Linux servers are the target of an ongoing attack campaign that deploys a stealthy malware strain called perfctl, built to run cryptocurrency mining and proxyjacking operations on compromised hosts.
According to Aqua Security researchers Assaf Morag and Idan Revivo, perfctl is highly evasive and persistent, employing advanced techniques to avoid detection. “It halts all noisy operations when a new user logs in and remains dormant until the server is idle again. Once executed, it removes its binary file and quietly runs in the background as a service,” they said in a report shared with The Hacker News.
Some details of this campaign were previously revealed by Cado Security, which highlighted attacks exploiting internet-exposed Selenium Grid instances to run cryptocurrency mining and proxyjacking software.
Perfctl is known to exploit the Polkit pkexec vulnerability tracked as CVE-2021-4034 (also known as PwnKit) to escalate privileges to root and deploy a miner called perfcc.
The name “perfctl” is an intentional disguise to mimic legitimate system processes, as “perf” refers to a Linux performance monitoring tool and “ctl” signifies control, commonly used in command-line utilities like systemctl.
The attack chain, observed on the cloud security firm's honeypot servers, begins with the compromise of a Linux server through a vulnerable Apache RocketMQ instance, leading to the delivery of a payload named “httpd” to blend in with the Apache web server process of the same name.
Once the malware is executed, it copies itself to the “/tmp” directory, runs the new binary, kills the original process, and deletes the initial binary to obscure its tracks. It also installs a rootkit for defense evasion, while deploying the mining payload and, in some cases, proxyjacking software from a remote server.
To mitigate the risks posed by perfctl, security experts recommend keeping systems and software up to date (patching the RocketMQ and Polkit flaws the malware relies on), restricting file execution from writable locations such as /tmp, disabling unnecessary services, enforcing network segmentation, and using Role-Based Access Control (RBAC) to limit access to critical files.
Indicators of perfctl activity include unusual CPU usage spikes or system slowdowns, particularly during idle times, which may signal crypto mining operations, the researchers noted.
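The two behaviours described above, the copy-to-/tmp, run, delete trick and the CPU load that appears only while nobody is logged in, both leave traces a defender can check for. The following triage script is an added example written for this page; it is not code from Aqua Security's report or from the malware itself. The process names (httpd, perfctl, perfcc) come from the report; the sample process table and the two /proc/stat lines are constructed for the demonstration, and the use of /dev/pts entries as a proxy for interactive sessions is a simplifying assumption.

```python
"""Added example, not from the original report: triage a Linux host for two
perfctl indicators -- processes running from a deleted or /tmp-resident
binary (or named perfctl/perfcc), and heavy CPU use with no one logged in."""
from __future__ import annotations

import os
from dataclasses import dataclass
from typing import Iterable

# Names from the report: the dropper "httpd", the service "perfctl" and the
# miner "perfcc". A genuine Apache "httpd" lives under /usr, so the path
# checks below separate it from the dropper rather than the name alone.
SUSPICIOUS_NAMES = {"perfctl", "perfcc"}
TMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class Proc:
    pid: int
    comm: str   # contents of /proc/<pid>/comm
    exe: str    # readlink of /proc/<pid>/exe, "" if unreadable


def judge(p: Proc) -> list[str]:
    """Return the indicators one process matches (empty list means clean)."""
    reasons = []
    if p.comm in SUSPICIOUS_NAMES:
        reasons.append("name mimics perf/ctl tooling")
    # The kernel appends " (deleted)" to the exe symlink once the file on
    # disk is unlinked, which is exactly what the copy-run-delete step leaves.
    if p.exe.endswith(" (deleted)"):
        reasons.append("running from a deleted binary")
    if p.exe.startswith(TMP_DIRS):
        reasons.append("executable lives in a world-writable temp directory")
    return reasons


def suspicious_processes(procs: Iterable[Proc]) -> dict[int, list[str]]:
    """Map pid -> reasons for every process that matches at least one indicator."""
    return {p.pid: r for p in procs if (r := judge(p))}


def collect_live_procs() -> list[Proc]:
    """Walk /proc on this host; run as root to read other users' exe links."""
    out = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
        except OSError:       # process exited between listdir and open
            continue
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:       # permission denied or kernel thread
            exe = ""
        out.append(Proc(pid, comm, exe))
    return out


def cpu_busy_fraction(stat_before: str, stat_after: str) -> float:
    """Busy share of CPU time between two aggregate 'cpu' lines of /proc/stat.
    Field order: user nice system idle iowait irq softirq steal guest guest_nice.
    idle and iowait count as idle time; everything else as busy."""
    def split(line: str) -> tuple[int, int]:
        vals = [int(x) for x in line.split()[1:]]
        return sum(vals), vals[3] + vals[4]
    total0, idle0 = split(stat_before)
    total1, idle1 = split(stat_after)
    total = total1 - total0
    return 1.0 - (idle1 - idle0) / total if total else 0.0


def interactive_sessions() -> int:
    """Assumption for this example: one open pts device per interactive login."""
    try:
        return len([d for d in os.listdir("/dev/pts") if d.isdigit()])
    except OSError:
        return 0


def idle_cpu_alert(busy: float, sessions: int, threshold: float = 0.5) -> bool:
    """The report's indicator: sustained load while the server is 'idle'
    (no interactive user), the window in which perfctl runs its miner."""
    return sessions == 0 and busy >= threshold


# Constructed sample data: a quiet host, then the same host 10 ticks later
# with ~70% of the elapsed CPU time burned by a miner.
STAT_QUIET = "cpu  1000 0 500 8000 100 0 0 0 0 0"
STAT_MINING = "cpu  1700 0 500 8300 100 0 0 0 0 0"
SAMPLE_PROCS = [
    Proc(1, "systemd", "/usr/lib/systemd/systemd"),
    Proc(4242, "httpd", "/tmp/httpd (deleted)"),      # the dropper after self-delete
    Proc(4300, "perfctl", "/usr/bin/perfctl (deleted)"),
    Proc(4311, "httpd", "/usr/sbin/httpd"),           # legitimate Apache
]

if __name__ == "__main__":
    for pid, why in suspicious_processes(SAMPLE_PROCS).items():
        print(f"pid {pid}: {'; '.join(why)}")
    busy = cpu_busy_fraction(STAT_QUIET, STAT_MINING)
    print(f"sample busy fraction {busy:.2f}, alert={idle_cpu_alert(busy, 0)}")
    # Swap in collect_live_procs() and two real /proc/stat reads to triage a host.
```

Run it as root on a suspect host with `collect_live_procs()` in place of the sample table; a process whose exe link ends in “(deleted)” is not proof of compromise by itself (package upgrades leave the same trace), so treat the combination of a deleted or /tmp-resident binary with the perf-style name or with load during idle periods as the signal, and remember that the installed rootkit may hide entries from /proc, so a clean result from inside the box is weaker evidence than one taken from a rescue image.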