Cybersecurity experts at Aqua Security have uncovered a sophisticated malware strain named “perfctl” that has been silently infiltrating poorly configured Linux servers for the past three years. This stealthy threat primarily focuses on deploying cryptocurrency miners and engaging in proxyjacking activities, potentially affecting millions of Linux servers worldwide.
Understanding the Perfctl Threat
Perfctl exhibits advanced evasion techniques, making it challenging to detect and remove. The malware’s name is derived from its attempt to blend in with legitimate Linux processes, combining “perf” (a reference to Linux performance monitoring tools) with “ctl” (a common suffix for command-line utilities).
Once installed, perfctl demonstrates remarkable adaptability:
- It immediately ceases all noticeable activity when a new user logs into the server
- The malware remains dormant until the server returns to an idle state
- After execution, it deletes its binary file and continues to operate quietly in the background as a service
Infection Vectors and Payload Deployment
The primary infection vectors for perfctl include:
- Misconfigured servers
- Exposed credentials (e.g., publicly accessible credential files)
- Open login interfaces
- Exploitation of known vulnerabilities, such as CVE-2023-33246 in Apache RocketMQ and CVE-2021-4034 (PwnKit) in Polkit
Upon gaining initial access, the malware deploys a packed and obfuscated payload named “httpd”. This payload copies itself to various system locations, ensuring persistence even if partially detected.
Advanced Evasion and Rootkit Deployment
Perfctl employs several sophisticated techniques to avoid detection:
- Opening a Unix socket for internal communications
- Establishing an encrypted communication channel with command and control servers via Tor
- Launching a rootkit (libgcwrap.so) that modifies authentication mechanisms and intercepts network traffic
- Installing additional rootkits that replace legitimate Linux utilities (ldd, top, crontab, lsof) with malicious versions
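The indicators listed in this section (a process named perfctl, an "httpd" payload that unlinks its own binary after launch, the libgcwrap.so rootkit, and replaced copies of ldd, top, crontab and lsof) can be turned into a host triage check. The script below is an added example and is not Aqua Security's tooling or anything from the write-up itself: it takes a snapshot of process names and `/proc/<pid>/exe` link targets, the contents of `/etc/ld.so.preload` (a general preload-rootkit check, an assumption here since the write-up does not say how the rootkit is loaded), and SHA-256 digests of the four utilities compared against a package manifest. All sample paths and file contents are constructed for the demonstration.

```python
import hashlib
from dataclasses import dataclass

# Indicators taken directly from the write-up.
SUSPECT_PROCESS_NAMES = {"perfctl", "httpd"}
ROOTKIT_LIBRARY = "libgcwrap.so"
REPLACED_UTILITIES = ("ldd", "top", "crontab", "lsof")


@dataclass(frozen=True)
class Finding:
    category: str   # "process", "preload" or "utility"
    detail: str


def check_processes(procs):
    """procs: list of {"pid", "comm", "exe"} built from /proc/<pid>/comm and
    readlink(/proc/<pid>/exe). When a running binary has been unlinked, the kernel
    appends ' (deleted)' to the exe link target, which matches the self-deleting
    behaviour described for the httpd payload."""
    findings = []
    for p in procs:
        deleted = p["exe"].endswith(" (deleted)")
        if p["comm"] == "perfctl":
            findings.append(Finding("process", f"pid {p['pid']} named perfctl ({p['exe']})"))
        elif p["comm"] in SUSPECT_PROCESS_NAMES and deleted:
            findings.append(Finding("process", f"pid {p['pid']} {p['comm']} runs from deleted binary {p['exe']}"))
    return findings


def check_preload(preload_text):
    """preload_text: contents of /etc/ld.so.preload, or '' if the file is absent.
    Checking the preload file is a generic rootkit hunt (assumption, not from the write-up)."""
    findings = []
    for line in preload_text.splitlines():
        lib = line.strip()
        if lib and ROOTKIT_LIBRARY in lib:
            findings.append(Finding("preload", f"{lib} listed in ld.so.preload"))
    return findings


def check_utilities(on_disk, expected_sha256):
    """on_disk: {name: bytes of the installed binary}; expected_sha256: {name: hex digest}
    taken from the distribution's package manifest. Any mismatch on the utilities the
    rootkit is known to replace is reported, as is a missing binary."""
    findings = []
    for name in REPLACED_UTILITIES:
        if name not in on_disk:
            findings.append(Finding("utility", f"{name} missing from disk"))
            continue
        digest = hashlib.sha256(on_disk[name]).hexdigest()
        if digest != expected_sha256.get(name):
            findings.append(Finding("utility", f"{name} digest {digest[:12]} does not match package manifest"))
    return findings


def triage(procs, preload_text, on_disk, expected_sha256):
    """Run all three checks and return the combined list of findings."""
    return (check_processes(procs)
            + check_preload(preload_text)
            + check_utilities(on_disk, expected_sha256))


# Constructed sample host state (paths and contents are invented for the demo).
SAMPLE_PROCS = [
    {"pid": 1, "comm": "systemd", "exe": "/usr/lib/systemd/systemd"},
    {"pid": 812, "comm": "httpd", "exe": "/usr/sbin/httpd"},            # legitimate web server, not flagged
    {"pid": 2190, "comm": "httpd", "exe": "/tmp/.x/httpd (deleted)"},  # payload launched, then unlinked
    {"pid": 2201, "comm": "perfctl", "exe": "/usr/bin/perfctl (deleted)"},
]
SAMPLE_PRELOAD = "/usr/lib/libgcwrap.so\n"
GOOD = {u: f"genuine {u} binary".encode() for u in REPLACED_UTILITIES}
SAMPLE_MANIFEST = {u: hashlib.sha256(b).hexdigest() for u, b in GOOD.items()}
SAMPLE_DISK = dict(GOOD)
SAMPLE_DISK["top"] = b"trojaned top that hides miner processes"

if __name__ == "__main__":
    for f in triage(SAMPLE_PROCS, SAMPLE_PRELOAD, SAMPLE_DISK, SAMPLE_MANIFEST):
        print(f"[{f.category}] {f.detail}")
```

Because the rootkit replaces ldd, top, crontab and lsof, the inputs should be collected with tools that do not depend on those binaries (reading `/proc` directly, hashing from a known-good live medium), otherwise the trojaned utilities can hide exactly the evidence being looked for. On the sample state the script reports the deleted-binary httpd, the perfctl process, the preload entry and the tampered top, and nothing for the legitimate web server or the untouched utilities.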
Cryptomining and Proxyjacking Activities
The primary payload of perfctl is twofold:
- Cryptomining: Deploying the XMRIG miner to mine Monero cryptocurrency using the infected server’s resources
- Proxyjacking: Stealing unused bandwidth from compromised systems and selling it through services like Bitping, Repocket, and Speedshare
Proxyjacking, a term coined analogously to cryptojacking, is particularly insidious as it only utilizes idle bandwidth, making it more challenging to detect than resource-intensive cryptomining operations.
Given the complexity of perfctl and its ability to modify legitimate Linux files, cybersecurity experts recommend a complete system wipe and reinstallation if infection is detected. To prevent such infections, server administrators should prioritize regular security audits, prompt patching of known vulnerabilities, and implementation of robust access controls and monitoring systems. As the threat landscape continues to evolve, maintaining vigilance and adopting a proactive approach to cybersecurity remains crucial for protecting Linux server environments.