Perfctl Malware Exploits Linux Vulnerabilities for Monero Cryptomining, Hides Activity Using Rootkit and TOR

Aqua Nautilus has identified the primary function of the malware known as perfctl as cryptomining, specifically of Monero, a cryptocurrency chosen for its anonymity. While mining is its main purpose, the researchers warn that perfctl can also be leveraged for more harmful activity, compromising systems well beyond simple resource theft.

The infection chain reveals that the malware exploits misconfigurations and exposed secrets within Linux servers, gaining initial access through vulnerable setups, such as publicly accessible files containing sensitive credentials and exposed login interfaces.

The attack methodology employed by perfctl involves the exploitation of known vulnerabilities in widely used software. For example, Aqua Nautilus has reported instances of exploitation concerning CVE-2023-33246, a remote command execution vulnerability affecting older versions of Apache RocketMQ, and CVE-2021-4034 (known as PwnKit), which allows for privilege escalation within the Polkit framework.

Once access is achieved, the attackers download a packed and obfuscated payload named “httpd,” which masquerades as a legitimate system process. This payload is subsequently copied to various system directories to ensure persistence, even if the original binary is deleted.

Upon execution, the malware establishes an encrypted communication channel with the attackers’ servers over the TOR network, obscuring its activities from detection. As part of its operational capabilities, perfctl deploys a rootkit named ‘libgcwrap.so,’ which modifies system functions to evade detection and intercept network traffic.

The malware also replaces critical system utilities like ldd, top, crontab, and lsof with trojanized versions to further conceal its presence. This sophisticated evasion strategy allows the cryptominer to run undetected while it utilizes the compromised server’s CPU resources for mining Monero.

The XMRIG miner is executed as part of the main operation, allowing the malware to connect to mining pools via TOR, effectively hiding the network traffic and making it difficult to trace any profits generated from the mining activities.

In addition to cryptomining, Aqua Nautilus has observed the deployment of proxy-jacking software, which enables attackers to monetize unused network bandwidth by selling it through services like Bitping and Repocket.

Many users first become aware of the infection through unexpected spikes in CPU usage, often reaching 100%. The spike itself is alarming, but the malware masks its cause by halting its operations as soon as a user logs into the server.

The malware’s design makes it highly evasive, pausing its activities upon user login and resuming only when the server is idle. This behavior can lead to difficulties in detection, as users might assume their servers are functioning normally until performance issues arise.

Some users have reported that their monitoring setups alerted them to high CPU utilization, but the malware cleverly avoids detection during active user sessions. The use of rootkits further complicates the removal process, as they can hide the presence of malicious processes, often necessitating the use of advanced techniques to inspect and clean infected systems.

To combat the perfctl threat, Aqua Nautilus recommends a multifaceted approach that encompasses system monitoring, network traffic analysis, file and process integrity monitoring, and proactive mitigation strategies.

Key detection strategies include regularly inspecting directories for suspicious files, monitoring CPU usage for anomalies, scrutinizing configuration files for unauthorized changes, and capturing network traffic to identify TOR-based connections to external IPs. System administrators are urged to patch known vulnerabilities, disable unused HTTP services, implement role-based access controls, and apply security measures such as the ‘noexec’ option to sensitive directories to reduce the risk of future infections.
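The following script is an added example, not tooling from Aqua Nautilus or from the article, that turns three of the recommendations above into host checks: a hash baseline for the utilities the article says perfctl replaces (ldd, top, crontab, lsof), an allow-list check of /etc/ld.so.preload (the usual injection point for a user-space rootkit that hooks libc functions; the article does not say how libgcwrap.so is loaded, so that is an assumption), and a check that sensitive mount points carry the noexec option. All file paths default to constructed sample data so the script runs offline; on a real host, point the functions at the live baseline, /etc/ld.so.preload and /proc/mounts.

```shell
#!/bin/sh
# Added example (not the article's or Aqua Nautilus's code). Three checks that
# follow the article's detection advice. All inputs below are constructed
# sample files so the script runs offline.

# 1. Integrity check: compare the current sha256 of each utility against a
#    baseline recorded from a known-good system ("<sha256>  <path>", i.e. the
#    output of sha256sum). Prints each mismatch; returns 1 if any was found.
check_utils() {
    baseline="$1"
    rc=0
    while read -r want path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        have=$(sha256sum "$path" | cut -d' ' -f1)
        [ "$have" = "$want" ] || { echo "MODIFIED $path"; rc=1; }
    done < "$baseline"
    return $rc
}

# 2. Preload check (assumption: the rootkit is injected via ld.so.preload, the
#    general LD_PRELOAD mechanism; the article does not state this). Any library
#    listed in the preload file but absent from the allow-list is reported.
#    Returns 1 on unexpected entries, 0 if the preload file does not exist.
check_preload() {
    preload="$1"; allow="$2"
    rc=0
    [ -f "$preload" ] || return 0
    while read -r lib; do
        [ -n "$lib" ] || continue
        grep -qxF "$lib" "$allow" 2>/dev/null || { echo "PRELOAD  $lib"; rc=1; }
    done < "$preload"
    return $rc
}

# 3. Mount check: the article recommends 'noexec' on sensitive directories.
#    Reads a /proc/mounts-style table and reports each requested mount point
#    that is mounted without noexec (or not mounted at all). Returns 1 on any.
check_noexec() {
    mounts="$1"; shift
    rc=0
    for mp in "$@"; do
        opts=$(awk -v mp="$mp" '$2 == mp { print $4 }' "$mounts")
        [ -n "$opts" ] || { echo "NOTMOUNT $mp"; rc=1; continue; }
        case ",$opts," in
            *,noexec,*) ;;
            *) echo "EXEC     $mp ($opts)"; rc=1 ;;
        esac
    done
    return $rc
}

# --- constructed sample data standing in for a real host ---
demo_setup() {
    d=$(mktemp -d)
    mkdir -p "$d/bin"
    printf 'good top\n'  > "$d/bin/top"
    printf 'good lsof\n' > "$d/bin/lsof"
    # record the baseline while the utilities are still genuine
    sha256sum "$d/bin/top" "$d/bin/lsof" > "$d/baseline.txt"
    # simulate a trojanized replacement of lsof after the baseline was taken
    printf 'trojan lsof\n' > "$d/bin/lsof"
    # constructed preload entry using the rootkit name from the article;
    # the directory is made up, and the allow-list is deliberately empty
    printf '/usr/lib/libgcwrap.so\n' > "$d/ld.so.preload"
    : > "$d/preload-allow.txt"
    # constructed mount table: /tmp and / lack noexec, /dev/shm has it
    printf '%s\n' \
        'tmpfs /tmp tmpfs rw,nosuid,nodev 0 0' \
        '/dev/sda1 / ext4 rw,relatime 0 0' \
        'tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0' > "$d/mounts"
    echo "$d"
}

DEMO=$(demo_setup)
check_utils "$DEMO/baseline.txt";                               echo "utils exit: $?"
check_preload "$DEMO/ld.so.preload" "$DEMO/preload-allow.txt";  echo "preload exit: $?"
check_noexec "$DEMO/mounts" /tmp / /dev/shm;                    echo "noexec exit: $?"
```

On the sample data the run reports the modified lsof, the unlisted libgcwrap.so preload entry, and the two mount points without noexec, each function returning 1 so the script can be wired into a cron job or monitoring agent that alerts on a non-zero exit. The baseline must come from a trusted source (a fresh install or the distribution's package database), since a baseline taken after infection would simply bless the trojanized binaries.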
