Linux systems targeted with stealthy “Perfctl” cryptomining malware
Thousands of Linux systems are likely infected with the highly elusive and persistent “perfctl” (or “perfcc“) cryptomining malware and many others still could be at risk of getting compromised, Aqua Security researchers revealed last week.
“In all the attacks observed, the malware was used to run a cryptominer, and in some cases, we also detected the execution of proxy-jacking software,” they shared.
“Perfctl” malware
Though the actual cryptomining is performed by XMRIG Monero cryptomining software, the name of the malware – perfctl – was derived from the name of the cryptominer process established on affected systems. (This process was repeatedly referenced by affected users, who have been looking for remediation advice on online forums for years.)
“By combining ‘perf’ (a Linux performance monitoring tool) with ‘ctl’ (commonly used to indicate control in command-line tools), the malware authors crafted a name that appears legitimate. This makes it easier for users or administrators to overlook during initial investigations, as it blends in with typical system processes,” the researchers explained.
The threat actor is installing the malware either by exploiting known vulnerabilities (e.g., RocketMQ) or 20,000 types of misconfigurations (e.g., lack of authentication in the default configuration of Selenium Grid).
The initial downloaded payload – the installation binary that’s effectively a multipurpose malware-dropper – copies itself from memory to a new location in the /tmp directory and runs the new binary from there. The original process and binary are terminated/deleted, and the new one functions as a dropper and a local command-and-control (C2) process.
The “perfctl” attack flow (Source: Aqua Security)
The malware:
- Contains and uses an exploit to CVE-2021-4034 (aka PwnKit) to attempt to gain full root privileges
- Modifies existing scripts to ensure execution of the malware and suppression of mesg errors (that might point to malicious execution), and drops a binary that verifies the execution of main payload
- Copies itself from memory to half a dozen other locations (with file names that mimic the names of conventional system files)
- Drops a rootkit to hide its presence and assure persistence, alter network traffic, etc.
- Drops several trojanized Linux utilities to hide specific attack elements (e.g., cron jobs created during the attack, cryptominer’s CPU consumption, malicious libraries and dependencies used by the malware), to prevent developers or security engineers from poinpointing what is attacking the machine
- Uses a Unix socket over TOR for external communications
- Drops and executes the XMRIG cryptominer and, occasionally, proxy-jacking software (roping the machine into a proxy network)
Another interesting thing about this malware is that it lays low – i.e., it stops all cryptomining activity – when a new user logs into the server – as noted by affected users.
Detection, removal, and mitigations
When it comes to cryptojacking, the longer the attackers manage to keep the compromise hidden from the user, the more money they will ultimately “earn”.
This is why the attackers went to great lengths to achieve stealth and persistence.
And while some users might not be too bothered by their system(s) being used for cryptomining or proxying for a while, they should reconsider their stance as the danger might be bigger that they thought.
“[We] have also observed the malware serving as a backdoor to install other families of malware,” the researchers noted.
Spotting “perfctl” malware on your system can be achieved through inspection of directories, processes, system logs and network traffic. Aqua has shared indicators of compromise and risk mitigation advice for users and admins of Linux systems.