Undetected for Years: Meet Perfctl—The Linux Malware That’s Mining Millions in Cryptocurrency Right Under Your Nose

In the ever-evolving world of cyber threats, one malware has silently infiltrated Linux servers for years, stealthily mining cryptocurrency without drawing attention. Meet Perfctl, a highly sophisticated and elusive malware that has been exploiting Linux systems worldwide, targeting millions of servers. What’s worse, it remained undetected for years, quietly siphoning resources to fuel a growing cryptomining empire.

The Perfctl malware, uncovered by security researchers at Aqua Nautilus, has demonstrated its ability to evade detection and persist on compromised systems. Over time, it has exploited misconfigurations in over 20,000 types of Linux setups, turning servers into cryptomining machines for Monero (XMR) and enabling proxy-jacking schemes. You can read the original detailed report from AquaSec here.

In this article, we’ll explore how Perfctl operates, the vulnerabilities it exploits, and most importantly, how you can protect your systems from falling victim to this stealthy malware. Let’s dive in and reveal the full scope of Perfctl’s attack tactics and why it poses such a significant threat to the digital infrastructure.


The Rise of Perfctl: How It Stayed Hidden for Years

Perfctl is no ordinary malware. It’s a clever and stealthy operator, designed to evade detection and stay hidden while quietly mining cryptocurrency from compromised Linux servers. Its ability to blend into normal system operations makes it one of the most elusive forms of malware in recent years. Perfctl was carefully engineered to exploit vulnerabilities and misconfigurations in over 20,000 different types of Linux setups, targeting millions of servers worldwide. The fact that Perfctl remained undetected for years speaks to the sophistication of its design and the stealth techniques it employs.

Key Techniques That Enabled Perfctl to Stay Hidden

Perfctl’s stealthiness lies in its sophisticated combination of rootkits, process masquerading, and strategic evasion tactics. Here’s a breakdown of the key techniques Perfctl uses to stay under the radar:


1. Rootkits for Stealth

One of the most effective ways Perfctl hides is by leveraging rootkits. A rootkit is a type of malicious software that alters the behavior of the operating system itself, or of the tools administrators use to inspect it, allowing the malware to hide deep within the system. Perfctl uses rootkits to modify core system functions, making it invisible to many traditional security tools. This tactic is crucial for its persistence and stealth.

  • Rootkit Example: Perfctl drops user-space rootkits, including modified versions of common Linux utilities like ldd, lsof, and crontab, which are responsible for listing shared libraries, open files, and scheduled tasks, respectively. By doing so, Perfctl ensures that system administrators won’t see its malicious activities when they use these tools to monitor the system.

Moreover, Perfctl utilizes LD_PRELOAD to load its rootkit library (e.g., libgcwrap.so) before other libraries, which allows it to hook into key system functions like pam_authenticate, used by Linux’s Pluggable Authentication Modules (PAM) for user authentication. This means that the malware can potentially bypass password checks, log credentials, or modify authentication behavior unnoticed.



2. Process Masquerading

Another technique that Perfctl uses effectively is process masquerading. After infection, Perfctl renames itself to match common system processes, like sh or httpd, making it harder for system administrators to detect anything suspicious.

  • How it Works: Perfctl initially downloads its payload under the name httpd, the name of a common Linux web server process. Once executed, the malware deletes its binary from disk, renames its running process (to sh, for example), and continues to run from memory. To the untrained eye it looks like an innocuous process, especially since sh is the default shell on most Linux systems.

Perfctl’s process masquerading doesn’t stop there. It continuously copies itself to different locations on the disk, using deceptive filenames like /usr/lib/libpprocps.so and /root/.config/cron/perfcc, which mimic system libraries and configuration files. These paths are specifically chosen to blend in with normal system files, making the malware even harder to detect during routine system checks.



3. Smart Evasion Tactics

Perfctl goes a step further in evasion by adapting its behavior based on server activity. One of its most advanced tactics is dormancy during user logins. Perfctl can sense when a new user logs into the server and immediately pauses any “noisy” activities, such as cryptomining or outbound communication with TOR. It only resumes its malicious operations once the server is idle again.

  • Why This Matters: This technique significantly reduces the chances of detection during real-time system monitoring, especially by system administrators logging in to check server health. The malware’s ability to remain dormant during active monitoring sessions makes it highly elusive.

During sandbox testing conducted by researchers, Perfctl utilized its backdoor to assess the environment it was running on, further showcasing how attackers were actively analyzing their targets before fully exploiting them.



4. Exploiting Known Vulnerabilities

Perfctl also exploits critical vulnerabilities to escalate privileges, giving it deeper access to compromised servers. One of the key vulnerabilities it targets is Polkit, specifically CVE-2021-4043, which allows the malware to execute commands with root privileges.

  • CVE-2021-4043: This vulnerability affects Polkit, a component used by many Linux distributions to control system-wide privileges. Perfctl exploits this flaw to escalate privileges and gain full control over the system. Once it achieves root access, the malware can disable security mechanisms, drop more payloads, and establish long-term persistence.

In one attack scenario observed in a sandbox environment, Perfctl attempted to run an exploit for CVE-2021-4043 immediately after compromising the server, aiming to establish root access and deploy additional payloads.


5. Persistence and Backdoor Installation

Once installed, Perfctl ensures its longevity by opening a backdoor and implementing several persistence mechanisms. The malware leverages Unix sockets for internal communication and uses TOR for external communications with its command-and-control (C2) servers, making it challenging for network security tools to monitor and block these activities.

  • Backdoor Behavior: Perfctl listens for instructions from its C2 servers via TOR and can deploy additional malicious utilities, such as cryptominers and proxy-jacking software. The backdoor allows attackers to maintain full control over infected systems, giving them the ability to exfiltrate data, install additional malware, or pivot within a network.

Researchers also found that Perfctl creates multiple directories in the /tmp folder to store logs and information about its copies and process names. These hidden directories further complicate detection efforts, as they mimic standard system behavior.


How Perfctl Attacks Work: A Step-by-Step Breakdown

The attack flow of Perfctl is meticulously designed to ensure persistence, evasion, and stealth on infected Linux systems. Through a combination of exploiting vulnerabilities, file manipulation, and process masquerading, the malware is able to remain undetected while running cryptomining software. Below is a detailed breakdown of how Perfctl typically compromises a Linux server:

1. Exploitation of Vulnerabilities or Misconfigurations

The attack begins with the exploitation of known vulnerabilities, such as the Polkit vulnerability (CVE-2021-4043). Perfctl leverages these vulnerabilities to gain unauthorized access or elevate its privileges. In some instances, it exploits server misconfigurations, targeting nearly 20,000 types of misconfigured setups, allowing attackers to breach systems that might not have been adequately secured.

Once access is gained, Perfctl downloads its primary payload from an attacker-controlled HTTP server. For example, in a documented attack, the malware disguised itself as a common Linux process named httpd (the default Apache web server process) to avoid suspicion.

2. Binary Deletion and Memory-Based Execution

Once the payload is executed, Perfctl deletes its original binary from the disk, ensuring there is no trace of the malware on the file system. However, it continues running in the background by loading itself into memory under a different process name. This memory-based execution is a classic defense evasion technique, allowing Perfctl to avoid detection by file-based security tools.

  • Process Masquerading: Perfctl renames itself to sh (a common shell process) or continues under the name of httpd. The malware also copies itself into multiple locations, using deceptive filenames like /usr/lib/libpprocps.so or /root/.config/cron/perfcc. These filenames are designed to mimic legitimate system files, further reducing the chances of detection.

3. Rootkit Deployment

Perfctl deploys rootkits to modify core Linux utilities like ldd and lsof, which are used to list shared libraries and open files, respectively. By tampering with these utilities, the malware ensures that it stays hidden from traditional detection methods, as these tools will no longer show the presence of the malicious processes.

The rootkit, named libgcwrap.so, hooks key system functions, including pam_authenticate (used by the Pluggable Authentication Modules framework for user authentication), to manipulate system behavior. By hooking into these functions, Perfctl can bypass authentication checks, capture user credentials, or modify authentication logic to maintain access to the system.

This rootkit is loaded using LD_PRELOAD, ensuring it is prioritized over other shared libraries.

4. Command-and-Control Operations

Perfctl maintains communication with its operators via a Unix socket for internal communication and the TOR network for external communication. This encrypted connection to the command-and-control (C2) servers allows attackers to remotely manage the compromised system, execute additional commands, or download further payloads.

  • Backdoor and Data Logging: Perfctl creates directories, such as /tmp/.xdiag/, to store logs, process IDs, and configurations for its operations. These logs contain information about the host system and instructions for future commands, such as which processes to terminate or which files to manipulate.

Encrypted communication and backdoor creation make it extremely difficult to track the malware’s activities on the network, as traditional monitoring tools cannot easily detect TOR traffic.

5. Resource Hijacking for Cryptomining

Perfctl’s ultimate goal is cryptojacking—exploiting the system’s resources to mine cryptocurrency, typically Monero (XMR). The malware deploys cryptomining software, such as XMRIG, to hijack the CPU’s processing power. This causes significant performance degradation, leading to slower legitimate operations, increased energy consumption, and higher operational costs.

  • Proxy-Jacking: In some cases, Perfctl also engages in proxy-jacking, where the compromised server’s internet bandwidth is sold through services like Bitping or Repocket. These services allow users to earn money by sharing unused bandwidth, but in Perfctl’s case, the server owner is unaware that their bandwidth is being hijacked.

The cryptomining process is heavily obfuscated, packed, and encrypted, making it difficult for administrators to detect the malicious activities without specialized tools.

For more information on Perfctl’s cryptojacking tactics, explore AquaSec’s analysis.


The Real-World Consequences of Perfctl

While Perfctl’s primary objective is cryptomining, its presence on a server leads to severe and far-reaching consequences. The impact goes beyond just CPU resource consumption—Perfctl opens the door to additional threats, financial losses, and long-term damage to system performance.

1. Severe Performance Degradation

One of the most immediate consequences of Perfctl’s cryptomining activities is the monopolization of CPU resources. By running software like XMRIG in the background, Perfctl uses excessive system resources to mine Monero (XMR) cryptocurrency. As a result, legitimate applications and services on the affected server suffer from:

  • Sluggish Performance: Users may experience severe delays in executing tasks, processing data, or handling requests, especially during peak usage times.
  • System Crashes and Downtime: In some instances, the intense CPU usage can lead to system overloads, causing server crashes or unexpected downtime, potentially affecting business operations and leading to loss of revenue.

During an analysis, researchers noted that in one attack, Perfctl was able to drain system resources to such an extent that the server was effectively unusable until the cryptominer was terminated.

2. Unintended Financial Costs

Running a compromised server leads to unintended and often skyrocketing operational costs, particularly for organizations relying on cloud-based infrastructure with usage-based billing. Here’s why:

  • Cloud Resource Billing: Cloud environments typically charge based on the amount of CPU, memory, and bandwidth consumed. Because Perfctl drains substantial CPU power to support its cryptomining activities, monthly cloud bills can see unexpected spikes.
  • Bandwidth Hijacking: Perfctl has been linked to proxy-jacking schemes, where compromised servers are used to sell bandwidth without the owner’s knowledge. Services like Repocket or Bitping—platforms that offer users compensation for sharing unused internet bandwidth—are exploited by attackers. As a result, organizations not only pay for higher bandwidth usage but also indirectly support illicit operations.

3. Increased Risk of Further Exploitation

Perfctl isn’t just about cryptomining—it opens the door to more severe exploitation. Through its backdoor mechanism, attackers can gain continuous access to compromised servers and potentially use them for other malicious purposes:

  • Data Exfiltration: Attackers may exfiltrate sensitive data stored on the compromised server, including login credentials, customer information, and proprietary data. This can lead to breaches, compliance violations, and loss of business reputation.
  • Ransomware Deployment: With the ability to run remote commands via the backdoor, cybercriminals could deploy ransomware, holding vital data hostage and demanding payments to restore access.
  • Selling Server Access: Compromised servers can also be sold on underground markets to other cybercriminals, where they could be used as part of botnets, DDoS attacks, or for additional cryptomining.

In one observed attack, Perfctl also engaged in killing competing malware on the compromised server. By terminating other unauthorized cryptominers, it ensures exclusive control over the system’s resources, further emphasizing its persistence and dominance.

4. Proxy-Jacking and Bandwidth Exploitation

Perfctl has been linked to proxy-jacking activities, where attackers monetize the victim’s internet bandwidth by leveraging services like Repocket and Bitping. These services pay users for sharing their unused internet bandwidth, but in this case, Perfctl uses the compromised server’s bandwidth without the owner’s consent. Over time, this can result in significant financial costs for the organization.

  • Proxy-Jacking Example: During the analysis of Perfctl’s network activity, communications with proxy-jacking services were observed. Attackers use these services to sell bandwidth from the infected server, diverting resources away from legitimate tasks.

Additionally, the TOR-based communication that Perfctl uses further complicates detection, as the traffic appears as encrypted TOR data, making it challenging for security monitoring tools to identify and block.


How to Detect Perfctl on Your System

Detecting Perfctl is challenging due to its stealthy nature and ability to masquerade as legitimate processes. However, a proactive approach involving close monitoring of server performance, network activity, and binary integrity can help identify its presence. Here are key indicators to watch for:

1. Unexplained CPU Spikes

One of the most apparent signs of Perfctl’s cryptomining activity is unexplained spikes in CPU usage, especially during idle periods when no legitimate processes should be consuming high resources. Perfctl uses the system’s CPU to mine cryptocurrency like Monero (XMR), which leads to significant resource consumption. Monitoring tools such as top or htop can help identify suspicious processes hogging CPU power.

  • What to Look For: A process that mimics system commands like httpd or sh but consumes unusually high CPU resources is a potential red flag. These processes may be Perfctl in disguise, operating under a known name to evade detection.

2. Unusual Network Traffic

Perfctl communicates with its command-and-control servers through the TOR network to receive instructions and send data. This encrypted traffic can be difficult to detect, but consistent outbound connections to TOR exit nodes or cryptomining pools are indicators of a compromised system.

  • What to Monitor: Network monitoring tools such as Wireshark or Zeek can help detect unusual outbound traffic patterns. Look for repeated connections to known TOR nodes or IP addresses associated with cryptomining pools, which could signal Perfctl’s presence.

3. Suspicious Files in System Directories

Perfctl is known for placing suspicious binaries in hidden directories on the system. Some of the directories frequently used by the malware include /tmp, /usr, and /root. These directories might contain files with names that resemble legitimate system files, but are part of Perfctl’s attack chain.

  • Files to Watch For: Keep an eye out for binaries such as libpprocps.so, perfctl, or libfsnkdev.so in these directories. These files are intentionally named to look like system libraries or processes, making them easy to overlook during routine inspections.

4. Modified System Utilities

Perfctl goes a step further by modifying core Linux utilities to avoid detection. System tools such as ldd (used to list shared libraries), lsof (used to list open files), and crontab (used to schedule tasks) may be altered or replaced with trojanized versions. This allows the malware to hide its presence during system checks.

  • How to Detect: To identify compromised utilities, compare the system binaries with their official versions using file integrity monitoring tools like AIDE (Advanced Intrusion Detection Environment) or manually check the file hashes with sha256sum. If discrepancies are found, it could indicate that Perfctl has replaced these utilities to hide itself.

5. Unusual Process Names and Directories

In addition to modifying existing utilities, Perfctl creates hidden directories and uses unusual process names that mimic legitimate ones. For example, directories like /tmp/.xdiag/ are used to store logs and configuration files related to the malware’s cryptomining activities.

  • What to Check: Periodically scan system directories for unexpected files or directories that you did not create, particularly those starting with a dot (.), which are hidden by default in Linux systems.
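The indicators in this section can be checked from a single script. The following is an added example written for this article, not code from the Aqua Nautilus report or from any tool named above; it assumes a Linux host with /proc mounted and uses only the process, file and directory names quoted in the text (the " (deleted)" suffix is what the kernel appends to /proc/<pid>/exe once a running binary has been unlinked, which is exactly the memory-only execution described earlier).

```python
#!/usr/bin/env python3
"""Triage a Linux host for the Perfctl indicators listed above.

Added example, not from the Aqua Nautilus report. Reports three things:
  1. processes named sh or httpd whose executable was unlinked after launch
     (memory-only execution) or lives in a temp directory;
  2. entries in /etc/ld.so.preload, the hook point a user-space rootkit such as
     libgcwrap.so needs to intercept functions like pam_authenticate;
  3. file or directory names quoted in the article under the watched paths.
All three are leads for an analyst, not proof of infection on their own.
"""
import os
import sys

MASQUERADE_NAMES = {"sh", "httpd"}   # names the article says Perfctl hides behind
TEMP_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
ARTEFACT_NAMES = {"libpprocps.so", "perfcc", "perfctl", "libfsnkdev.so", ".xdiag"}
WATCH_DIRS = ("/tmp", "/usr/lib", "/root", "/root/.config/cron")


def suspicious_processes(proc_root="/proc"):
    """Return (pid, comm, exe) for shell/web-server-named processes whose
    /proc/<pid>/exe target carries the kernel's ' (deleted)' suffix or points
    into a temp directory. Caveat: a package upgrade that replaces /bin/sh while
    a shell is running also leaves ' (deleted)', so confirm before acting."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(pid_dir, "comm")) as f:
                comm = f.read().strip()
            exe = os.readlink(os.path.join(pid_dir, "exe"))
        except OSError:
            continue  # kernel thread, process already gone, or unreadable without root
        if comm in MASQUERADE_NAMES and (exe.endswith(" (deleted)") or exe.startswith(TEMP_DIRS)):
            hits.append((int(entry), comm, exe))
    return sorted(hits)


def preload_entries(preload_file="/etc/ld.so.preload"):
    """Return the shared objects ld.so would force-load into every dynamically
    linked program. The file normally does not exist on a clean host; glibc
    separates entries with whitespace or ':' and treats '#' as a comment."""
    try:
        with open(preload_file) as f:
            text = f.read()
    except OSError:
        return []
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(tok for tok in line.replace(":", " ").split() if tok)
    return entries


def artefact_hits(watch_dirs=WATCH_DIRS):
    """Return paths whose basename matches a name the article ties to Perfctl."""
    found = []
    for d in watch_dirs:
        try:
            names = os.listdir(d)
        except OSError:
            continue  # directory absent or not readable
        found.extend(os.path.join(d, n) for n in sorted(names) if n in ARTEFACT_NAMES)
    return found


def triage(proc_root="/proc", preload_file="/etc/ld.so.preload", watch_dirs=WATCH_DIRS):
    """Run all three checks and return a dict of findings (empty lists mean clean)."""
    return {
        "process": suspicious_processes(proc_root),
        "preload": preload_entries(preload_file),
        "artefact": artefact_hits(watch_dirs),
    }


if __name__ == "__main__":
    report = triage()
    for kind, items in report.items():
        for item in items:
            print(f"[{kind}] {item}")
    sys.exit(1 if any(report.values()) else 0)
```

Run it as root so every /proc/<pid>/exe link is readable; a non-zero exit status means at least one lead was found.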

Protecting Your Systems from Perfctl

Fortunately, there are effective strategies to safeguard your systems from Perfctl and other similar malware threats. These defenses focus on proactive security measures, network monitoring, and access controls to prevent unauthorized system access and activity. Below are some key protective steps:

1. Regularly Patch and Update

Keeping your systems up-to-date with the latest security patches is one of the most important steps in defending against Perfctl. This malware takes advantage of known vulnerabilities, such as Polkit’s CVE-2021-4043, to escalate privileges and compromise the system. Ensuring that these vulnerabilities are patched promptly can prevent Perfctl from exploiting these weaknesses.

  • Best Practices: Implement automated patch management solutions to ensure timely updates across all servers. Focus especially on patching vulnerabilities in core components such as Polkit, OpenSSL, and SSH, which are frequent targets for attackers.

2. Restrict Execution in System Directories

Perfctl often uses temporary directories, such as /tmp and /dev/shm, to store and execute malicious binaries. You can limit this attack vector by applying the noexec option to these directories, which prevents executable files from running. This simple configuration can stop Perfctl from executing its payload even if it successfully drops the malware on the server.

  • How to Apply: Update the /etc/fstab file with the noexec option for these directories:
  tmpfs /tmp tmpfs defaults,noexec 0 0
  tmpfs /dev/shm tmpfs defaults,noexec 0 0

This prevents any scripts or binaries from being executed in these directories, adding an additional layer of protection.
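An fstab entry only takes effect at the next mount (or after an explicit remount), so it is worth verifying what the kernel actually applied. The following added example, not from the original article, parses the mount table in /proc/self/mounts and reports which hardening options are missing on /tmp and /dev/shm; it assumes both are separate mounts and also expects nosuid and nodev, two options added here alongside the article's noexec.

```python
#!/usr/bin/env python3
"""Check that temp filesystems carry noexec (added example, not from the article).

Parses the /proc/self/mounts format: six whitespace-separated fields per line,
with spaces inside paths escaped as octal (e.g. \040). Run as-is it reads the
live table; pass captured text to check_mounts() to audit a saved one.
"""
import re

# noexec is the option the fstab lines above apply; nosuid and nodev are the
# editor's additions, since the same tmpfs entry normally carries them as well.
EXPECTED = ("noexec", "nosuid", "nodev")
WATCHED = ("/tmp", "/dev/shm")


def _unescape(field):
    """Undo the kernel's octal escaping of space, tab, newline and backslash."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text):
    """Return {mountpoint: set(options)} from /proc/self/mounts-style text.
    A later line for the same mountpoint shadows an earlier one, matching
    what a process actually sees at that path."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line
        table[_unescape(parts[1])] = set(parts[3].split(","))
    return table


def check_mounts(text, watched=WATCHED, expected=EXPECTED):
    """Return {mountpoint: [missing options]} for every watched path that
    lacks one of the expected options. A watched path that is not a mount
    of its own is reported as missing all of them, because it then inherits
    the (exec-permitting) options of its parent filesystem."""
    table = parse_mounts(text)
    problems = {}
    for path in watched:
        opts = table.get(path)
        missing = [o for o in expected if opts is None or o not in opts]
        if missing:
            problems[path] = missing
    return problems


if __name__ == "__main__":
    with open("/proc/self/mounts") as f:
        problems = check_mounts(f.read())
    for path, missing in problems.items():
        print(f"{path}: missing {','.join(missing)}")
    raise SystemExit(1 if problems else 0)
```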

3. Monitor Network Traffic

Perfctl communicates with its command-and-control (C2) servers through encrypted TOR traffic, which makes monitoring outbound connections crucial. Use network monitoring tools to detect unusual outbound traffic, especially connections to TOR exit nodes or cryptomining pools.

  • Tools to Use: Firewalls and intrusion detection systems (IDS) such as Snort or Suricata can be configured to block or alert on TOR traffic. Additionally, monitoring software like Wireshark or Zeek can help detect abnormal network patterns or communications with cryptomining pools, which might indicate Perfctl activity.
  • Firewall Configuration: Set up firewalls to block all outbound TOR traffic by blacklisting known TOR exit nodes and cryptomining domains. Network segmentation can also be used to isolate critical systems from high-risk areas.

4. Deploy Advanced Security Solutions

Relying on traditional signature-based detection methods is not enough to protect against sophisticated malware like Perfctl, which uses rootkits and fileless execution. Instead, deploy behavioral detection tools that can identify anomalies in system behavior, such as unusual resource usage, process masquerading, or rootkit deployment.

  • Behavioral Detection: Use runtime protection solutions like Falco or Sysdig that detect system-level anomalies in real time. These tools monitor system calls and kernel-level events, allowing them to detect malicious activities such as unauthorized privilege escalation or attempts to manipulate system utilities like ldd and lsof.
  • Rootkit Detection: Deploy specialized tools like rkhunter or chkrootkit to scan for signs of rootkit infections. These tools can detect hidden processes, altered system binaries, and suspicious kernel modules that Perfctl might use.

5. Implement Strict Access Controls

Limiting root access and employing Role-Based Access Control (RBAC) is essential to prevent unauthorized users or processes from gaining access to sensitive files and system configurations. By restricting access, you reduce the risk of malware like Perfctl escalating privileges and compromising critical system components.

  • RBAC and Least Privilege: Enforce the principle of least privilege (POLP) by ensuring that users and processes only have the minimum permissions necessary to perform their tasks. Implementing RBAC at the system and application levels ensures that privileged operations are strictly controlled.
  • Multi-Factor Authentication (MFA): Add an extra layer of security by requiring multi-factor authentication for all privileged users. This helps mitigate the risk of compromised credentials being used to escalate privileges on the system.
  • Audit and Monitoring: Regularly audit user accounts, SSH keys, and privileged access to ensure that there are no unauthorized accounts or processes with elevated privileges. Use auditd or OSSEC to log and monitor critical access events.

FAQs

Q: What is Perfctl malware?

Perfctl is a highly stealthy malware specifically designed to target Linux servers for cryptomining. It silently infiltrates systems, utilizing rootkits, process masquerading, and TOR-based communication to remain undetected. Once inside, Perfctl hijacks server resources, using them to mine Monero (XMR) cryptocurrency. Its ability to evade detection and persist for extended periods makes it a significant threat to both cloud and on-premise Linux environments.

Q: How does Perfctl evade detection?

Perfctl employs several advanced techniques to avoid detection. It uses rootkits to hide its processes and modifies critical Linux utilities, making it invisible to traditional security tools. Additionally, it engages in process masquerading, where it renames itself to resemble common Linux processes like httpd or sh. Perfctl also pauses its cryptomining activities whenever a user logs in, lying dormant until the system becomes idle again, further reducing the chance of detection during normal operations.

Q: What vulnerabilities does Perfctl exploit?

Perfctl exploits multiple known vulnerabilities, including the Polkit vulnerability (CVE-2021-4043), which allows it to gain unauthorized root privileges. Additionally, it takes advantage of server misconfigurations, such as unsecured temporary directories or weak access controls, to establish a foothold and escalate its privileges on the target system.

Q: How can I detect Perfctl on my server?

Detecting Perfctl requires close monitoring of system performance and network traffic. Key signs include unexplained spikes in CPU usage, especially during idle periods, and unusual outbound traffic to TOR exit nodes or cryptomining pools. Additionally, inspecting system directories such as /tmp, /usr, or /root for suspicious binaries like libpprocps.so or perfctl can help identify infection. Using tools like top, htop, or Wireshark can assist in monitoring for these anomalies.

Q: What steps can I take to protect my Linux server from Perfctl?

To protect your Linux servers from Perfctl, follow these essential steps:

  • Regularly apply patches and updates, particularly for known vulnerabilities like CVE-2021-4043.
  • Restrict execution in critical directories such as /tmp and /dev/shm using the noexec option.
  • Monitor network traffic for abnormal outbound connections, especially TOR traffic or links to cryptomining pools.
  • Deploy advanced security tools that detect behavioral anomalies, rootkits, and cryptomining activities.
  • Implement strict access controls such as Role-Based Access Control (RBAC) and the principle of least privilege, limiting the ability of unauthorized users or processes to escalate privileges or execute malware.

By following these protective measures, you can significantly reduce the likelihood of Perfctl infecting your systems.


Conclusion: Staying Ahead of the Cryptojacking Curve

Perfctl’s ability to remain undetected for years is a testament to the growing sophistication of malware threats. As cryptojacking becomes more prevalent, the need for proactive security measures has never been more critical.

By staying informed, regularly updating systems, and employing advanced behavioral detection tools, you can protect your servers from being hijacked by malware like Perfctl. Don’t let your infrastructure fall victim to hidden cryptomining operations—take action now to safeguard your digital assets.

