware ensures it remains on infected machines by modifying login scripts and copying itself to multiple locations.
Malicious Activities
Once installed, Perfctl engages in several harmful activities:
- Cryptocurrency mining: It uses the infected machine’s resources to mine cryptocurrency.
- Proxy-jacking: The malware sells the machine’s bandwidth as a proxy, routing paying customers’ internet traffic through it.
- Backdoor installation: Researchers have observed Perfctl as a gateway for installing other malware families.
Infection Process
The malware’s infection process is complex and well-designed to evade detection:
- Initial exploit: Perfctl exploits vulnerabilities or misconfigurations to gain access.
- Payload download: The main payload is downloaded from a compromised server.
- Self-relocation: The malware copies itself to the /tmp directory and executes under a different name.
- Privilege escalation: It attempts to gain root access by exploiting CVE-2021-4043 in the GPAC multimedia framework.
- Component installation: Perfctl installs rootkits, modified Linux utilities, and mining software.

Impact and Scope
Aqua Security researchers estimate that thousands of Linux machines are infected with Perfctl. The potential target pool is much larger, with millions of vulnerable machines connected to the internet.
Assaf Morag, Threat Intelligence Director at Aqua Security, stated, “Perfctl malware stands out as a significant threat due to its design, which enables it to evade detection while maintaining persistence on infected systems.”
Detection and Prevention
To detect Perfctl infections, users should look for:
- Unusual CPU usage spikes
- Sudden system slowdowns, especially during idle times
- The specific indicators of compromise listed in Aqua Security’s report
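The indicators above are behavioural, so a quick host triage helps narrow them down. The script below is an added example, not part of the article or of Aqua Security’s report: it checks a Linux host for two of the traits the article describes, processes whose binary was deleted after launch or that run from /tmp, and login-script lines that execute something from a temporary directory. The directory lists, the regex and the sample login-script contents are my own assumptions.

```python
#!/usr/bin/env python3
"""Triage checks for Perfctl-style behaviour on a Linux host (added example)."""
import os
import re
from pathlib import Path

# Assumption: staging directories a dropper relocates into (the article names /tmp).
SUSPECT_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
# Assumption: login scripts worth checking for injected persistence lines.
LOGIN_SCRIPTS = ("~/.profile", "~/.bashrc", "~/.bash_profile", "/etc/profile")
# Matches a temp-dir path in command position (after start of line, whitespace or an operator).
TEMP_EXEC = re.compile(r"(^|[\s;&|(])(/tmp|/dev/shm|/var/tmp)/\S+")

# Constructed sample of a tampered ~/.profile, used only to demonstrate the scan.
SAMPLE_PROFILE = (
    "# ~/.profile\n"
    "export PATH=$PATH:$HOME/bin\n"
    "nohup /tmp/.hidden/worker >/dev/null 2>&1 &\n"
    "TMPDIR=/tmp/build\n"
)

def classify_exe(exe_target: str) -> list[str]:
    """Map the readlink target of /proc/<pid>/exe to indicator names.
    A binary unlinked after launch shows as '<path> (deleted)'; note that a daemon
    left running across a package upgrade looks the same, so treat this as a lead."""
    findings = []
    if exe_target.endswith(" (deleted)"):
        findings.append("binary-deleted-after-exec")
        exe_target = exe_target[: -len(" (deleted)")]
    if exe_target.startswith(SUSPECT_DIRS):
        findings.append("runs-from-temp-dir")
    return findings

def suspicious_script_lines(text: str) -> list[str]:
    """Return non-comment login-script lines that execute something from a temp dir."""
    return [ln.strip() for ln in text.splitlines()
            if not ln.lstrip().startswith("#") and TEMP_EXEC.search(ln)]

def scan_live_host() -> dict[str, list[str]]:
    """Walk /proc and the login scripts on this host; returns {indicator: [pid or line]}."""
    report: dict[str, list[str]] = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            target = os.readlink(f"/proc/{pid}/exe")
        except OSError:  # kernel threads, or processes this user may not inspect
            continue
        for name in classify_exe(target):
            report.setdefault(name, []).append(pid)
    for script in LOGIN_SCRIPTS:
        path = Path(script).expanduser()
        if path.is_file():
            for ln in suspicious_script_lines(path.read_text(errors="replace")):
                report.setdefault("login-script-temp-exec", []).append(f"{path}: {ln}")
    return report

if __name__ == "__main__":
    for indicator, hits in scan_live_host().items():
        print(indicator, *hits, sep="\n  ")
```

Run it as root to see every process; hits are triage leads to confirm against the report’s indicators, not verdicts on their own.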
To prevent infections:
- Install the patch for CVE-2023-33246
- Address the misconfigurations identified by Aqua Security
- Implement robust security measures and keep systems updated