Stealthy Malware: Uncovering the Ongoing Infection of Thousands of Linux Systems

Researchers revealed on Thursday that a significant number of Linux machines have fallen victim to a stealthy malware strain notable for the range of misconfigurations it exploits and the breadth of its malicious capabilities.

This malware has reportedly been active since at least 2021, managing to infiltrate systems by taking advantage of over 20,000 common misconfigurations. This alarming ability means that potentially millions of internet-connected machines could be at risk, according to findings from Aqua Security. Additionally, it can exploit CVE-2023-33426, a high-severity vulnerability rated 10 out of 10, which was remediated last year in Apache RocketMQ, a messaging and streaming platform frequently found on Linux systems.

Known as Perfctl, the malware is characterized by a particular component that covertly mines cryptocurrency. The unnamed creators of this malware chose a name that merges the perf Linux monitoring tool with “ctl,” a common abbreviation used for command line tools. A distinctive feature of Perfctl is its tendency to use process and file names that mirror those typically found in Linux environments, which helps it avoid detection by unsuspecting users.

Perfctl further enhances its invisibility through various techniques. One method involves installing many of its components as rootkits, a specific type of malware designed to conceal its existence from both the operating system and administrative tools. Additional stealth tactics include:

The malware has been engineered for persistence, meaning it can remain on an infected machine even after reboots or attempts to remove its core components. Among the techniques it employs are (1) altering the ~/.profile script, which configures the environment during user login, allowing the malware to load before legitimate processes expected on the server, and (2) replicating itself from memory to various locations on the disk. Additionally, the hooking of pcap_loop can ensure ongoing malicious activities even after the primary payloads have been discovered and eliminated.

In addition to hijacking machine resources for cryptocurrency mining, Perfctl also transforms the infected machine into a profitable proxy, which is utilized by paying clients to route their internet traffic. Researchers from Aqua Security have noted that the malware functions as a backdoor, facilitating the installation of other malware families.

Assaf Morag, the threat intelligence director at Aqua Security, conveyed in an email:

Perfctl malware is a considerable threat due to its ability to evade detection while maintaining persistence on compromised systems. This dual functionality presents a significant hurdle for defenders, and the malware has been associated with an increasing number of reports and discussions in various forums, underscoring the distress and frustration experienced by those who find themselves infected.

Perfctl operates using a rootkit method, modifying certain system utilities to obscure the actions of the cryptominer and proxy-jacking software. It integrates naturally into its environment, adopting seemingly legitimate names. Furthermore, Perfctl’s design allows it to execute a variety of harmful activities, ranging from data exfiltration to the distribution of additional malicious payloads. Its multifaceted nature makes it a tool for various nefarious aims, posing significant risks to both organizations and individuals.

Although some antivirus programs can detect Perfctl and certain malware it installs, researchers from Aqua Security found a lack of substantial research publications specifically addressing this malware. They did uncover numerous discussions on developer forums related to infections that align with Perfctl’s behavior.

This comment on Reddit from the CentOS subreddit provides a typical example. An administrator discovered that two servers had been compromised by a cryptocurrency hijacker known as perfcc and perfctl. The admin sought assistance in uncovering the source of the issue.

“I only became aware of the malware because my monitoring setup alerted me to 100% CPU utilization,” the administrator mentioned in an April 2023 post. “However, the process would stop immediately when I logged in via SSH or console. As soon as I logged out, the malware would resume running within a few seconds or minutes.” The administrator elaborated:

I have tried to eliminate the malware by adhering to the guidelines provided in various forums, but nothing seems to work. The malware continuously reinstalls itself once I log out. I have also scoured the entire system for the term “perfcc” and discovered the files listed below. However, removing them has not rectified the problem, as they reappear each time the system is rebooted.

Other discussions on this topic include: Reddit, Stack Overflow (Spanish), forobeta, brainycp, natnetwork, exabytes, Proxmox, Camel2243, svrforum, virtualmin, serverfault, and many others.

This article originally appeared on Ars Technica, a reliable source for technology news and analysis. Ars is part of WIRED’s parent company, Condé Nast.

After taking advantage of a vulnerability or misconfiguration, the exploit downloads the primary payload from a server, often one that has been compromised by the attacker and used as a conduit for anonymously distributing malware. An attack aimed at the researchers’ honeypot involved a payload named httpd. Upon execution, the file duplicates itself from memory into a new location within the /tmp directory, runs the copy, and subsequently terminates the original process while deleting the downloaded binary.

After being transferred to the /tmp directory, the file runs under a different name, mimicking a recognized Linux process. The file observed on the honeypot was labeled as sh. Subsequently, this file initiates a local command-and-control process and seeks to obtain root system privileges by exploiting CVE-2021-4043, a vulnerability that allows privilege escalation and was fixed in 2021 in Gpac, a popular open-source multimedia framework.

The malicious software then replicates itself from memory to various other locations on the disk, again selecting names that resemble ordinary system files. Furthermore, it installs a rootkit and a collection of commonly used Linux utilities modified to act as rootkits, along with the miner. In certain instances, the malware also installs tools for what is termed “proxy-jacking,” a method of secretly routing traffic through the compromised machine, obscuring the true origin of the data.
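The persistence and masquerading behaviour described above and in the earlier section on persistence (copies executing from /tmp under system-like names such as sh and httpd, the downloaded binary deleted after the copy is launched, and ~/.profile edited to relaunch the payload at login) leaves traces an administrator can check from the host's own view of /proc and the login scripts. The script below is an added example written for this page; it is not code from Aqua Security, from the original article, or from the malware's authors. The heuristics, the directory lists, the borrowed process names, and every sample PID, path and file content are constructed for illustration and are not indicators taken from the report.

```python
"""Host-side triage for the behaviours described in the article: a payload
executing from a temp directory, a process whose on-disk binary was deleted
(so it runs from memory only), a system-like process name backed by a binary
outside the system paths, and a login script that references a temp-dir path.

The checks take already-collected data so they run offline against constructed
samples; collect_processes() gathers the same fields from /proc on a live host.
All paths, PIDs and file contents below are constructed for this example.
"""
import json
import os
import sys
from dataclasses import dataclass

# Long-running daemons should not execute from world-writable temp directories.
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Where a binary carrying a well-known system name is expected to live.
SYSTEM_BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/",
                   "/usr/libexec/", "/usr/local/bin/", "/usr/local/sbin/")
# Names the article reports the malware borrowing or using for itself.
MIMICKED_NAMES = {"sh", "httpd", "perfctl", "perfcc"}


@dataclass
class Proc:
    pid: int
    comm: str   # contents of /proc/<pid>/comm
    exe: str    # target of /proc/<pid>/exe; the kernel appends " (deleted)" if unlinked


def check_process(p):
    """Return the reasons (possibly none) this process matches the described behaviour."""
    reasons = []
    exe = p.exe
    if exe.endswith(" (deleted)"):
        exe = exe[: -len(" (deleted)")]
        reasons.append("binary deleted from disk; process is running from memory")
    if exe.startswith(TEMP_DIRS):
        reasons.append(f"executing from temporary directory: {exe}")
    if p.comm in MIMICKED_NAMES and not exe.startswith(SYSTEM_BIN_DIRS):
        reasons.append(f"system-like name {p.comm!r} backed by {exe}")
    return reasons


def check_profile(text):
    """Flag non-comment lines of a login script that reference a temp-dir path."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped and not stripped.startswith("#") and any(d in stripped for d in TEMP_DIRS):
            hits.append(f"line {lineno}: {stripped}")
    return hits


def triage(procs, profile_text):
    """Combine both checks into one findings dict keyed by PID and by script line."""
    findings = {"processes": {}, "profile": check_profile(profile_text)}
    for p in procs:
        reasons = check_process(p)
        if reasons:
            findings["processes"][p.pid] = reasons
    return findings


def collect_processes():
    """Read comm and exe for every PID in /proc (Linux only; root sees all processes)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"/proc/{entry}/exe")
        except OSError:
            continue  # process exited, is a kernel thread, or is unreadable without root
        procs.append(Proc(int(entry), comm, exe))
    return procs


# Constructed sample: one benign shell, one deleted copy in a temp dir, one fake httpd.
SAMPLE_PROCS = [
    Proc(1, "systemd", "/usr/lib/systemd/systemd"),
    Proc(812, "sh", "/usr/bin/dash"),
    Proc(4120, "sh", "/tmp/.example-hidden/sh (deleted)"),
    Proc(4133, "httpd", "/tmp/httpd"),
]
SAMPLE_PROFILE = """# ~/.profile (constructed sample, not a real artifact)
if [ -n "$BASH_VERSION" ]; then . "$HOME/.bashrc"; fi
/tmp/.example-hidden/httpd >/dev/null 2>&1 &
"""

if __name__ == "__main__":
    if "--live" in sys.argv:  # inspect the running host instead of the sample data
        with open(os.path.expanduser("~/.profile")) as fh:
            result = triage(collect_processes(), fh.read())
    else:
        result = triage(SAMPLE_PROCS, SAMPLE_PROFILE)
    print(json.dumps(result, indent=2))
```

Run without arguments to see the checks fire on the constructed sample, or with `--live` on a Linux host to apply them to the running process table and the current user's ~/.profile. Because the article reports that the malware's user-space utilities are modified to hide its processes, a clean result from a possibly compromised host's own /proc is weaker evidence than a hit; the check is a starting point for triage, not proof of absence.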

The researchers added:

In its command-and-control procedure, the malware establishes a Unix socket, creates two directories within the /tmp directory, and saves data there that impacts its functioning. This data encompasses host events, the locations of its copies, process names, communication logs, tokens, and other log information. Moreover, the malware utilizes environment variables to retain data that further modifies its execution and behavior.

All the binaries are meticulously packed, stripped, and encrypted, which denotes extensive efforts to circumvent defense mechanisms and obstruct reverse engineering attempts. Additionally, the malware employs sophisticated evasion strategies, such as pausing its operation upon detecting a new user in the btmp or utmp files and eliminating any rival malware to secure its dominance over the compromised system.

By analyzing data like the number of Linux servers accessible on the internet across diverse services and applications, tracked by platforms like Shodan and Censys, researchers estimate that the number of machines infected by Perfctl is in the thousands. They assert that the pool of susceptible machines—those that have yet to apply the patch for CVE-2023-33426 or are configured improperly—totals in the millions. The researchers have not yet quantified the amount of cryptocurrency generated by the malicious miners.

Individuals seeking to find out if their devices have been targeted or infected by Perfctl should check for indicators of compromise mentioned in Thursday’s post. They should also watch for unusual increases in CPU usage or sudden system sluggishness, especially during periods of inactivity. Furthermore, Thursday’s report outlines measures for preventing initial infections.
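The administrator quoted earlier saw 100% CPU that stopped the moment they logged in over SSH, and the researchers note that the malware pauses when it sees a new user in btmp or utmp. That pattern is itself detectable if CPU metrics are recorded out of band and compared against login records, which is one way to act on the advice above about watching for CPU spikes during periods of inactivity. The script below is an added example written for this page, not code from Aqua Security or the original article. The two input formats, the thresholds and all timestamps and CPU values are constructed for illustration; in practice the samples would come from the monitoring system and the sessions from wtmp/utmp (for example the output of `last -F`) after conversion into the same shape.

```python
"""Correlate CPU load with login sessions to catch a miner that pauses when an
administrator is present. Input formats and all sample data are constructed for
this example; real samples come from monitoring and sessions from wtmp/utmp.
"""
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%S"


def parse_samples(text):
    """'<ISO timestamp> <cpu percent>' per line -> sorted list of (datetime, float)."""
    out = []
    for line in text.strip().splitlines():
        ts, cpu = line.split()
        out.append((datetime.strptime(ts, FMT), float(cpu)))
    return sorted(out)


def parse_sessions(text):
    """'<login ISO> <logout ISO>' per line -> sorted list of (datetime, datetime)."""
    out = []
    for line in text.strip().splitlines():
        start, end = line.split()
        out.append((datetime.strptime(start, FMT), datetime.strptime(end, FMT)))
    return sorted(out)


def session_active(t, sessions):
    """True if any interactive session covers instant t."""
    return any(start <= t <= end for start, end in sessions)


def idle_high_cpu(samples, sessions, threshold=90.0, min_run=3):
    """Runs of at least min_run consecutive high-CPU samples while nobody was logged in."""
    runs, current = [], []
    for t, cpu in samples:
        if cpu >= threshold and not session_active(t, sessions):
            current.append(t)
        else:
            if len(current) >= min_run:
                runs.append((current[0], current[-1]))
            current = []
    if len(current) >= min_run:  # flush a run that reaches the end of the data
        runs.append((current[0], current[-1]))
    return runs


def login_suppression(samples, sessions, threshold=90.0, window=timedelta(minutes=10)):
    """Logins where CPU was high just before and collapsed right after the login.

    A legitimate batch job does not care who is logged in; a miner that watches
    utmp for new users does. Returns the login timestamps showing that pattern.
    """
    hits = []
    for start, _end in sessions:
        before = [cpu for t, cpu in samples if start - window <= t < start]
        after = [cpu for t, cpu in samples if start <= t <= start + window]
        if before and after and before[-1] >= threshold and after[0] < threshold / 2:
            hits.append(start)
    return hits


def report(cpu_text, session_text, threshold=90.0):
    """Run both detections and return the findings as ISO strings for easy logging."""
    samples, sessions = parse_samples(cpu_text), parse_sessions(session_text)
    return {
        "idle_high_cpu": [(a.strftime(FMT), b.strftime(FMT))
                          for a, b in idle_high_cpu(samples, sessions, threshold)],
        "login_suppression": [t.strftime(FMT)
                              for t in login_suppression(samples, sessions, threshold)],
    }


# Constructed sample: five-minute CPU samples around a single SSH session.
# The load is near 100% while the box is idle, drops as soon as the admin
# logs in at 02:29:30, and resumes a few minutes after logout at 02:46:00.
SAMPLE_CPU = """\
2023-04-10T02:00:00 97
2023-04-10T02:05:00 98
2023-04-10T02:10:00 99
2023-04-10T02:15:00 98
2023-04-10T02:20:00 99
2023-04-10T02:25:00 97
2023-04-10T02:30:00 4
2023-04-10T02:35:00 3
2023-04-10T02:40:00 2
2023-04-10T02:45:00 3
2023-04-10T02:50:00 96
2023-04-10T02:55:00 98
2023-04-10T03:00:00 99
"""
SAMPLE_SESSIONS = "2023-04-10T02:29:30 2023-04-10T02:46:00\n"

if __name__ == "__main__":
    for key, value in report(SAMPLE_CPU, SAMPLE_SESSIONS).items():
        print(key, value)
```

The two detections are complementary: `idle_high_cpu` catches the sustained load with nobody present, and `login_suppression` catches the tell-tale collapse at login that a genuine workload would not show. Both depend on the CPU samples being collected by something the malware does not control, such as a remote monitoring agent's metrics or hypervisor-level statistics, since the article reports that the malware's rootkit components hide its activity from local tools.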

