Man
A hidden threat lurks in the bowels of your operating system.
Recently, researchers from Aqua Security discovered a campaign that attacks vulnerable Linux servers with a stealthy piece of malware called perfctl. The main goal of this program is to use the resources of compromised servers for covert cryptocurrency mining and proxyjacking.
Perfctl is notable for its high degree of stealth and persistence, achieved through a number of advanced techniques. As researchers Assaf Morag and Idan Revivo note, when a new user logs in to the server, the malware stops its "noisy" activity and goes dormant until the server becomes idle again. Once launched, the malware deletes its own binary file and continues to run in the background as a system service.
Some aspects of this attack had previously been identified by Cado Security, which discovered a campaign targeting Selenium Grid instances exposed on the Internet for cryptojacking and proxyjacking.
A distinctive feature of perfctl is its exploitation of a Polkit vulnerability (CVE-2021-4043, also known as PwnKit) to escalate privileges to root and inject a miner called perfcc. The name "perfctl" is chosen deliberately to masquerade as a legitimate system process: "perf" is the name of a Linux performance-monitoring tool, and "ctl" is a common suffix in command-line control utilities.
The attack begins by compromising a Linux server through a vulnerable instance of Apache RocketMQ, onto which a malicious file named "httpd" is downloaded. Once launched, it copies itself to a new location under the /tmp directory, deletes the original binary, and continues running from there.
In addition, perfctl disguises itself as harmless processes, installs a rootkit to evade defenses, and drops the miner payload. In some cases, proxyjacking software is also downloaded from a remote server and executed.
To protect against perfctl, we recommend that you keep your systems and software up to date, restrict file execution, disable unused services, apply network segmentation, and use role-based access control (RBAC) models to restrict access to critical files.
The researchers emphasize that the presence of perfctl can be detected by unexpected spikes in CPU usage or system slowdowns, particularly during periods when the server is otherwise idle, which is when the rootkit and the miner are active.
Source
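Because the miner goes quiet as soon as someone logs in, watching CPU load from an interactive session is an unreliable check. Two artifacts described in the post survive that trick: a process whose binary was deleted after launch (the kernel marks its /proc/<pid>/exe link with " (deleted)"), and a process with a system-looking name that executes from /tmp. The script below, an added example that is not Aqua Security's code or part of the original post, walks /proc for both. The process names perfctl, perfcc and httpd come from the post; the suspicious directories and the "trusted path" prefixes are assumptions an analyst would tune for their own hosts, and the sample process list is constructed for illustration.

```python
"""Hunt for processes matching the perfctl tradecraft: a running process
whose on-disk binary has been deleted, or a process with a system-looking
name executing from a scratch directory. Added example, not the
researchers' code. Names come from the post; paths are assumptions."""
import os
from dataclasses import dataclass

# Process names mentioned in the post (legitimate binaries with these names
# normally live under /usr or /bin, not in /tmp).
SUSPECT_NAMES = {"perfctl", "perfcc", "httpd"}
# Assumption: scratch locations a dropper would use; tune per host.
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Assumption: where package-managed binaries are expected to live.
TRUSTED_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/opt/")


@dataclass
class ProcInfo:
    pid: int
    comm: str   # contents of /proc/<pid>/comm
    exe: str    # readlink of /proc/<pid>/exe; ends in " (deleted)" if unlinked


def classify(p: ProcInfo) -> list[str]:
    """Return the reasons a process looks like perfctl (empty list = clean)."""
    reasons = []
    if p.exe.endswith(" (deleted)"):
        reasons.append("binary deleted while still running")
    path = p.exe.removesuffix(" (deleted)")
    if path.startswith(SUSPECT_DIRS):
        reasons.append(f"executing from scratch directory: {path}")
    if p.comm in SUSPECT_NAMES and not path.startswith(TRUSTED_PREFIXES):
        reasons.append(f"name {p.comm!r} mimics a system tool but runs outside trusted paths")
    return reasons


def snapshot_proc() -> list[ProcInfo]:
    """Read comm and exe for every PID in /proc (needs root to see all exe links)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue  # kernel threads have no exe; others may deny access
        procs.append(ProcInfo(pid, comm, exe))
    return procs


def hunt(procs: list[ProcInfo]) -> dict[int, list[str]]:
    """Map PID -> reasons for every process that triggers at least one rule."""
    findings = {}
    for p in procs:
        reasons = classify(p)
        if reasons:
            findings[p.pid] = reasons
    return findings


# Constructed sample modelled on the post: a real Apache httpd stays clean,
# the dropper masquerading as httpd under /tmp and a deleted perfctl are flagged.
SAMPLE = [
    ProcInfo(1, "systemd", "/usr/lib/systemd/systemd"),
    ProcInfo(842, "httpd", "/usr/sbin/httpd"),
    ProcInfo(2319, "httpd", "/tmp/.x/httpd (deleted)"),
    ProcInfo(2344, "perfctl", "/usr/bin/perfctl (deleted)"),
    ProcInfo(2401, "sshd", "/usr/sbin/sshd"),
]

if __name__ == "__main__":
    for pid, reasons in hunt(snapshot_proc()).items():
        print(pid, "; ".join(reasons))
```

Run it as root from cron or a scheduled job rather than from an interactive shell, since the deleted-exe marker persists whether or not the miner is currently throttled. A deleted running binary is not proof of compromise on its own (package upgrades produce the same state until the service restarts), so treat a hit as a lead to be confirmed by inspecting /proc/<pid>/maps and the process's network connections.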