Perfctl Malware
A strain of malware has infected thousands of Linux-based systems. It stands out for its stealth, the large number of misconfigurations it can exploit, and the wide range of malicious actions it can carry out.
First detected in 2021, this threat leverages over 20,000 commonly found misconfigurations to infiltrate systems, posing a risk to millions of Internet-connected devices. Additionally, it takes advantage of CVE-2023-33426, a critical vulnerability with a maximum severity score of 10 that was patched last year in Apache RocketMQ, a messaging and streaming platform widely used on Linux systems.
The Perfctl Malware Is Equipped with a Vast Array of Malevolent Capabilities
Perfctl derives its name from a malicious component that covertly mines cryptocurrency. The developers, whose identities remain unknown, combined the name of the Linux performance monitoring tool 'perf' with 'ctl,' a common abbreviation in command-line utilities. A notable feature of Perfctl is its use of process and file names that closely resemble those typically found in Linux environments, allowing it to evade detection by affected users.
To further conceal its presence, Perfctl employs various stealth tactics. Among these is the installation of many components as rootkits, a specific category of malware designed to hide from the operating system and administrative tools. Additional evasion strategies include:
- Stopping easily detectable activities upon new user logins
- Utilizing a Unix socket over TOR for external communication
- Deleting its installation binary after execution and subsequently running as a background service
- Hooking the libpcap packet-capture function pcap_loop so that administrative tools cannot record its malicious traffic
- Suppressing mesg errors to avoid visible alerts during execution
Perfctl is engineered for persistence, allowing it to remain on infected machines even after reboots or attempts to remove its core components. It achieves this through techniques such as modifying the ~/.profile script, which initializes the environment during user login, so that the malware loads before legitimate server processes. It also copies itself from memory to multiple disk locations. The hooking of pcap_loop further strengthens persistence by letting malicious activity continue even after the primary payloads have been detected and removed.
In addition to utilizing system resources to mine cryptocurrency, Perfctl transforms the infected machine into a profit-generating proxy, allowing paying customers to relay their internet traffic. Cybersecurity researchers have also noted that the malware functions as a backdoor for installing other malware families.
Attack Flow of the Perfctl Malware Infection
After taking advantage of a vulnerability or misconfiguration, the exploit code downloads the primary payload from a compromised server that has been turned into an anonymous distribution channel for the malware. In the examined attack, the payload was named httpd. Upon execution, the file replicates itself from memory to a new location in the /tmp directory, runs the copied version, terminates the original process, and deletes the downloaded binary.
Once relocated to the /tmp directory, the file executes under a different name that mimics a known Linux process, in this case sh. It then establishes a local Command-and-Control (C2) process. It seeks to gain root privileges by exploiting CVE-2021-4043, a privilege escalation vulnerability that was patched in 2021 in GPAC, a popular open-source multimedia framework.
The malware then copies itself from memory to several other disk locations, once again using names that resemble routine system files. It also deploys a rootkit along with a suite of commonly used Linux utilities that have been altered to function as rootkits, along with the mining component. In some instances, the malware installs software for "proxy-jacking," which refers to the covert routing of traffic through the infected machine, concealing the true origin of the data.
As part of its C2 operations, the malware opens a Unix socket, creates two directories within the /tmp directory, and stores operational data there. This data includes host events, the locations of its copies, process names, communication logs, tokens, and additional log information. Furthermore, it utilizes environment variables to store data that influences its execution and behavior.
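The persistence traits described above (a dropper that unlinks its own binary, copies running from /tmp under system-like names, a modified ~/.profile) and the C2 artifacts in this paragraph (a Unix socket and working directories under /tmp) can all be hunted for with data the kernel already exposes in /proc. The following Python script is an added example, not part of the original article or the researchers' tooling; the process list, ~/.profile contents and /proc/net/unix text it checks are constructed samples, and the mimicked-name list is taken only from the names this article mentions.

```python
"""Offline hunting checks for the Perfctl traits described in the article:
binaries running from temp directories under system-like names, droppers that
delete their own file after execution, ~/.profile lines that launch something
at login, and Unix sockets bound under /tmp.  Added example; sample data is
constructed, not taken from a real infection."""
import os
import re
from dataclasses import dataclass

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/", "/lib/", "/lib64/")
# Names the article says the malware borrows; extend with your own baseline.
MIMICKED_NAMES = {"sh", "httpd", "perfctl"}
TEMP_PATH_RE = re.compile(r"(?:^|[\s\"'=;(])(?:/tmp|/var/tmp|/dev/shm)/")
BACKGROUND_RE = re.compile(r"(?:^|\s)nohup\s|&\s*$")


@dataclass
class Proc:
    pid: int
    comm: str  # contents of /proc/<pid>/comm
    exe: str   # readlink(/proc/<pid>/exe); the kernel appends " (deleted)" if unlinked


def suspicious_processes(procs):
    """Return [(pid, [reasons])] for processes showing the described behaviour."""
    findings = []
    for p in procs:
        deleted = p.exe.endswith(" (deleted)")
        path = p.exe[: -len(" (deleted)")] if deleted else p.exe
        reasons = []
        if deleted:
            reasons.append("binary unlinked after execution")
        if path.startswith(TEMP_DIRS):
            reasons.append("running from a temp directory")
        if p.comm in MIMICKED_NAMES and not path.startswith(SYSTEM_DIRS):
            reasons.append(f"system-like name {p.comm!r} outside system paths")
        if reasons:
            findings.append((p.pid, reasons))
    return findings


def suspicious_profile_lines(profile_text):
    """Flag ~/.profile lines that launch something from a temp dir or in the background."""
    hits = []
    for lineno, line in enumerate(profile_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if TEMP_PATH_RE.search(stripped) or BACKGROUND_RE.search(stripped):
            hits.append((lineno, stripped))
    return hits


def temp_unix_sockets(proc_net_unix_text):
    """Parse /proc/net/unix and return bound socket paths located in temp dirs."""
    paths = []
    for line in proc_net_unix_text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) >= 8 and fields[7].startswith(TEMP_DIRS):
            paths.append(fields[7])
    return paths


def collect_live_processes():
    """Read the real /proc (root is needed to resolve other users' exe links)."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue
        procs.append(Proc(int(pid), comm, exe))
    return procs


# Constructed samples (hypothetical paths, not indicators from the report).
SAMPLE_PROCS = [
    Proc(1, "systemd", "/usr/lib/systemd/systemd"),
    Proc(812, "httpd", "/usr/sbin/httpd"),
    Proc(4242, "sh", "/tmp/sh (deleted)"),
]
SAMPLE_PROFILE = """# ~/.profile: executed by the command interpreter for login shells.
if [ -n "$BASH_VERSION" ]; then
    . "$HOME/.bashrc"
fi
PATH="$HOME/bin:$PATH"
/tmp/perfctl >/dev/null 2>&1 &
"""
SAMPLE_PROC_NET_UNIX = """Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 12345 /run/systemd/notify
0000000000000000: 00000002 00000000 00010000 0001 01 67890 /tmp/.perf.sock
"""

if __name__ == "__main__":
    print(suspicious_processes(SAMPLE_PROCS))
    print(suspicious_profile_lines(SAMPLE_PROFILE))
    print(temp_unix_sockets(SAMPLE_PROC_NET_UNIX))
```

For a live check, feed `collect_live_processes()` to `suspicious_processes`, the contents of each user's ~/.profile to `suspicious_profile_lines`, and the text of /proc/net/unix to `temp_unix_sockets`. Because the malware's rootkit components may hide processes and files from userland tools, a clean result from the compromised host's own /proc is not proof of absence; compare against an out-of-band view (a rescue boot or a disk image) when the host is suspect.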
All binaries are packed, stripped, and encrypted, showing a deliberate effort to evade security tools and complicate reverse engineering. The malware also uses advanced evasion tactics, such as pausing its activity when it detects a new login in the btmp or utmp files and terminating any competing malware to keep sole control of the infected system.
Perfctl Puts Tens of Thousands of Devices at Risk
By analyzing data on the number of Linux servers connected to the Internet across various services and applications, researchers estimate that thousands of machines are infected with Perfctl. Their findings indicate that the pool of vulnerable machines (those that have not yet applied the patch for CVE-2023-33426 or that still carry exploitable misconfigurations) numbers in the millions. However, the researchers have not yet assessed the total amount of cryptocurrency the miners have generated.
To check whether a device has been targeted or infected by Perfctl, administrators should look for the indicators of compromise the researchers identified. They should also watch for unusual spikes in CPU usage or unexpected system slowdowns, especially during periods when the machine should be idle.
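Because the miner pauses when it notices a new login, the most telling signal is sustained CPU load while nobody is logged in. The script below, an added example that is not part of the original article, turns that observation into a check: it parses the aggregate `cpu` line of /proc/stat from two samples, computes the busy fraction over the interval, and raises an alert only when the load exceeds a threshold and no interactive session exists. The two /proc/stat lines and the threshold are constructed assumptions; the `who` call is a standard coreutils/util-linux command.

```python
"""Flag sustained CPU load while no interactive user is logged in.
Added example with constructed /proc/stat samples; thresholds are assumptions."""
import subprocess
import time


def parse_cpu_line(line):
    """Parse the aggregate 'cpu' line of /proc/stat into (total_jiffies, idle_jiffies)."""
    fields = line.split()
    if not fields or fields[0] != "cpu":
        raise ValueError("expected the aggregate 'cpu' line of /proc/stat")
    values = [int(v) for v in fields[1:]]
    # Columns: user nice system idle iowait irq softirq steal [guest guest_nice].
    idle = values[3] + values[4]   # idle + iowait count as not busy
    total = sum(values[:8])        # guest time is already included in user/nice
    return total, idle


def busy_fraction(before_line, after_line):
    """Fraction of elapsed CPU time spent busy between two /proc/stat samples."""
    t0, i0 = parse_cpu_line(before_line)
    t1, i1 = parse_cpu_line(after_line)
    elapsed = t1 - t0
    if elapsed <= 0:
        return 0.0
    return 1.0 - (i1 - i0) / elapsed


def idle_cpu_alert(before_line, after_line, users, threshold=0.5):
    """Return an alert message when load exceeds threshold with no users logged in, else None."""
    frac = busy_fraction(before_line, after_line)
    if not users and frac > threshold:
        return f"CPU {frac:.0%} busy with no interactive session; check for rogue miners"
    return None


def read_cpu_line():
    """First line of the live /proc/stat (the aggregate 'cpu' counters)."""
    with open("/proc/stat") as fh:
        return fh.readline()


def logged_in_users():
    """User names from `who`; an empty list means no interactive session."""
    out = subprocess.run(["who"], capture_output=True, text=True, check=False).stdout
    return sorted({line.split()[0] for line in out.splitlines() if line.split()})


# Constructed samples: roughly 90% busy over the interval.
SAMPLE_BEFORE = "cpu  1000 0 500 8000 100 0 10 0 0 0"
SAMPLE_AFTER = "cpu  5000 0 1500 8500 120 0 20 0 0 0"

if __name__ == "__main__":
    first = read_cpu_line()
    time.sleep(5)  # sampling window; lengthen it for a quieter baseline
    print(idle_cpu_alert(first, read_cpu_line(), logged_in_users()))
```

Run it from cron or a systemd timer rather than from an interactive shell, since a live login is exactly what the malware watches for in utmp. The fixed 50% threshold is a starting point; set it from the host's own idle baseline, and treat a hit as a trigger for the process and socket checks, not as confirmation on its own.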