Stealthy “Perfctl” Malware Targets Linux Servers for Cryptocurrency Mining and Proxyjacking
SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories also provide information and recommendations that help security teams take appropriate actions to defend against the latest and most critical threats.
1. Stealthy Malware Targets Linux Servers for Cryptocurrency Mining and Proxyjacking
A stealthy malware campaign targeting Linux servers has been identified by cybersecurity researchers, involving the deployment of “perfctl” malware designed to install a cryptocurrency miner and proxyjacking software. This sophisticated malware mimics legitimate system processes to avoid detection—using “perf” (a Linux performance monitoring tool) and “ctl” (as in systemctl)—and operates covertly by halting activity when users are active, resuming during idle times, and deleting its binary after execution. Exploiting a known vulnerability in Polkit (CVE-2021-4034) for privilege escalation, it gains root access to deploy a cryptocurrency miner called “perfcc.” The malware breaches Linux servers via vulnerable Apache RocketMQ instances, relocates itself to the “/tmp” directory, launches a new binary, and deletes the initial file to hide its presence. It also deploys a rootkit for evasion and may fetch proxyjacking software from remote servers. Indicators of compromise include specific IPv4 addresses (211.234.111.116, 46.101.139.173, 104.183.100.189, 98.211.126.180), domains like bitping.com, earn.fm, speedshare.app, and repocket.com, and MD5 hashes such as 656e22c65bf7c04d87b5afbe52b8d800. To mitigate this threat, organizations should apply security patches—especially for Polkit and Apache RocketMQ—disable unused services and restrict file execution, implement Role-Based Access Control (RBAC) to limit access to sensitive files, enforce network segmentation to limit the malware’s lateral movement, and monitor for CPU usage spikes or system slowdowns that may indicate crypto mining activity. These steps are essential to mitigate such advanced threats.
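The traits listed above (perf/systemctl look-alike names, execution from /tmp, a binary deleted after launch, the quoted IoCs) translate directly into a host check. The script below is an added example, not code from the advisory or from the researchers who analysed perfctl; the `Proc` layout, the `/proc` walk and the look-alike sample process are assumptions made here, and peers and hashes would come from your own netflow or file-hash enrichment.

```python
import os
import re
from dataclasses import dataclass

# IoCs quoted in the advisory above; MIMIC_RE covers the perf/systemctl look-alike names
IOC_IPS = {"211.234.111.116", "46.101.139.173", "104.183.100.189", "98.211.126.180"}
IOC_DOMAINS = {"bitping.com", "earn.fm", "speedshare.app", "repocket.com"}
IOC_MD5 = {"656e22c65bf7c04d87b5afbe52b8d800"}
MIMIC_RE = re.compile(r"^perf(ctl|cc)$")

@dataclass
class Proc:
    pid: int
    comm: str          # contents of /proc/<pid>/comm
    exe: str           # readlink of /proc/<pid>/exe
    peers: tuple = ()  # remote hosts seen for this pid (ss, netstat or proxy logs)
    md5: str = ""      # hash of the on-disk binary, if it still exists

def assess(p: Proc) -> list[str]:
    """Return the perfctl-style traits this process shows (empty list = nothing found)."""
    hits = []
    if MIMIC_RE.match(p.comm):
        hits.append("name mimics perf/systemctl")
    if p.exe.startswith("/tmp/"):
        hits.append("runs from /tmp")
    if p.exe.endswith(" (deleted)"):
        hits.append("binary deleted after launch")
    if p.md5.lower() in IOC_MD5:
        hits.append("known perfctl MD5")
    for h in (x.lower().rstrip(".") for x in p.peers):
        if h in IOC_IPS or h in IOC_DOMAINS or any(h.endswith("." + d) for d in IOC_DOMAINS):
            hits.append(f"contacts IoC {h}")
    return hits

def live_procs() -> list[Proc]:
    """Collect comm and exe for every pid on a Linux host; peers and md5 are left for enrichment."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            comm = open(f"/proc/{pid}/comm").read().strip()
            procs.append(Proc(int(pid), comm, os.readlink(f"/proc/{pid}/exe")))
        except OSError:
            continue  # process exited, kernel thread without exe, or no permission
    return procs

if __name__ == "__main__":
    sample = [Proc(4242, "perfctl", "/tmp/perfctl (deleted)", ("46.101.139.173", "app.earn.fm"))]  # constructed
    for p in sample + (live_procs() if os.path.isdir("/proc") else []):
        if found := assess(p):
            print(p.pid, p.comm, found)
```

Run it as root so `/proc/<pid>/exe` is readable for every process; a hit on the deleted-binary trait alone is worth a look, since legitimate daemons rarely run from an unlinked file in /tmp.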
2. Active Exploitation of Critical Flaw in Zimbra Enables RCE Through Malicious Emails
Cybersecurity researchers have identified active exploitation of a critical remote code execution (RCE) vulnerability, designated CVE-2024-45519, in Zimbra email servers. Attackers can compromise systems simply by sending specially crafted emails that exploit the CC field to execute commands when processed by Zimbra’s postjournal service. By injecting base64-encoded commands into the CC field, attackers deploy a webshell on the compromised server, granting them full access to execute arbitrary commands, which can lead to data theft or internal network infiltration. This vulnerability affects unpatched versions of Zimbra 9.0, 10.x, and 8.8.15 and has led to widespread exploitation shortly after a proof-of-concept exploit was released. To mitigate this threat, organizations should immediately apply the latest security patches—upgrading to Zimbra 9.0.0 Patch 41 or later, Zimbra 10.0.9 and 10.1.1, or Zimbra 8.8.15 Patch 46 or later. If the postjournal service is not required, it should be disabled to prevent exploitation. Administrators must ensure that ‘mynetworks’ is correctly configured to block unauthorized access and monitor for any unusual email activities, especially those involving the CC field. Prompt action is essential to protect against this critical vulnerability and prevent potential system compromise. These measures are critical to defending against such sophisticated attacks.
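The advisory asks administrators to watch for unusual activity in the CC field. As an added example (not code from the advisory or from Zimbra), the check below parses a message's Cc header and reports entries that are not plain mailbox addresses, carry shell metacharacters, or embed a base64 run that decodes to readable text; the address pattern, length threshold and sample message are constructed for this illustration.

```python
import base64
import binascii
import re
from email import message_from_string
from email.utils import getaddresses

# A plain mailbox address: anything outside this shape deserves a look before postjournal sees it
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
SHELL_META = set("$`|;&<>(){}")                   # only meaningful if the value reaches a shell
B64_RUN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")  # long enough to skip ordinary local parts

def hides_base64(value: str) -> bool:
    """True if the value carries a base64 run that decodes to printable text."""
    for m in B64_RUN.finditer(value):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except binascii.Error:
            continue
        if decoded.isascii() and decoded.decode().isprintable():
            return True
    return False

def cc_findings(raw_message: str) -> dict[str, list[str]]:
    """Map each odd Cc entry to the reasons it was flagged; {} means every entry looks normal."""
    findings = {}
    for name, addr in getaddresses(message_from_string(raw_message).get_all("Cc", [])):
        token = addr or name
        reasons = []
        if not ADDR_RE.match(token):
            reasons.append("not a plain address")
        if SHELL_META & set(token):
            reasons.append("shell metacharacters")
        if hides_base64(token):
            reasons.append("embedded base64 text")
        if reasons:
            findings[token] = reasons
    return findings

# Constructed sample: one normal recipient and one quoted local part carrying base64 text
SAMPLE = (
    "From: sender@example.org\n"
    "To: helpdesk@example.com\n"
    'Cc: alice@example.com, "Y29uc3RydWN0ZWQgc2FtcGxlIG9ubHk="@example.net\n'
    "Subject: constructed sample\n\nbody\n"
)

if __name__ == "__main__":
    for entry, why in cc_findings(SAMPLE).items():
        print(entry, "->", "; ".join(why))
```

Feed it messages from a milter, a journal archive or a mail-log replay; quoted local parts are legal RFC 5322, so treat a hit as a triage signal rather than a verdict.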
3. Unveiling Cyber Intrusion with Attackers Using VS Code for Remote Access
Cybersecurity researchers have uncovered a sophisticated cyber-attack exploiting legitimate tools like Visual Studio (VS) Code and GitHub through a malicious .LNK file, likely delivered via phishing or spam emails. Disguised as an MSI installer, the .LNK file executes a fake “Successful installation” message while covertly downloading additional components using curl. It installs a Python distribution, creates directories in %LOCALAPPDATA%\Microsoft\Python, and extracts a zip archive to set up the environment. The malware then downloads a malicious script from a Paste.ee URL, executes it silently with pythonw.exe, and checks for VSCode installation. If absent, it installs the VSCode CLI to enable remote interactions. To ensure persistence, it creates a scheduled task named MicrosoftHealthcareMonitorNode that runs the script periodically. The script establishes remote tunnels linked to the attacker’s GitHub account, enabling data exfiltration and unauthorized access. Indicators of compromise include specific MD5 hashes and malicious URLs such as hxxps://paste[.]ee/r/DQjrd/0 and hxxp://requestrepo.com/r/2yxp98b3. To mitigate this threat, organizations should implement file integrity monitoring, strengthen endpoint security, monitor network traffic for unusual activities, restrict the use of remote access tools, enforce multi-factor authentication, audit scheduled tasks, and deploy application whitelisting to prevent unauthorized program execution.
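Auditing scheduled tasks, one of the mitigations above, is quick to script against the CSV that `schtasks /query /fo CSV /v` produces. This is an added example, not code from the advisory or from the researchers: it flags the task name from the campaign, windowless `pythonw.exe` launched from the `%LOCALAPPDATA%\Microsoft\Python` tree, and the VS Code CLI `tunnel` verb; the column names used are those of the verbose schtasks CSV, and the sample rows and script path are constructed.

```python
import csv
import io
import re
import subprocess
import sys

# Traits from the advisory; the "code tunnel" pattern assumes the VS Code CLI's tunnel subcommand
KNOWN_TASK_NAMES = {"MicrosoftHealthcareMonitorNode"}
SUSPECT_CMD = [
    (re.compile(r"pythonw\.exe", re.I), "pythonw.exe (windowless Python)"),
    (re.compile(r"\\Microsoft\\Python\\", re.I), "runs from %LOCALAPPDATA%\\Microsoft\\Python"),
    (re.compile(r"\bcode(\.exe)?\b.*\btunnel\b", re.I), "VS Code CLI tunnel"),
]

def audit_tasks(schtasks_csv: str) -> dict[str, list[str]]:
    """Return {task name: reasons} for tasks that match the campaign's traits."""
    findings = {}
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        name = row.get("TaskName", "")
        cmd = row.get("Task To Run", "")
        reasons = []
        if name.rsplit("\\", 1)[-1] in KNOWN_TASK_NAMES:
            reasons.append("task name used by the campaign")
        for pattern, why in SUSPECT_CMD:
            if pattern.search(cmd):
                reasons.append(why)
        if reasons:
            findings[name] = reasons
    return findings

# Constructed sample in the layout of `schtasks /query /fo CSV /v` (columns trimmed to four)
SAMPLE = (
    '"HostName","TaskName","Task To Run","Run As User"\n'
    '"WS01","\\MicrosoftHealthcareMonitorNode","C:\\Users\\u\\AppData\\Local\\Microsoft\\Python\\pythonw.exe '
    'C:\\Users\\u\\AppData\\Local\\Microsoft\\Python\\script.py","u"\n'
    '"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c -h -o -$","SYSTEM"\n'
)

if __name__ == "__main__":
    text = SAMPLE
    if sys.platform == "win32":  # on a real host, audit the live task list instead
        text = subprocess.run(["schtasks", "/query", "/fo", "CSV", "/v"],
                              capture_output=True, text=True, check=True).stdout
    for task, why in audit_tasks(text).items():
        print(task, "->", "; ".join(why))
```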
4. Python Packages Poisoned with PondRAT Malware Target Software Developers
Cybersecurity researchers have discovered a new variant of the RomCom malware, named SnipBot, targeting industries like IT services, legal, and agriculture to infiltrate networks and exfiltrate sensitive data. SnipBot (RomCom 5.0) builds on previous capabilities, adding 27 new commands for enhanced data exfiltration and control. It compresses stolen data using the 7-Zip tool and introduces new payloads to evade detection. SnipBot employs advanced anti-sandboxing techniques, verifying hash values of executables and checking registry keys for specific entries. The primary module, “single.dll,” is encrypted in the Windows Registry and loaded directly into memory for stealth.
The malware spreads through phishing emails containing malicious links, which redirect victims to compromised sites for downloading harmful executables. Once inside, SnipBot injects itself into “explorer.exe” for persistence and uses the AD Explorer utility to gather intelligence about the Active Directory (AD). Stolen data is archived with WinRAR and exfiltrated using the PuTTY Secure Copy client.
To mitigate this threat, organizations should strengthen email security, implement network segmentation, use Endpoint Detection and Response (EDR) solutions, monitor the Windows Registry and memory for suspicious changes, stay updated with the latest threat intelligence, and ensure systems are regularly patched and updated to prevent exploitation.
5. Storm-0501 Emerges as a Major Ransomware Threat in Hybrid Cloud Environments
The threat actor known as Storm-0501 has been targeting government, manufacturing, transportation, and law enforcement sectors in the U.S. as part of a ransomware campaign that infiltrates hybrid cloud environments. The multi-stage attack starts by exploiting weak credentials and leveraging privileged accounts to gain access to on-premises systems and then moving laterally to cloud environments. Storm-0501 uses stolen or purchased credentials and exploits vulnerabilities such as CVE-2022-47966 (Zoho ManageEngine), CVE-2023-4966 (Citrix NetScaler), and potentially CVE-2023-29300 or CVE-2023-38203 (ColdFusion 2016) to gain entry. Once inside, they use tools like Impacket and Cobalt Strike for lateral movement and data exfiltration through a custom Rclone binary disguised as a legitimate Windows tool. Stolen Microsoft Entra ID credentials are used to bypass security controls and escalate privileges in the cloud environment.
The attackers establish persistence by creating new federated domains within the Microsoft Entra tenant and deploy Embargo ransomware using compromised high-privilege accounts like Domain Admins. Ransomware deployment is often carried out via scheduled tasks or Group Policy Objects (GPOs), but in some cases, Storm-0501 maintains prolonged access without immediate encryption, focusing on persistence and further exploitation. To mitigate these threats, organizations should enforce strong credential security, apply patches promptly, implement network segmentation, secure Microsoft Entra Connect Sync accounts, and deploy EDR solutions to detect malicious activities. Regularly backing up critical systems and testing recovery plans are also essential to minimize the impact of ransomware attacks.
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.