Perfectl in an impressive piece of malware:
The malware has been circulating since at least 2021. It gets installed by exploiting more than 20,000 common misconfigurations, a capability that may make millions of machines connected to the Internet potential targets, researchers from Aqua Security said. It can also exploit CVE-2023-33246, a vulnerability with a severity rating of 10 out of 10 that was patched last year in Apache RocketMQ, a messaging and streaming platform that’s found on many Linux machines.
The researchers are calling the malware Perfctl, the name of a malicious component that surreptitiously mines cryptocurrency. The unknown developers of the malware gave the process a name that combines the perf Linux monitoring tool and ctl, an abbreviation commonly used with command line tools. A signature characteristic of Perfctl is its use of process and file names that are identical or similar to those commonly found in Linux environments. The naming convention is one of the many ways the malware attempts to escape notice of infected users.
Perfctl further cloaks itself using a host of other tricks. One is that it installs many of its components as rootkits, a special class of malware that hides its presence from the operating system and administrative tools. Other stealth mechanisms include:
Stopping activities that are easy to detect when a new user logs in
Using a Unix socket over TOR for external communications
Deleting its installation binary after execution and running as a background service thereafter
Manipulating the Linux process pcap_loop through a technique known as hooking to prevent admin tools from recording the malicious traffic
Suppressing mesg errors to avoid any visible warnings during execution.
The malware is designed to ensure persistence, meaning the ability to remain on the infected machine after reboots or attempts to delete core components. Two such techniques are (1) modifying the ~/.profile script, which sets up the environment during user login so the malware loads ahead of legitimate workloads expected to run on the server and (2) copying itself from memory to multiple disk locations. The hooking of pcap_loop can also provide persistence by allowing malicious activities to continue even after primary payloads are detected and removed.
Besides using the machine resources to mine cryptocurrency, Perfctl also turns the machine into a profit-making proxy that paying customers use to relay their Internet traffic. Aqua Security researchers have also observed the malware serving as a backdoor to install other families of malware.
Something this complex and impressive implies that a government is behind this. North Korea is the government we know that hacks cryptocurrency in order to fund its operations. But this feels too complex for that. I have no idea how to attribute this.
More Stories
CISA Urges Encryption of Cookies in F5 BIG-IP Systems
CISA urged organizations to tackle security risks from unencrypted cookies in F5 BIG-IP LTM systems Read More
US DoD Tightens Cybersecurity Standards for Defense Contractors
The US DoD has finalized the Cybersecurity Maturity Model Certification (CMMC) Program, which defense contractors must pass to bid for...
Pokémon Developer Game Freak Suffers Data Breach
Personal data of over 2600 employees has been exposed and insider information about the Switch 2 and future Pokémon games...
Snapping Safely: The Fun and Risks of Snapchat for Teens
The content of this post is solely the responsibility of the author. LevelBlue does not adopt or endorse any of...
Casio Confirms Ransomware Outage and Data Breach
Japanese electronics firm Casio has reported a ransomware attack and data breach Read More
Skills Shortages Now a Top-Two Security Risk for SMBs
Sophos claims that a lack of cybersecurity talent is considered a major risk by SMBs Read More