Researchers investigated the "perfctl malware," a Linux malware targeting misconfigurations and vulnerabilities on Linux servers. Perfctl employs rootkits, privilege escalation exploits, and cryptomining activities. It also uses tactics such as process masquerading and deleting binaries after execution, making detection and removal challenging.
Perfctl leverages a variety of techniques to maintain persistence and evade detection. One key technique is deploying a rootkit that hooks critical system functions, specifically libpcap and PAM, to suppress logging and network monitoring. The malware hides its activity by pausing "noisy" operations while users are logged in and resuming once the system is idle. It exploits CVE-2021-4043 (Polkit) to escalate privileges, further embedding itself in compromised servers. The malware opens backdoors for Tor-based external communication and uses Unix sockets for internal communication.
Perfctl primarily focuses on resource hijacking, using cryptominers such as XMRig to exhaust CPU resources. It also engages in proxyjacking by exploiting misconfigured systems. The malware replaces common system utilities like ldd, lsof, and top with trojanized versions that hide its processes, further complicating detection. Additionally, it drops binaries into directories like /tmp and /root under names that resemble legitimate system files, so that they blend into the system.
The attack begins with the malware downloading its main payload, which is deceptively named (e.g., httpd) and relies on process masquerading for evasion. The malware copies itself to multiple locations and obscures its presence by deleting its initial binary. It continues to monitor the system, logging data in /tmp/.xdiag and communicating via Unix sockets and Tor.
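The following triage helper is an added example, not code from the original write-up or from any vendor tool. It checks a host for the three host-level artifacts described above: the /tmp/.xdiag logging location, hidden executables dropped in /tmp and /root, and processes whose executable runs from a temporary directory or was deleted after launch (the masquerading pattern). The root and /proc paths are parameters so it can be pointed at a mounted disk image or a constructed test tree; the function name and output format are this example's own choices.

```sh
#!/bin/sh
# perfctl_triage [ROOT] [PROC]: report the perfctl indicators named in the
# write-up. ROOT defaults to the live filesystem, PROC to /proc.
# Prints one "HIT:" line per finding; returns 0 when clean, 1 otherwise.
perfctl_triage() {
    root="${1:-}"; proc="${2:-/proc}"; hits=0

    # 1. The write-up names /tmp/.xdiag as the malware's logging location.
    if [ -e "$root/tmp/.xdiag" ]; then
        echo "HIT: $root/tmp/.xdiag exists"; hits=1
    fi

    # 2. Dropped binaries: dot-prefixed executables under /tmp and /root,
    #    where the malware stages copies of itself under look-alike names.
    for d in "$root/tmp" "$root/root"; do
        [ -d "$d" ] || continue
        for f in "$d"/.[!.]*; do
            if [ -f "$f" ] && [ -x "$f" ]; then
                echo "HIT: hidden executable $f"; hits=1
            fi
        done
    done

    # 3. Process masquerading: a process (e.g. one calling itself httpd) whose
    #    executable lives in a world-writable directory or was deleted after
    #    launch, which matches the "delete the binary after execution" tactic.
    #    Unreadable /proc entries (other users' processes) are skipped.
    for p in "$proc"/[0-9]*; do
        [ -r "$p/comm" ] || continue
        comm=$(cat "$p/comm" 2>/dev/null)
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$exe" in
            /tmp/*|/var/tmp/*|/dev/shm/*|*"(deleted)")
                echo "HIT: pid ${p##*/} comm=$comm exe=$exe"; hits=1 ;;
        esac
    done
    return $hits
}
```

Run as root for a complete view of /proc; a hit is a lead for manual review (compare the flagged utilities against package-manager checksums), not proof of compromise on its own.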