Ethical Hacking News

New Perfctl Malware Campaign Hijacks Linux Servers for Cryptocurrency Mining and Proxyjacking


The discovery of the perfctl malware highlights the importance of maintaining a secure Linux environment and the need for organizations to stay vigilant in detecting potential security breaches.

  • The perfctl malware has been targeting misconfigured Linux servers over the past three to four years.
  • The malware deploys cryptocurrency miners and proxyjacking software, compromising system security.
  • The perfctl malware uses rootkits to conceal its presence on infected systems.
  • Experts warn that the malware also runs proxyjacking software, and in one sandbox test a threat actor used its backdoor for reconnaissance.
  • The malware downloads a payload from an attacker-controlled HTTP server and employs persistence and evasion techniques.
  • The malware attempts to exploit the Polkit vulnerability CVE-2021-4034 (PwnKit) for root access.
  • Regular security audits and patching of vulnerable systems are crucial to prevent such attacks.



A recent discovery by Aqua Nautilus researchers has shed light on a sophisticated Linux malware, dubbed perfctl, that has been targeting misconfigured Linux servers over the past three to four years. The malicious code is designed to deploy cryptocurrency miners and proxyjacking software, compromising the security of affected systems and putting them at risk of being hijacked by attackers.

The perfctl malware is an elusive and persistent threat, employing rootkits to conceal its presence on infected systems. It operates in the background as a service, using a Unix socket internally and Tor externally for communication. Upon execution, the malware deletes its binary and continues running in the background, making it challenging for security researchers to detect and remove.

Although its primary goal is running cryptominers, experts warn that perfctl also executes proxyjacking software. In one sandbox test, a threat actor accessed the malware's backdoor for reconnaissance purposes, analyzing the server and deploying utilities to investigate its environment and better understand how the malware was being studied.

Once attackers have exploited a vulnerability or misconfiguration on an affected system, the perfctl malware downloads the main payload from an attacker-controlled HTTP server. The payload employs multiple layers to ensure persistence and evade detection: it moves itself to the /tmp directory, renames itself after the process that executed it (e.g., sh), and deletes the original binary to cover its tracks.

The malware acts as both a dropper and a local command-and-control (C2) process, attempting to exploit the Polkit vulnerability CVE-2021-4034 (aka PwnKit) for root access. It copies itself to various disk locations using deceptive names, establishes a backdoor on the system for Tor communications, and drops a rootkit alongside modified Linux utilities that function as user-land rootkits.

The Linux malware is packed and encrypted to evade detection and employs further evasion techniques, such as halting activity when it detects a new user logging in. It can also terminate competing malware to maintain exclusive access to the infected system. The malware uses environment variables to store data that further affects its execution and behavior, including host events, locations of the copies of itself, process names, communication logs, tokens, and additional log information.

The Aqua Nautilus researchers have highlighted the importance of regular security audits and patching of vulnerable systems to prevent such attacks. They warn that perfctl is a significant threat, especially for organizations with misconfigured Linux servers, and stress the need for increased vigilance in monitoring system activity and detecting potential security breaches.
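One defender-side check for the behaviour described above (a binary that moves to /tmp, renames itself after sh and unlinks its original file), added here as an example and not code from Aqua Nautilus or the article: it walks /proc and flags processes whose executable has been deleted while still running, lives in a world-writable temp directory, or reports the name of a shell while running from somewhere else. The directory list, shell names and sample values are my own assumptions.

```python
import os

# Assumed list of world-writable directories a dropped payload tends to run from.
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Names a legitimate shell process would report in /proc/<pid>/comm.
SHELL_NAMES = {"sh", "bash", "dash", "busybox"}


def classify(pid: int, exe_target: str, comm: str) -> list:
    """Return the reasons a process looks like a self-deleting temp-dir binary.

    exe_target is readlink("/proc/<pid>/exe"); the kernel appends " (deleted)"
    when the file backing the running image has been unlinked. comm is the
    content of /proc/<pid>/comm, which a payload renamed after "sh" will mimic.
    """
    reasons = []
    if exe_target.endswith(" (deleted)"):
        reasons.append(f"pid {pid}: executable was unlinked while still running")
    path = exe_target.removesuffix(" (deleted)")
    if path.startswith(SUSPECT_DIRS):
        reasons.append(f"pid {pid}: executable lives in a temp directory: {path}")
    base = os.path.basename(path)
    # A process calling itself "sh" whose image is not a shell binary is the
    # renaming trick described in the article; a real /bin/sh -> dash link is fine.
    if comm in SHELL_NAMES and base not in SHELL_NAMES:
        reasons.append(f"pid {pid}: named {comm!r} but runs {base!r}")
    return reasons


def scan_proc(proc_root: str = "/proc") -> dict:
    """Walk procfs and return {pid: [reasons]} for every suspicious process."""
    findings = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            exe = os.readlink(f"{proc_root}/{entry}/exe")
            with open(f"{proc_root}/{entry}/comm") as fh:
                comm = fh.read().strip()
        except OSError:  # kernel thread, exited process, or no permission without root
            continue
        reasons = classify(pid, exe, comm)
        if reasons:
            findings[pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in scan_proc().items():
        print("\n".join(reasons))
```

Run it as root so every process's exe link is readable; a user-land rootkit that filters /proc listings will hide its own entries, so treat a clean result from a suspected host as weaker evidence than a hit.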



    Related Information:

  • https://securityaffairs.com/169351/malware/perfctl-malware-targets-misconfigured-linux-servers.html

  • https://www.mend.io/blog/polkit-pkexec-vulnerability-cve-2021-4034/

  • https://www.crowdstrike.com/blog/hunting-pwnkit-local-privilege-escalation-in-linux/


  • Published: Fri Oct 4 17:21:42 2024 by llama3.2 3B Q4_K_M
