Near-'perfctl' Fileless Malware Targets Millions of Linux Servers

A multipurpose and mysterious malware dropper has been terrorizing Linux servers worldwide for years, infecting untold thousands of victims with cryptomining and proxyjacking malware. A fresh analysis has exposed its secrets — and a vast treasure trove of tens of thousands of exploit paths for compromising its targets.

It's been some time now that individuals in the US and Russia, Germany and Indonesia, Korea, China, Spain, and most everywhere in between have been reporting cases of "perfctl" (aka perfcc) eating up all their compute power.

"We've seen blog and forum posts over the past three or four years — maybe even longer — saying, 'something is attacking me, I don't know, I'm trying to kill it,'" Aqua Nautilus chief researcher Assaf Morag recalls. "There are a lot of articles describing how you kill perfctl, but people can't kill it because it keeps hiding itself, and it's very persistent."

The malware looks for vulnerabilities and misconfigurations to exploit in order to gain initial access. To date, Aqua Nautilus reported today, the malware has likely targeted millions of Linux servers, and compromised thousands. Any Linux server connected to the Internet is in its sights, so any server that hasn't already encountered perfctl is at risk.

Related:Dark Reading News Desk Live From Black Hat USA 2024

And, Morag warns, its ambitions don't necessarily end with cryptomining and proxyjacking. Though not recorded in his report, Morag has observed the malware dropping TruffleHog, a legitimate penetration testing tool designed to snuff out hardcoded secrets in source code.

"So imagine: They're earning money on the side [by cryptomining and proxyjacking], but also stealing secrets and maybe selling them in the cyber underground — selling access to servers that are related to big companies," he posits.

Every Misconfiguration in the Book

The volume and variety of potential server misconfigurations that perfctl is capable of identifying and exploiting is vast.

By tracking its infections, researchers identified three Web servers belonging to the threat actor: two that were previously compromised in prior attacks, and a third likely set up and owned by the threat actor. One of the compromised servers was used as the primary base for malware deployment. The other compromised server contained a much more interesting find: a list of potential avenues to directory traversal, nearly 20,000 entries long.

The list contained more than 12,000 known server misconfigurations, nearly 2,000 paths towards nabbing unauthorized credentials, tokens, and keys, more than 1,000 techniques for unauthorized login, and dozens of possible misconfigurations in different applications (68, for example, associated just with Apache RocketMQ, the open source distributed messaging and streaming platform). Citing just a few examples, Morag explains that "if you have an HTTP server, maybe you expose a template. In Kubernetes, by mistake, you could expose secrets, or roles. Or even a weak password can be a misconfiguration."

Related:Darktrace Announces Formal Completion of its Acquisition by Thoma Bravo

Alongside this fuzzing list on the compromised server were follow-on files containing exploits for the various kinds of documented misconfigurations.

Besides misconfigurations, perfctl is also capable of gaining initial access to a server via various bugs, such as CVE-2023-33246, a remote command execution (RCE) vulnerability in Apache RocketMQ. CVE-2023-33246 earned a "critical" 9.8 out of 10 score on the Common Vulnerability Scoring System (CVSS) last year.

How perfctl Hides Loud Activity

Cryptomining and proxyjacking are loud by nature. Whether it be third-party proxyware or the XMRig Monero miner, the programs that perfctl drops onto a compromised server will exhaust its CPU resources. And yet, perfctl itself is not easy to spot or excise, thanks to its layers of sophisticated stealth and persistence mechanisms.

Related:LockBit Associates Arrested, Evil Corp Bigwig Outed

For example, to facilitate stealthy communication, the program drops a backdoor and listens for communications via Tor. And to avoid detection and obscure evidence of its presence, it uses process masquerading, copying itself to various locations under names that map to legitimate system processes.

The very name its authors gave to it, "perfctl," is evidence of the same sort of tactic: "perf" is a Linux monitoring tool, and "ctl" is commonly used as a suffix for command line tools which control system components or services. The legitimate-looking name of the malware, then, allows it to more easily blend in with typical processes.

And then, after executing, perfctl deletes its binary but continues to run as a service behind the scenes.

To further hide its presence and malicious activities from security software and researcher scrutiny, it deploys a few Linux utilities repurposed into user-level rootkits, as well as one kernel-level rootkit. The kernel rootkit is especially powerful, hooking into various system functions to modify their functionality, effectively manipulating network traffic, undermining Pluggable Authentication Modules (PAM), establishing persistence even after primary payloads are detected and removed, or stealthily exfiltrating data.

And when a user logs in to the compromised server, perfctl instantly halts its noisiest behaviors, laying low until the user logs off and the coast is clear.

In short, "it's a powerful tool," Morag says. "You can decide to erase data, to steal data, to buy cryptocurrency, to do proxyjacking — it's up to the attacker."

Mitigation for perfctl & Other Fileless Malware

Those running Linux servers should take immediate steps to protect their environments, researchers warned. Aqua recommends the following mitigations for perfctl and similar threats: