A stealthy Linux malware known as “perfctl” has been targeting servers and workstations for at least three years, evading detection through sophisticated evasion tactics and the use of rootkits.
According to researchers at Aqua Nautilus, who discovered the malware, perfctl has likely infected millions of Linux systems in recent years, with thousands of victims reporting indicators of compromise linked to the malware.
The primary purpose of perfctl is cryptomining: using the compromised systems to mine the privacy-focused Monero cryptocurrency. However, the malware’s capabilities could easily be leveraged for more damaging operations.
Perfctl’s Infection Chain
Aqua Nautilus believes the threat actors behind perfctl exploit misconfigurations or exposed secrets to gain initial access to Linux servers. This includes publicly accessible files containing credentials or exposed login interfaces.
The researchers have also observed the malware exploiting vulnerabilities like CVE-2023-33246, a remote code execution flaw in Apache RocketMQ, and CVE-2021-4034 (PwnKit), an elevation of privilege bug in Polkit.
Once access is established, the malware’s packed and obfuscated payload, dubbed “httpd,” is downloaded and executed. It then copies itself to various system locations, including “/tmp,” “/root/.config,” and “/usr/bin,” to ensure persistence.
Evasion and Cryptomining Operations
When launched, perfctl opens a Unix socket for internal communications and establishes an encrypted TOR-based channel with the attackers’ servers, making the traffic impossible to decipher.
The malware then drops a rootkit named “libgcwrap.so” that hooks into system functions to modify authentication mechanisms and intercept network traffic, facilitating evasion.
Additional userland rootkits are also deployed, replacing common Linux utilities like “ldd,” “top,” “crontab,” and “lsof” with trojanized versions, further obscuring the malware’s activities.
Finally, an XMRIG cryptominer is executed to mine Monero using the system’s CPU resources. The miner communicates with mining pools over TOR, which obscures both the network traffic and where the proceeds go.
In some cases, Aqua Nautilus has observed the deployment of proxy-jacking software, allowing the attackers to monetize the infected systems’ unused network bandwidth.
The malware is highly evasive, stopping the cryptomining immediately when a user logs into the system and resuming once the server is idle again. This, combined with the use of rootkits, makes it challenging to detect and remove.
Detecting and Mitigating Perfctl
The researchers have recommended several detection and mitigation strategies, including:
- Regularly inspecting suspicious files in “/tmp,” “/usr,” and “/root”
- Monitoring CPU usage and processes like “httpd” and “sh” running from unexpected locations
- Scrutinizing system configuration files for unauthorized modifications
- Analyzing network traffic for TOR connections and outbound traffic to mining pools
- Patching vulnerabilities like CVE-2023-33246 and CVE-2021-4034
- Disabling unused HTTP services and applying the “noexec” option to critical directories
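As an added example (not from the article or from Aqua Nautilus), the following Python triage helpers implement three of the checks above against constructed sample data: whether processes named “httpd” or “sh” run from an unexpected path or a known drop directory, whether “/etc/ld.so.preload” references the “libgcwrap.so” rootkit, and whether temp filesystems are mounted without “noexec.” The expected-path allowlist and every sample path are assumptions, not real indicators.

```python
import os

# Expected install paths for the binaries perfctl impersonates (assumed
# allowlist; adjust to the distro, e.g. Debian ships apache2, not httpd).
EXPECTED_EXE = {
    "httpd": {"/usr/sbin/httpd", "/usr/local/apache2/bin/httpd"},
    "sh": {"/bin/sh", "/usr/bin/sh", "/bin/dash", "/usr/bin/dash"},
}
DROP_DIRS = ("/tmp/", "/root/.config/")   # drop locations named in the article
ROOTKIT_NAME = "libgcwrap.so"             # userland rootkit named in the article


def suspicious_processes(ps_lines):
    """Each line is 'pid comm exe' (e.g. ps -eo pid=,comm= plus readlink /proc/PID/exe).
    Flag httpd/sh whose executable is not at an expected path (a binary deleted
    from disk shows as '... (deleted)' and is flagged too) and any process whose
    executable lives in a known drop directory."""
    hits = []
    for line in ps_lines:
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue
        pid, comm, exe = parts
        expected = EXPECTED_EXE.get(comm)
        if (expected is not None and exe not in expected) or exe.startswith(DROP_DIRS):
            hits.append((int(pid), comm, exe))
    return hits


def preload_hits(preload_text):
    """Entries in /etc/ld.so.preload that name the rootkit or sit in a drop dir."""
    return [p for p in preload_text.split()
            if os.path.basename(p) == ROOTKIT_NAME or p.startswith(DROP_DIRS)]


def mounts_missing_noexec(mounts_text, targets=("/tmp", "/var/tmp", "/dev/shm")):
    """Parse /proc/mounts lines ('dev mountpoint fstype opts 0 0') and return
    the target mount points that lack the noexec option."""
    missing = []
    for line in mounts_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[1] in targets and "noexec" not in f[3].split(","):
            missing.append(f[1])
    return missing


# Constructed sample data (not real indicators) so the checks run offline.
SAMPLE_PS = ["1 systemd /usr/lib/systemd/systemd", "812 httpd /usr/sbin/httpd",
             "4213 httpd /usr/bin/httpd", "4220 sh /tmp/sh", "4300 sh /bin/sh"]
SAMPLE_PRELOAD = "/usr/lib/libgcwrap.so\n"
SAMPLE_MOUNTS = ("tmpfs /tmp tmpfs rw,nosuid,nodev 0 0\n"
                 "tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0\n")
```

On a live host, feed the functions the output of `ps -eo pid=,comm=` joined with `readlink /proc/PID/exe`, the contents of `/etc/ld.so.preload`, and `/proc/mounts`; because perfctl’s rootkits trojanize utilities such as “ldd,” “top,” and “lsof,” read “/proc” directly rather than trusting those tools.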
As the malware modifies and replaces legitimate Linux files, the best solution is often to wipe and reinstall the affected systems to ensure no remnants of the infection remain.
The widespread and long-running nature of the perfctl campaign underscores the need for vigilance and proactive security measures to protect Linux environments from this stealthy cryptomining threat.