Perfctl Malware Targeting Millions of Linux Servers

Administrators in the US, Russia, Germany, Indonesia, Korea, China, Spain and elsewhere have been reporting a malware known as "perfctl" (also referred to as perfcc) that is wreaking havoc on their Linux servers. The malware consumes massive amounts of CPU, leaving systems virtually unusable, and has proven difficult to remove.

What is Perfctl and How Does It Work?

Perfctl primarily targets Linux servers connected to the internet, exploiting vulnerabilities and misconfigurations to gain initial access. Once inside, it hides itself effectively and continuously siphons computing power for cryptomining or proxyjacking. However, according to Assaf Morag, director of threat intelligence at Aqua Nautilus, its ambitions may extend beyond cryptomining.

Morag has observed perfctl deploying TruffleHog, a legitimate open-source secrets scanner, to search for hardcoded secrets such as credentials and API tokens in source code. He suggests that the perfctl operators may also be using these secrets to sell access to compromised servers to larger criminal groups in the cyber underground.

The malware’s ability to exploit server misconfigurations is extensive. Researchers identified three web servers tied to the threat actor behind perfctl. Two of these were previously compromised, and one is likely owned by the attacker. The compromised servers revealed significant information, including a list of nearly 20,000 misconfigurations and vulnerabilities that perfctl could exploit.

This list included:

  • Over 12,000 known server misconfigurations
  • Nearly 2,000 paths to obtain unauthorised credentials, tokens, and keys
  • Over 1,000 techniques for unauthorised login
  • Dozens of potential misconfigurations in widely used applications such as Apache RocketMQ

Exploiting Vulnerabilities: CVE-2023-33246 and Beyond

In addition to misconfigurations, perfctl can gain access to servers by exploiting bugs such as CVE-2023-33246, a critical remote command execution (RCE) vulnerability in Apache RocketMQ. This vulnerability scored 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS), highlighting its severity.

Once perfctl gains a foothold, it uses follow-on files containing specific exploits to leverage the misconfigurations it identifies. This ability to continually adapt and evolve makes the malware particularly dangerous.

Protecting Your Servers from Perfctl and Other Fileless Malware

In order to help defend against perfctl and similar threats, server administrators must take immediate steps to secure their systems. Aqua recommends the following key mitigations:

  • Patch Vulnerabilities: Ensure all vulnerabilities are patched, especially in internet-facing applications such as RocketMQ. Also, address known vulnerabilities such as CVE-2021-4043 (Polkit) and regularly update all software and system libraries.
  • Restrict File Execution: Mount all world-writable scratch directories such as /tmp and /dev/shm with the "noexec" option (it is a mount option, not a file permission) so that malware cannot execute binaries it drops there.
  • Disable Unused Services: Turn off any unnecessary services, especially those that expose the system to potential attackers, such as unused HTTP services.
  • Implement Strict Privilege Management: Limit root access to critical files and directories. Use role-based access control (RBAC) to restrict what users and processes can access or modify.
  • Network Segmentation: Isolate critical servers from the internet, or use firewalls to restrict outbound communication, especially connections to cryptomining pools and Tor.
  • Deploy Runtime Protection: Utilise advanced anti-malware and behavioural detection tools that can detect rootkits, cryptominers, and fileless malware like perfctl.
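The "noexec" item above is the one mitigation that can be verified mechanically from the mount table, so here is a small audit script for it. It is an added example written for this article, not Aqua's tooling or anything from the perfctl report. It parses lines in /proc/mounts format, reports whether each requested directory is its own mount with noexec set, and prints the remount command or fstab line that would fix a finding without executing it. The mount table it runs against is constructed sample data, not a real host; replace it with /proc/mounts as shown in the closing comment.

```shell
#!/bin/sh
# Audit whether writable scratch mounts carry the noexec option.
# Mount table lines are in /proc/mounts format:
#   <device> <mountpoint> <fstype> <options> <dump> <pass>

# Constructed sample mount table (not a real host): /tmp lacks noexec,
# /dev/shm has it, and /var/tmp is not a separate mount at all.
SAMPLE_MOUNTS='/dev/vda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0'

# mount_opts MOUNTPOINT : read a mount table on stdin and print the option
# string of MOUNTPOINT (empty if it is not its own mount).
mount_opts() {
    awk -v mp="$1" '$2 == mp { print $4; exit }'
}

# noexec_status MOUNTPOINT : read a mount table on stdin and print one of
#   noexec    option present
#   missing   separate mount, but executable
#   notmount  directory lives on a parent filesystem; remount cannot fix it
noexec_status() {
    opts=$(mount_opts "$1")
    if [ -z "$opts" ]; then
        echo notmount
        return 0
    fi
    # Surround with commas so "noexec" matches only as a whole option.
    case ",$opts," in
        *,noexec,*) echo noexec ;;
        *)          echo missing ;;
    esac
}

# remediation MOUNTPOINT : read a mount table on stdin and print the fix for
# a finding. Nothing is executed here; the operator applies it deliberately.
remediation() {
    case $(noexec_status "$1") in
        missing)  echo "mount -o remount,noexec,nosuid,nodev $1" ;;
        notmount) echo "tmpfs $1 tmpfs defaults,noexec,nosuid,nodev 0 0  # add to /etc/fstab" ;;
        noexec)   echo "# $1 already noexec" ;;
    esac
}

# audit MOUNTPOINT... : read the mount table on stdin once, report every
# directory, and return 1 if any of them is executable.
audit() {
    table=$(cat)
    rc=0
    for mp in "$@"; do
        status=$(printf '%s\n' "$table" | noexec_status "$mp")
        fix=$(printf '%s\n' "$table" | remediation "$mp")
        printf '%-10s %-9s %s\n' "$mp" "$status" "$fix"
        [ "$status" = noexec ] || rc=1
    done
    return $rc
}

# Run against the constructed sample. On a real host use:
#   audit /tmp /dev/shm /var/tmp < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | audit /tmp /dev/shm /var/tmp \
    || echo "one or more scratch directories are executable"
```

Two caveats a practitioner should keep in mind. First, noexec only stops direct execution of a dropped binary; `sh /tmp/x.sh` or `python3 /tmp/x.py` still run because the interpreter, not the file, is what gets executed, so treat this as raising the bar rather than closing the door. Second, a directory that is not its own mount (the notmount case above) cannot be fixed with a remount; it needs a dedicated tmpfs entry in /etc/fstab or a bind mount.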

If you operate Linux servers connected to the internet, act now, before perfctl finds its way into your network.
