Recently, researchers from Aqua Security discovered a campaign targeting vulnerable Linux servers using hidden malicious software called Perfctl. The main purpose of this program is to utilize compromised servers’ resources for clandestine cryptocurrency mining and proxy hacking.
Perfctl is known for its high level of secrecy and stability achieved through sophisticated methods. Researchers ASSAF MORG and Idan Revivoro observed that when a new user accesses the server, the malicious software ceases “noisy” activities and enters sleep mode until the server becomes inactive. Once activated, it deletes its binary file and continues to operate covertly as a system service.
Some aspects of this attack were previously identified by Cado Security, which uncovered a campaign targeting publicly-accessible servers for mining and proxy hijacking.
A notable feature of PerfCTL is its exploitation of a vulnerability in polkit (CVE-2021-4043, also known as pwnkit), enabling the escalation of Root privileges to introduce a miner named PerfCC. The deliberate choice of the name “PerfCTL” aims to masquerade as legitimate system processes, with “Perf” associated with a Linux performance monitoring tool and “CTL” commonly used in various command utilities.
The attack begins with the infiltration of a Linux server through a vulnerable version of Apache Rocketmq, with the malicious file loaded under the guise of “HTTPD”. Once initiated, it replicates itself to the “/TMP” directory, deletes the original binary file, and carries out its operations from the new location.
Furthermore, PerfCTL disguises itself as benign processes, establishes a rootkit to evade defenses, and deploys the mining payload. In certain instances, the software is leveraged for remote proxy hijacking.
To safeguard against PerfCTL, it is advised to regularly update systems and software, restrict file execution, deactivate unused services, implement network segmentation, and employ access control models (RBAC) to limit access to critical files.
Researchers highlight that the presence of PerfCTL may be detected by abrupt spikes in CPU usage or system slowdowns, particularly indicative