Perfctl: The Silent Malware Infecting Thousands of Linux Servers

In a recent discovery by Aqua Security, a stealthy malware family named Perfctl has been found actively targeting Linux servers for over three years, getting in through server misconfigurations and known vulnerabilities. It has compromised thousands of systems, and its design priorities are evasion first and hijacking server resources to mine cryptocurrency second. Here's what you need to know about a malware family that has been flying under the radar.
How Perfctl Operates
Perfctl gets its initial foothold by exploiting known vulnerabilities and misconfigurations in Linux servers (Aqua counts more than 20,000 types of misconfiguration in the attackers' toolkit) and then establishes persistent access. Once inside, it does not raise alarms immediately. It hides itself with a rootkit and suspends its mining whenever a user logs in, so the miner only runs while the server looks idle. Its components talk to each other locally over a Unix socket, and command-and-control (C&C) traffic is relayed through the Tor network, which makes external commands difficult to trace.
Once on the system, the malware opens a backdoor and attempts privilege escalation, giving its operators remote control of the infected server. From there, Perfctl deploys reconnaissance tools, drops a cryptocurrency miner, and installs proxy-jacking software that sells the compromised server's bandwidth to third-party proxy networks. Its operators also deploy additional malware, turning infected servers into staging points for further attacks.
Evasion and Persistence Are the Key to Perfctl's Stealth
Perfctl is engineered for one thing above all else: staying hidden. It modifies system startup and login scripts so that it runs before legitimate workloads, maintaining its grip on the server across restarts. It also hooks authentication functions, allowing it to bypass password checks or log credentials, giving the attackers a path to further sensitive data. The malware goes as far as suspending its operations when it detects user activity, so an administrator who logs in to investigate sees a quiet machine.
Packed, stripped, and encrypted, Perfctl's binaries are built to evade signature-based detection and to slow down reverse engineering. Its creators have gone to great lengths to ensure that traditional defense mechanisms won't work against it. Perfctl is also not content merely to compromise a system: it actively looks for other malware on the server and attempts to terminate it, so that it is the only malicious payload consuming the machine's resources.
The Vulnerability: CVE-2021-4043 Exploited
One of the entry points Aqua observed is a known vulnerability, CVE-2021-4043, a medium-severity NULL pointer dereference bug in the open-source multimedia framework GPAC. According to Aqua, Perfctl attempts to exploit this bug to escalate its privileges and gain root. The vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, which confirms that it is being exploited in the wild. A practical check for administrators: this escalation path only applies where GPAC (and its MP4Box command-line tool) is actually installed, so servers without that package are not exposed through it, though they can still be compromised through the misconfigurations described above.
Once Perfctl has access, it spreads across the infected system, copying itself to multiple locations, and drops modified versions of standard Linux utilities that act as a userland rootkit. These trojanized utilities cloak its files and processes from the tools an administrator would normally use to look for them and let the cryptominer run in the background unnoticed.
The Scope of the Attack
Perfctl's reach is broad: Aqua Security identified three download servers used in the attacks and a long list of compromised websites. The threat actors behind Perfctl use directory traversal fuzzing lists containing nearly 20,000 entries to search for exposed configuration files and secrets. This makes it clear that the attackers are not relying on chance discoveries of vulnerabilities but are systematically scanning for misconfigurations to exploit.
What Can Be Done?
The discovery of Perfctl highlights the importance of maintaining secure configurations on Linux servers and patching known vulnerabilities as soon as possible. System administrators should regularly audit their systems for unusual activity, especially during idle periods when the miner is active, and monitor for suspicious network traffic (for example, outbound Tor connections from a server that has no business making them) that could indicate the presence of a rootkit or cryptocurrency miner. Because Perfctl replaces the very utilities used to inspect the system, audits should cross-check what those tools report against an independent source such as the package manager's recorded file hashes.
Given the sophisticated nature of Perfctl, traditional signature-based detection may not be enough. Organizations should consider runtime behavioural monitoring and file-integrity monitoring that can identify unusual patterns in server behavior, even when the malware is actively trying to hide.
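The following triage script is an added example, not Aqua's indicator list or any code from the Perfctl analysis. It implements generic Linux checks for the three behaviours described above: a userland rootkit loaded into every process, trojanized system utilities, and a miner that only works while nobody is logged in. The file paths are the standard ones; the PID probe limit (65535) and the idle-load threshold (1.0) are assumptions to adjust for the host.

```bash
#!/usr/bin/env bash
# Added triage checks for a userland rootkit, trojanized utilities and
# idle-only mining. Generic Linux checks (not Aqua's IOC list); the PID
# bound and load threshold are assumptions.

# 1. Anything listed in /etc/ld.so.preload is injected into every dynamically
#    linked process, which is how a userland rootkit filters what ps, ls and
#    top report. On a stock server the file is absent or empty.
check_preload() {                    # $1: preload file (default /etc/ld.so.preload)
  local f="${1:-/etc/ld.so.preload}"
  [ -s "$f" ] || return 0            # absent or empty: clean
  grep -v '^[[:space:]]*$' "$f"      # print each preloaded library
  return 1                           # non-zero: something is preloaded
}

# 2. Enumerate PIDs with stat() rather than readdir(). Preload rootkits hide
#    processes by hooking readdir/readdir64 (what ps and `ls /proc` use); they
#    rarely hook the stat call that [ -d ] makes, so this list is harder to trim.
#    $1: proc root (default /proc); $2: highest PID to probe (assumed 65535;
#    read /proc/sys/kernel/pid_max on the target for the real bound).
enumerate_pids_by_stat() {
  local root="${1:-/proc}" max="${2:-65535}" pid
  for ((pid = 1; pid <= max; pid++)); do
    [ -d "$root/$pid" ] && echo "$pid"
  done
  return 0
}

# 3. Any PID that exists on disk but is missing from ps output is being hidden
#    from userland tools. Arguments are passed through to enumerate_pids_by_stat.
hidden_pids() {
  comm -23 <(enumerate_pids_by_stat "$@" | sort) <(ps -eo pid= | tr -d ' ' | sort)
}

# 4. Verify the packages that own ps/top/ls/lsof/crontab/ldd against the package
#    manager's recorded hashes. Any line of output means an installed file no
#    longer matches what the package shipped. Package names differ per family.
verify_utils() {
  if command -v rpm >/dev/null 2>&1; then
    rpm -V coreutils procps-ng lsof cronie glibc-common
  elif command -v dpkg >/dev/null 2>&1; then
    dpkg --verify coreutils procps lsof cron libc-bin
  else
    echo "no rpm or dpkg found; verify utilities by hash manually" >&2
    return 2
  fi
}

# 5. The miner only runs while the server looks idle, so a box with no one
#    logged in should also have low load. $1: loadavg file (default
#    /proc/loadavg); $2: logged-in session count (default from `who`);
#    $3: 1-minute load considered abnormal for an idle server (assumed 1.0).
idle_load_check() {
  local f="${1:-/proc/loadavg}" users="${2:-$(who | wc -l | tr -d ' ')}" limit="${3:-1.0}" load
  read -r load _ < "$f"
  [ "$users" -eq 0 ] && awk -v l="$load" -v t="$limit" 'BEGIN { exit !(l > t) }' && {
    echo "idle host but 1-minute load is $load (limit $limit)"
    return 1
  }
  return 0
}

# Run all checks when executed directly (not when sourced).
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  echo "== preloaded libraries ==";   check_preload  || echo "WARNING: preload in use"
  echo "== hidden PIDs ==";           hidden_pids
  echo "== package verification =="; verify_utils
  echo "== idle load ==";             idle_load_check || echo "WARNING: busy while idle"
fi
```

Run it from a shell that has not inherited anything odd from the environment (a fresh SSH session as root is fine), and treat a non-empty preload file, any hidden PID, or modified package files as grounds for imaging the host rather than cleaning it in place, since the same rootkit that hides the miner will also hide whatever else the operators installed.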