Type
Campaign
Actors
Unknown
Pub. date
October 21, 2024
Initial access
Software misconfig
Impact
Resource hijacking
Observed tools
perfctl
Targeted technologies
Docker
References
https://www.trendmicro.com/en_us/research/24/j/attackers-target-exposed-docker-remote-api-servers-with-perfctl-.html
Status
Finalized
Last edited
Jan 8, 2025 1:42 PM
Attackers are exploiting exposed Docker Remote API servers to deploy a new malware strain named "perfctl." This malware is designed to mine cryptocurrency and can evade detection by disabling security features and establishing persistence on compromised systems. The attackers scan for Docker servers with exposed APIs, create privileged containers, and then execute the perfctl malware within these containers. Once active, perfctl can disable security tools, modify system configurations, and utilize system resources for cryptocurrency mining, leading to degraded performance and potential security breaches.