Beware of New Crypto Malware Targeting Linux: Perfctl


Perfctl is a stealthy Linux malware family that, according to researchers at Aqua Security, has infected thousands of Linux machines. It is hard to detect, highly persistent, and able to carry out several kinds of malicious activity, which makes it a significant threat to servers and the organisations that run them. Here is what you need to know about Perfctl and how to protect your systems.

What is Perfctl?

Perfctl is cryptomining malware: it quietly uses the machines it infects to mine cryptocurrency for its operators. It has been active since at least 2021 and gains its initial foothold by exploiting server misconfigurations; the researchers identified more than 20,000 kinds of misconfiguration it can take advantage of, which puts millions of Internet-facing Linux systems in scope. It has also been observed exploiting CVE-2023-33246, a critical remote code execution vulnerability in Apache RocketMQ (CVSS 9.8). A fix has been available since 2023, yet many systems remain unpatched.

How Perfctl Evades Detection

One of the malware's key tactics is hiding in plain sight. It uses process and file names that look like legitimate Linux components so that nothing stands out: the name itself borrows from perf, the Linux performance-monitoring tool, plus the ctl suffix common to system utilities. It also deploys a rootkit that hides its files, processes and network traffic from standard system tools, and therefore from administrators. Other techniques include:

  • Suspending its activity when a user logs in and resuming when the user logs out, so that interactive inspection sees nothing unusual.
  • Deleting its original binary after installation and continuing to run from copies elsewhere on disk, leaving few obvious traces.
  • Using TOR for external communications to anonymize its traffic.

Persistence After Reboots

Perfctl is particularly dangerous because of its persistence—it doesn’t go away after a reboot. It can:

  • Modify the ~/.profile file, which runs at user login, so it loads before legitimate workloads.
  • Copy itself to multiple locations on the disk to prevent complete removal.

Even if administrators manage to detect and remove parts of the malware, Perfctl can respawn and continue its malicious activities.

What Does Perfctl Do?

Perfctl's main function is cryptomining, meaning it hijacks the machine’s resources to mine cryptocurrency for the attackers. But that’s not all. It also:

  • Turns infected machines into proxy servers, allowing paying customers to relay internet traffic through them.
  • Installs other malware that can perform different malicious activities, such as data theft or deploying additional payloads.

Real-World Impact

Administrators have reported a rise in servers infected by Perfctl. In one case, an admin noticed the infection because CPU usage sat at 100%, yet as soon as they logged in the malware stopped, only to restart once they logged out. Despite their removal attempts, the malware came back after every reboot. This persistence makes it extremely frustrating and dangerous for system administrators.

How to Protect Your Systems

Here’s how you can minimize the risk of getting infected by Perfctl:

  1. Patch your systems regularly. Keep your Linux servers and the services they host up to date, in particular against CVE-2023-33246 (Apache RocketMQ) and other known vulnerabilities.
  2. Review system configurations. Perfctl's initial access relies on server misconfigurations, so audit which services are exposed to the Internet and how they are configured.
  3. Monitor CPU usage out of band. Sustained spikes in CPU usage can indicate a cryptominer like Perfctl at work. Because the malware pauses when someone logs in, a check from an interactive session may show nothing; rely on a metrics agent, hypervisor or cloud-provider CPU graphs, or a scheduled job that records load while nobody is logged in.
  4. Limit root access. Perfctl needs root to install its rootkit and system-wide persistence, so restrict privileged access to trusted users and keep privilege-escalation vulnerabilities patched.
  5. Consider reinstalling the OS. If you suspect a machine is compromised, it is usually safer to wipe the system and reinstall it, because Perfctl is designed to be hard to remove completely.

In summary, Perfctl is a sophisticated malware targeting Linux servers. It hides its activities, persists after reboots, and can be used for cryptomining, proxy-jacking, and further malware installations. Protect your systems by staying up-to-date with patches, reviewing configurations, and monitoring system resources.

Files and Directories Added by the Malware

The malware adds several files, directories, and cron jobs to the infected system to ensure its persistence and stealth.

The cron entry lives under /etc/cron.d and fires at minute 11 of every hour, executing the copy of the miner stored at /root/.config/cron/perfcc.

Several files are added by the malware. The main executable is /usr/bin/perfcc, likely the core of the malware. A second copy is kept at /root/.config/cron/perfcc, which is what the cron job executes. The malware also drops entries in the system cron directory, /etc/cron.d/perfclean and /etc/cron.d/perfcc, to keep itself scheduled.

To further its stealth, the malware shadows critical system utilities with malicious shell scripts. The ps command (used to list running processes) is replaced by a script at /usr/bin/.local/bin/ps that filters out any process related to the malware (for example perfctl), hiding it from the administrator. Likewise, the top command (used to monitor processes interactively) is replaced by a script at /usr/bin/.local/bin/top that hides the malware from the process viewer and, under certain conditions signalled through environment variables, also pauses the malware's activity.

The malware ensures it is automatically loaded during user login by modifying the .profile file in the user’s home directory (~/.profile). This modification ensures that the malware is executed before any legitimate workloads, making it difficult to detect and remove.

Additionally, Perfctl installs itself as a systemd service to ensure it runs at every system reboot. The fake systemd service is named kmodaudit.service, and it can be found at /etc/systemd/system/kmodaudit.service. This service uses deceptive names, such as "Kernel module perf audit and reporting," but its purpose is to execute the malware from /bin/perfcc.

The malware also creates directories in the /tmp folder to store temporary files and executables used in its operations. Two key directories are /tmp/dxdiag and /tmp/perfc. Inside the /tmp/perfc directory, an executable named "sh" is used as part of the malware’s payload, further disguising its activities by mimicking legitimate Linux processes.
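The locations above lend themselves to a scripted hunt. The following Python script is an added example for this write-up, not code from the Aqua Security report and not the malware's own code. It checks the listed paths, then reads login scripts, cron entries and systemd unit files for references to them. The IOC strings are taken from the list above; the `make_demo_root()` tree is constructed sample data so the script can be dry-run offline, and the per-user cron spool locations are an assumption that covers Debian- and Red Hat-style layouts. Run it as root on a live host, or point it at the mount point of an offline disk image.

```python
"""Hunt for the Perfctl persistence artefacts listed above.

Added example for this write-up; not code from the Aqua Security report and
not the malware's own code. Paths and strings come from the list above.
Run as root to read /root and the cron spools; pass a mount point instead of
"/" to scan an offline disk image.
"""
import os
import re
import sys
import tempfile

# File-system locations named in the write-up above.
IOC_PATHS = [
    "/usr/bin/perfcc", "/bin/perfcc", "/root/.config/cron/perfcc",
    "/etc/cron.d/perfclean", "/etc/cron.d/perfcc",
    "/etc/systemd/system/kmodaudit.service",
    "/usr/bin/.local/bin/ps", "/usr/bin/.local/bin/top",
    "/tmp/dxdiag", "/tmp/perfc", "/tmp/perfc/sh",
]

# References that have no business in a login script, crontab or unit file.
SUSPECT = re.compile(r"perfc(c|tl)|kmodaudit|\.config/cron|/tmp/perfc|/tmp/dxdiag", re.I)


def _under(root, rel):
    return os.path.join(root, rel.lstrip("/"))


def find_ioc_paths(root="/"):
    """IOC paths present under root; lexists() also catches dangling symlinks."""
    return [p for p in IOC_PATHS if os.path.lexists(_under(root, p))]


def suspicious_lines(text):
    """Non-comment lines that reference one of the IOC strings."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and SUSPECT.search(line):
            hits.append(line)
    return hits


def _scan_files(paths):
    results = {}
    for path in paths:
        if os.path.isfile(path):
            with open(path, errors="replace") as fh:
                hits = suspicious_lines(fh.read())
            if hits:
                results[path] = hits
    return results


def _listdir(d):
    return [os.path.join(d, f) for f in os.listdir(d)] if os.path.isdir(d) else []


def scan_login_scripts(root="/"):
    """~/.profile and its siblings for root and every account under /home."""
    homes = [_under(root, "root")] + _listdir(_under(root, "home"))
    names = (".profile", ".bashrc", ".bash_profile")
    return _scan_files(os.path.join(h, n) for h in homes for n in names)


def scan_cron(root="/"):
    """/etc/crontab, /etc/cron.d/* and per-user spools (assumed locations, vary by distro)."""
    paths = [_under(root, "etc/crontab")] + _listdir(_under(root, "etc/cron.d"))
    for spool in ("var/spool/cron/crontabs", "var/spool/cron"):
        paths += _listdir(_under(root, spool))
    return _scan_files(paths)


def scan_systemd_units(root="/"):
    """Unit files whose ExecStart (or any other line) points at the IOCs."""
    return _scan_files(_listdir(_under(root, "etc/systemd/system")))


def make_demo_root():
    """Constructed sample tree mimicking an infected host, for an offline dry run."""
    root = tempfile.mkdtemp(prefix="perfctl-demo-")
    os.makedirs(_under(root, "etc/cron.d"))
    os.makedirs(_under(root, "root/.config/cron"))
    os.makedirs(_under(root, "etc/systemd/system"))
    open(_under(root, "root/.config/cron/perfcc"), "w").close()
    with open(_under(root, "etc/cron.d/perfcc"), "w") as fh:
        fh.write("11 * * * * root /root/.config/cron/perfcc\n")   # constructed entry
    with open(_under(root, "root/.profile"), "w") as fh:
        fh.write("# ~/.profile\nPATH=$HOME/bin:$PATH\n/usr/bin/perfcc >/dev/null 2>&1 &\n")
    with open(_under(root, "etc/systemd/system/kmodaudit.service"), "w") as fh:
        fh.write("[Unit]\nDescription=Kernel module perf audit and reporting\n"
                 "[Service]\nExecStart=/bin/perfcc\n")
    return root


def report(root="/"):
    """Run every check and return the findings (also printed, one category per line)."""
    findings = {
        "ioc paths": find_ioc_paths(root),
        "login scripts": scan_login_scripts(root),
        "cron": scan_cron(root),
        "systemd": scan_systemd_units(root),
    }
    for kind, hits in findings.items():
        print(f"[{kind}] {hits if hits else 'clean'}")
    return findings


if __name__ == "__main__":
    report(sys.argv[1] if len(sys.argv) > 1 else make_demo_root())
```

Run `python3 hunt.py` for the dry run against the constructed tree, or `sudo python3 hunt.py /` for the live host. An empty result does not prove the host is clean: the path list is only what this write-up names, and a variant can use other names, so treat the script as a first pass before the process-level checks.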

The attack flow

How the Malware Operates on a Technical Level

Perfctl malware employs several sophisticated techniques to ensure it remains hidden, persistent, and difficult to remove. Here’s how it operates:

1. Installation and Persistence

  • Cron Jobs: The malware adds a cron job that executes it at regular intervals, so it is relaunched even if parts of it are terminated. Through entries in /etc/cron.d it runs every hour, executing the binary stored at /root/.config/cron/perfcc.
  • Systemd Service: It installs itself as a systemd service (kmodaudit.service), meaning it will be executed automatically upon system reboot. This service uses the malicious binary /bin/perfcc disguised as a kernel audit process.

2. Hiding in Plain Sight

  • File Names: The malware is cleverly named after legitimate-looking Linux processes (e.g., perfctl), blending into typical system process names, making it harder to detect.
  • Process Hiding: The malware replaces essential system utilities like ps and top with modified versions that specifically exclude any process related to perfctl or perfcc. This prevents system administrators from seeing the malware in common system monitoring commands.
  • Use of Hooks: By hooking the libpcap function pcap_loop, which packet-capture tools such as tcpdump use to read traffic, the rootkit filters what those tools see and hides the network traffic the malware generates, making it even harder to detect.
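The ps/top replacement described above (and in the file list earlier) has two weaknesses a responder can use: the replacement is a shell script rather than an ELF binary, and it cannot filter what the kernel reports in /proc. The following Python script is an added example for this write-up, not code from the Aqua Security report or from the malware. The wrapper it constructs in a temporary directory is an illustration of the filtering technique, not the real malware's script; the "expected" install directories for ps and top are an assumption that holds for mainstream distributions; and the /etc/ld.so.preload check is a general userland-rootkit check, not something the write-up states about Perfctl.

```python
"""Spot a ps/top wrapper and the processes it hides.

Added example for this write-up, not code from the Aqua Security report or
from the malware. The wrapper script built by make_demo_wrapper() is a
constructed illustration of the technique, not the real malware's script.
"""
import os
import shutil
import stat
import subprocess
import tempfile

ELF_MAGIC = b"\x7fELF"
EXPECTED_DIRS = ("/usr/bin", "/bin")   # assumption: where distributions install ps/top


def is_elf(path):
    """A genuine procps binary is an ELF file; a wrapper script is not."""
    with open(path, "rb") as fh:
        return fh.read(4) == ELF_MAGIC


def check_tool(name, path_env=None):
    """Resolve name the way a shell would; return (real path, list of problems)."""
    resolved = shutil.which(name, path=path_env)
    if resolved is None:
        return None, ["not found on PATH"]
    real = os.path.realpath(resolved)
    problems = []
    if not is_elf(real):
        problems.append("not an ELF executable (wrapper script?)")
    if os.path.dirname(real) not in EXPECTED_DIRS:
        problems.append(f"installed in unexpected directory {os.path.dirname(real)}")
    return real, problems


def proc_pids(proc_root="/proc"):
    """PIDs the kernel exposes; a userland ps wrapper cannot filter this list."""
    return {int(d) for d in os.listdir(proc_root) if d.isdigit()}


def ps_pids():
    """PIDs as reported by whatever `ps` PATH currently resolves to."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_pids(kernel_pids, reported_pids):
    """PIDs present in /proc but absent from ps. Short-lived processes can cause a
    transient difference, so re-run before treating a hit as a hidden process."""
    return sorted(kernel_pids - reported_pids)


def preload_libraries(path="/etc/ld.so.preload"):
    """Libraries force-loaded into every process; empty or absent on a clean host.
    General userland-rootkit check (assumption), not a fact stated in the write-up."""
    if not os.path.isfile(path):
        return []
    with open(path, errors="replace") as fh:
        return [line.strip() for line in fh if line.strip() and not line.startswith("#")]


def make_demo_wrapper():
    """Constructed wrapper in a temp dir that filters the malware's names out of ps output."""
    d = tempfile.mkdtemp(prefix="ps-wrapper-demo-")
    wrapper = os.path.join(d, "ps")
    with open(wrapper, "w") as fh:
        fh.write('#!/bin/sh\n# constructed illustration, not the real script\n'
                 '/bin/ps "$@" | grep -v -e perfctl -e perfcc\n')
    os.chmod(wrapper, stat.S_IRWXU | stat.S_IRGRP | stat.S_IXGRP | stat.S_IROTH | stat.S_IXOTH)
    return d


if __name__ == "__main__":
    for name in ("ps", "top"):
        real, problems = check_tool(name)
        print(f"{name}: {real} {problems or 'ok'}")
    # Same check with the constructed wrapper placed first on PATH.
    real, problems = check_tool("ps", path_env=make_demo_wrapper() + os.pathsep + os.defpath)
    print(f"ps via poisoned PATH: {real} {problems}")
    print("ld.so.preload:", preload_libraries() or "empty")
    try:
        print("hidden pids:", hidden_pids(proc_pids(), ps_pids()) or "none")
    except (OSError, subprocess.CalledProcessError) as err:
        print("could not compare /proc with ps:", err)
```

The /proc comparison only works from a shell whose PATH the attacker has not poisoned, and only against a userland rootkit; a kernel-level rootkit can also filter /proc, at which point a comparison from outside the host (a hypervisor view, or a forensic image) is the remaining option.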

3. Execution and Communication

  • Execution of Payload: Upon successful infection, the malware creates directories like /tmp/perfc and places executable payloads (like sh) that impersonate known Linux binaries. These payloads are then run in the background as part of its cryptomining operations.
  • Communications: Perfctl uses a Unix socket for communication between its components on the host and routes external traffic to its command-and-control (C2) infrastructure over TOR. TOR anonymises that traffic, which makes tracing the malware's operators and blocking its C2 by address much harder.

4. CPU Hijacking for Cryptomining

  • Resource Consumption: One of the most noticeable effects of Perfctl is that it uses system resources (e.g., CPU) for cryptomining. Admins typically notice this due to 100% CPU usage. However, the malware is programmed to stop its activities when it detects a user logging in via SSH or console, resuming once the user logs out.

5. Self-Repair Mechanism

  • Resilience: Even if part of the malware is removed, it has mechanisms to restore itself. It keeps copies in several locations on disk (the cron directory, /tmp and the system binary directories), so that if one copy is deleted another remains and can respawn it after a reboot or a logout.
  • Login hook: The malware also modifies ~/.profile so that it is loaded at login, which increases the chance of reinfection when only some of its components are removed.

6. Use of Privilege Escalation

  • Perfctl also attempts to escalate privileges by exploiting known vulnerabilities, cited in the reporting as CVE-2021-4043, to obtain root and full control of the system, which is what lets it modify system utilities, cron and systemd unsupervised. Note that CVE-2021-4043 as registered describes a null-pointer dereference in the GPAC multimedia framework, which is not a privilege-escalation bug, so verify the exact vulnerability against the original report before using it to prioritise patching.

In summary, Perfctl combines persistence, stealth, and adaptability, making it highly effective at evading detection while it mines cryptocurrency and operates as a backdoor for other malicious activities. Some online commentary speculates that it was developed by, or derived from tooling of, state security agencies, for example the NSA tools published in the 2016 Shadow Brokers leak (https://en.wikipedia.org/wiki/The_Shadow_Brokers). That is speculation: the Aqua Security research does not attribute the malware to any actor.

#LinuxSecurity #MalwareAlert #CyberSecurity #Perfctl #CryptoMining #InfoSec #LinuxServers #ThreatDetection #Rootkits #SystemSecurity #CyberThreats #ServerSecurity #LinuxVulnerabilities #PersistenceThreats #Cryptojacking
