Stealthy ‘Perfctl’ Malware Infects Thousands of Linux Servers

The perfctl malware has been targeting vulnerabilities and misconfigurations in millions of Linux systems, likely infecting thousands.


Researchers at Aqua Security are raising the alarm for a newly discovered malware family targeting Linux systems to establish persistent access and hijack resources for cryptocurrency mining.

The malware, called perfctl, appears to exploit over 20,000 types of misconfigurations and known vulnerabilities, and has been active for more than three years.

Perfctl is built for evasion and persistence: Aqua Security found that it uses a rootkit to hide itself on compromised systems, runs in the background as a service, is only active while the machine is idle, relies on a Unix socket and Tor for communication, creates a backdoor on the infected server, and attempts to escalate privileges.

The malware’s operators have been observed deploying additional reconnaissance tools, proxy-jacking software, and a cryptocurrency miner.

The attack chain begins with the exploitation of a vulnerability or misconfiguration, after which the payload is downloaded from a remote HTTP server and executed. Next, it copies itself to a temp directory, kills the original process, deletes the initial binary, and executes from the new location.

The payload contains an exploit for CVE-2021-4043, a medium-severity null pointer dereference bug in the open source multimedia framework GPAC, which it runs in an attempt to gain root privileges. The bug was recently added to CISA’s Known Exploited Vulnerabilities catalog.


The malware was also seen copying itself to multiple other locations on the systems, dropping a rootkit and popular Linux utilities modified to work as userland rootkits, along with the cryptominer.

It opens a Unix socket to handle local communications and uses the Tor anonymity network for external command-and-control (C&C) communication.

“All the binaries are packed, stripped, and encrypted, indicating significant efforts to bypass defense mechanisms and hinder reverse engineering attempts,” Aqua Security added.

In addition, the malware monitors specific files and, if it detects that a user has logged in, suspends its activity to hide its presence. It also makes sure the user’s own shell configuration still runs in Bash sessions, so the server appears to behave normally while the malware is running.

For persistence, perfctl modifies a script so that the malware runs before the legitimate workload on the server. It also attempts to terminate the processes of other malware it may identify on the infected machine.

The deployed rootkit hooks various functions and modifies their functionality, including making changes that enable “unauthorized actions during the authentication process, such as bypassing password checks, logging credentials, or modifying the behavior of authentication mechanisms,” Aqua Security said.
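Taken together, the attack chain described above (the payload copied to a temp directory and the original binary deleted) and the userland rootkit give a defender two file-level indicators that do not depend on catching the miner while it is active. The triage script below is an added example, not code from the article or from Aqua Security: it walks a /proc-style tree and flags processes whose executable was deleted after launch or runs from scratch space, then looks for library preloading (a non-empty /etc/ld.so.preload, or LD_PRELOAD in a running process’s environment), the usual loading mechanism for userland rootkits. The scratch-directory list, the preload check, and the sample tree it builds are assumptions made for the demonstration, not indicators published for perfctl.

```shell
#!/bin/sh
# Added triage script (not from the article or Aqua's report). Pass /proc and
# /etc for a live host; the demo at the bottom builds a constructed tree so the
# script runs offline. Treating /tmp, /var/tmp and /dev/shm as scratch space is
# an assumption for this example, not a published perfctl indicator.

# 1. Processes whose binary was deleted after launch (the link reads
#    "/path (deleted)") or that run from a scratch directory.
scan_exe_links() {
    proc="$1"
    for exe in "$proc"/[0-9]*/exe; do
        [ -L "$exe" ] || continue
        pid=${exe#"$proc"/}; pid=${pid%/exe}
        target=$(readlink "$exe" 2>/dev/null) || continue
        case "$target" in
            *" (deleted)")                 echo "$pid deleted-binary $target" ;;
            /tmp/*|/var/tmp/*|/dev/shm/*)  echo "$pid scratch-dir $target" ;;
        esac
    done
}

# 2. Library preloading: entries in /etc/ld.so.preload, or LD_PRELOAD in a
#    process environment (environ is NUL-separated, hence the tr).
scan_preload() {
    proc="$1"; etc="$2"
    if [ -r "$etc/ld.so.preload" ]; then
        grep -v '^[[:space:]]*$' "$etc/ld.so.preload" | sed 's/^/ld.so.preload /'
    fi
    for env in "$proc"/[0-9]*/environ; do
        [ -r "$env" ] || continue
        pid=${env#"$proc"/}; pid=${pid%/environ}
        tr '\0' '\n' < "$env" | grep '^LD_PRELOAD=' | sed "s/^/$pid env /"
    done
}

# Constructed sample tree for the demonstration (synthetic, not captured data):
# pid 1 is benign, 4242 runs a deleted binary with LD_PRELOAD set, 4343 runs
# from /tmp, and ld.so.preload names one library.
build_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/proc/1" "$root/proc/4242" "$root/proc/4343" "$root/etc"
    ln -s /usr/sbin/sshd "$root/proc/1/exe"
    printf 'PATH=/usr/bin\000HOME=/root\000' > "$root/proc/1/environ"
    ln -s "/tmp/.x/payload (deleted)" "$root/proc/4242/exe"
    printf 'PATH=/usr/bin\000LD_PRELOAD=/usr/lib/libfoo.so\000' > "$root/proc/4242/environ"
    ln -s /tmp/sh "$root/proc/4343/exe"
    printf 'PATH=/usr/bin\000' > "$root/proc/4343/environ"
    printf '/usr/lib/libhook.so\n' > "$root/etc/ld.so.preload"
    echo "$root"
}

# Demo run against the constructed tree. On a live host use:
#   scan_exe_links /proc; scan_preload /proc /etc
root=$(build_sample)
scan_exe_links "$root/proc"
scan_preload "$root/proc" "$root/etc"
rm -rf "$root"
```

Run it from a trusted, statically linked toolset or a rescue boot: on an infected host the modified utilities and hooked functions the article describes can hide exactly these entries, and readlink on another user’s /proc/PID/exe needs root anyway. A "(deleted)" executable is also what you see after a package upgrade while the old process keeps running, and some legitimate tooling uses ld.so.preload, so treat the output as leads to correlate with the Unix socket and Tor traffic mentioned above, not as a verdict.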

The cybersecurity firm has identified three download servers associated with the attacks, along with several websites likely compromised by the threat actors, which led to the discovery of artifacts used in the exploitation of vulnerable or misconfigured Linux servers.

“We identified a very long list of almost 20K directory traversal fuzzing list, seeking mistakenly exposed configuration files and secrets. There are also a couple of follow-up files (such as the XML) the attacker can run to exploit the misconfiguration,” the company said.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
