Ethical Hacking News
A newly discovered malware campaign dubbed perfctl is targeting Linux servers for cryptocurrency mining and proxyjacking. To learn more about the perfctl malware campaign and how it can be mitigated, read on for an examination of the attackers' tactics, techniques and procedures (TTPs) and of the countermeasures defenders can apply.
In summary: the perfctl malware campaign targets Linux servers for cryptocurrency mining and proxyjacking. Once on a host, the malware exploits the PwnKit vulnerability in Polkit to escalate privileges to root and execute a miner. Whenever a new user logs in, it stops all 'noisy' activities and lies dormant until the server is idle again; after execution it deletes its own binary and keeps running quietly as a service. It also drops a rootkit for defense evasion alongside the miner payload. Defenders should keep systems and software patched (Polkit in particular), restrict execution from world-writable directories, and limit access to critical files.
Perfctl, a newly discovered malware campaign, has been gaining attention from cybersecurity experts due to its sophisticated techniques and malicious intent. The campaign specifically targets Linux servers with the primary aim of running cryptocurrency mining and proxyjacking software. This article aims to provide an in-depth examination of the perfctl malware campaign, its tactics, techniques, and procedures (TTPs), as well as the measures that can be taken to mitigate the risk posed by this malicious software.
The perfctl malware campaign relies on a known security flaw in Polkit, the Linux authorization framework that decides whether an unprivileged process may perform a privileged action (its pkexec helper is the component affected). Polkit is not the initial access vector: once the attacker already has code execution on the host, the malware exploits the PwnKit vulnerability (CVE-2021-4034; several reports on this campaign cite it as CVE-2021-4043) to escalate privileges to root and then runs a miner called perfcc. The name "perfctl" is believed to be a deliberate attempt by the attackers to blend in with the legitimate Linux "perf" performance tooling and evade detection by anyone glancing at a process list.
After initial infection, the malware watches for interactive logins: whenever a new user logs in to the server, it stops all 'noisy' activities and lies dormant until the server is idle again. After execution, it deletes its own binary and continues to run quietly in the background as a service, which is why it is often described as fileless. The malware is also engineered to copy itself to new locations within the "/tmp" directory, run the new binary, terminate the original process, and delete the initial binary in an attempt to cover its tracks.
Furthermore, the perfctl malware drops a rootkit for defense evasion together with the miner payload; the rootkit hides the malware's processes and files from ordinary administration tools. Some instances of this malware also retrieve and execute proxyjacking software from remote servers, renting the victim's bandwidth out to proxy networks. The combination of process-name masquerading, self-deletion, login-triggered dormancy and a rootkit is what lets the campaign stay under the radar of security systems for long periods.
To mitigate the risk posed by perfctl, it is recommended that administrators keep their systems and all software up-to-date (verify that the installed Polkit package carries the PwnKit fix), restrict file execution in world-writable directories such as /tmp and /dev/shm, disable unused services, enforce network segmentation, and implement Role-Based Access Control (RBAC) to limit access to critical files. It is also essential to monitor system performance for unusual spikes in CPU usage or system slowdowns, as these may indicate crypto mining activities; because the rootkit hides the miner from the process list, the CPU load itself may be the only visible symptom.
The researchers at Aqua Security, who discovered the perfctl malware campaign, emphasized that detecting this malware requires attention to detail and expertise in Linux security. "To detect perfctl malware, you look for unusual spikes in CPU usage, or system slowdown if the rootkit has been deployed on your server," they stated.
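The behaviours described above (a binary deleted after launch, execution out of /tmp, a process name mimicking perf tooling, sustained CPU load, and a rootkit hiding processes) can each be checked directly against /proc. The script below is an added example written for this article; it is not Aqua Security's tooling and not code from the malware. The CPU threshold, the name pattern and the sample process at the bottom are assumptions, and the hidden-PID check uses the classic readdir-versus-direct-lookup comparison, which catches userland (LD_PRELOAD) rootkits but not a kernel-module rootkit that hooks both paths.

```python
#!/usr/bin/env python3
"""Hunt for perfctl-style indicators by walking /proc on a Linux host.

Added example for this article (not Aqua Security's tooling, not the
malware's code). Thresholds, the name pattern and sample data are assumed.
"""
import os
import re
import time
from dataclasses import dataclass
from typing import Callable, Optional

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
NAME_PATTERN = re.compile(r"perf(ctl|cc)", re.IGNORECASE)  # assumed pattern
CPU_THRESHOLD = 80.0                                        # assumed; tune per host


@dataclass
class ProcInfo:
    pid: int
    exe: str        # target of /proc/<pid>/exe; ends with " (deleted)" if unlinked
    cmdline: str    # argv joined with spaces
    cpu_pct: float  # CPU share over the sample window, 0-100 per core


def classify(p: ProcInfo) -> list[str]:
    """Return the indicators a single process trips; an empty list means clean."""
    findings = []
    if p.exe.endswith(" (deleted)"):
        findings.append("binary deleted while running")
    if p.exe.startswith(TEMP_DIRS):
        findings.append("executing from temp directory")
    if NAME_PATTERN.search(p.exe) or NAME_PATTERN.search(p.cmdline):
        findings.append("name mimics perf tooling")
    if p.cpu_pct >= CPU_THRESHOLD:
        findings.append(f"high CPU ({p.cpu_pct:.0f}%)")
    return findings


def find_hidden_pids(listed: set[int], exists: Callable[[int], bool],
                     max_pid: int) -> list[int]:
    """PIDs reachable by a direct /proc/<pid> lookup but absent from readdir(/proc).
    LD_PRELOAD rootkits normally filter readdir() only, so such a PID is a red flag."""
    return [pid for pid in range(1, max_pid + 1) if pid not in listed and exists(pid)]


def _cpu_ticks(pid: int) -> int:
    """utime + stime from /proc/<pid>/stat (fields 14 and 15)."""
    with open(f"/proc/{pid}/stat") as f:
        rest = f.read().rsplit(")", 1)[1].split()  # comm may contain spaces
    return int(rest[11]) + int(rest[12])


def _read_exe(pid: int) -> str:
    try:
        return os.readlink(f"/proc/{pid}/exe")
    except OSError:  # kernel thread, or not running as root
        return ""


def _read_cmdline(pid: int) -> str:
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            return f.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        return ""


def scan_live(interval: float = 1.0, max_pid: Optional[int] = None) -> dict:
    """Walk the real /proc; run as root so every exe link is readable.
    The hidden-PID sweep probes every PID up to pid_max, which can take a while."""
    hz = os.sysconf("SC_CLK_TCK")
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    listed = {int(d) for d in os.listdir("/proc") if d.isdigit()}
    before = {}
    for pid in listed:
        try:
            before[pid] = _cpu_ticks(pid)
        except OSError:
            pass
    time.sleep(interval)
    suspicious = {}
    for pid, t0 in before.items():
        try:
            cpu = (_cpu_ticks(pid) - t0) / hz / interval * 100.0
        except OSError:  # process exited during the window
            continue
        hits = classify(ProcInfo(pid, _read_exe(pid), _read_cmdline(pid), cpu))
        if hits:
            suspicious[pid] = hits
    hidden = find_hidden_pids(listed, lambda p: os.path.exists(f"/proc/{p}/status"), max_pid)
    return {"suspicious": suspicious, "hidden_pids": hidden}


if __name__ == "__main__":
    sample = ProcInfo(4242, "/tmp/perfcc (deleted)", "perfcc", 97.0)  # constructed sample
    print(sample.pid, classify(sample))
    print(scan_live())
```

Run it as root so the exe links of every process are readable, and treat a hit as a reason to capture the process (for example by copying /proc/PID/exe, which still works after the file on disk is unlinked) before killing it. Pair the check with mounting /tmp, /var/tmp and /dev/shm noexec and with confirming the installed Polkit package is patched against PwnKit, since the script only spots the infection after the fact.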
In light of this new threat, cybersecurity experts are urging administrators to audit exposed services and misconfigurations, since the campaign targets servers directly rather than relying on users to run unsolicited software. The campaign highlights the importance of staying vigilant and proactive in securing Linux servers against such malicious attacks.
Related Information:
https://thehackernews.com/2024/10/new-perfctl-malware-targets-linux.html
https://www.darkreading.com/threat-intelligence/perfctl-fileless-malware-targets-millions-linux-servers
Published: Thu Oct 3 11:13:55 2024 by llama3.2 3B Q4_K_M