Security experts claim new 'Perfctl' malware could pose a risk to any Linux server
Cryptominer malware bogs down the system and uses rootkits, opens backdoors, and copies itself from memory to various disk locations
On October 3, Aqua Nautilus researchers published a blog post revealing what they know about a Linux malware dubbed "Perfctl" that has been targeting Linux servers for the past three to four years, using "more than 20,000 types of misconfigurations" as initial attack vectors. Once it gains a foothold, the malware uses a rootkit to conceal itself and begins stealing CPU resources for crypto mining. It hides its mining traffic, along with any backdoor commands and surveillance instructions, inside Tor-encrypted traffic.
Perfctl is a severe and persistent threat, considering how long it has remained in the wild. A sneaky crypto miner would be bad enough, but Perfctl can also open backdoor access to the entire system through certain vectors, which could prove an even greater security issue. It is also difficult to properly detect the hijacked processes when diagnosing impacted servers: it can hide its crypto mining activity from you entirely, throwing back CPU utilization numbers that omit its activity.
Fortunately, there are mitigations that server operators can take to help alleviate the threat presented by Perfctl.
Aqua Nautilus-Recommended Perfctl Malware Mitigations
- Patch all known vulnerabilities, in particular those in applications like RocketMQ servers and the Polkit vulnerability, and keep libraries up to date.
- Restrict file execution by setting "noexec" on /tmp, /dev/shm, and the "other writable directories" that this malware executes from.
- Disable optional and unused services, in particular "those that may expose the system to external attackers, such as HTTP services".
- Implement strict privilege management by restricting root access to critical files and directories, and employ Role-Based Access Control (RBAC) to limit what users and processes can access or modify.
- Segment the network by isolating critical servers from the Internet or by using firewalls to block outbound communications, "especially Tor traffic or connections to crypto mining pools".
- Finally, deploy runtime protection using "advanced anti-malware and behavioral detection tools that can detect rootkits, crypto miners, and fileless malware like Perfctl".
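As an added example that is not part of the article or of Aqua Nautilus's guidance, the following POSIX shell script audits the second mitigation: it reads /proc/mounts-style lines and reports each listed writable directory that is not mounted with noexec, printing the remount command an operator would use. The directory list, the embedded sample mount table and the script itself are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the article or Aqua Nautilus): audit whether the
# writable directories named in the mitigation list are mounted noexec.
# Mount lines are read from stdin so the check can run on a constructed
# sample; on a real host use: check_noexec < /proc/mounts

# Constructed sample resembling /proc/mounts; only /tmp carries noexec here.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0'

# Directories the mitigation list says should be noexec (assumed list; edit to taste).
CHECK_DIRS="/tmp /dev/shm /var/tmp"

# check_noexec : read mount lines on stdin and print one line for every
# directory in CHECK_DIRS that is NOT protected by noexec.
# Returns 0 when every listed directory is noexec, 1 otherwise.
check_noexec() {
    mounts=$(cat)          # slurp stdin once so it can be scanned per directory
    status=0
    for d in $CHECK_DIRS; do
        # Field 2 of a /proc/mounts line is the mount point, field 4 the options.
        opts=$(printf '%s\n' "$mounts" | awk -v mp="$d" '$2 == mp { print $4 }')
        case "$opts" in
            "")
                # No dedicated mount: the directory inherits exec from its parent
                # filesystem, so it cannot be hardened with a remount alone.
                echo "$d: not a separate mount (inherits exec from parent filesystem)"
                status=1 ;;
            *noexec*)
                : ;;   # already hardened
            *)
                echo "$d: mounted without noexec (remediate: mount -o remount,noexec $d)"
                status=1 ;;
        esac
    done
    return $status
}

# Stand-alone run: audit the live mount table with --live, otherwise the sample.
if [ "${1:-}" = "--live" ] && [ -r /proc/mounts ]; then
    if check_noexec < /proc/mounts; then echo "all listed directories are noexec"; fi
else
    if printf '%s\n' "$SAMPLE_MOUNTS" | check_noexec; then
        echo "all listed directories are noexec"
    else
        echo "one or more directories need attention"
    fi
fi
```

Run it with the --live flag on a server to check the real mount table; without the flag it audits the embedded sample. A directory that is not its own mount point cannot carry a noexec flag of its own, which is why the script reports that case separately instead of treating it as passing.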
Now that the attack and its mitigations are so well documented, server operators can hopefully avoid it, or clean it up where it is already present. For more detail on how the attacks work and what Aqua Nautilus learned by honeypotting and sandboxing them, consider reading the full, several-page blog post documenting the issue over at AquaSec.
Otherwise, if you aren't a Linux server operator, hope that your information isn't on any of the Linux servers already compromised by this issue, and make sure you're following proper cybersecurity practices in your day-to-day life.
Christopher Harper has been a successful freelance tech writer specializing in PC hardware and gaming since 2015, and ghostwrote for various B2B clients in High School before that. Outside of work, Christopher is best known to friends and rivals as an active competitive player in various eSports (particularly fighting games and arena shooters) and a purveyor of music ranging from Jimi Hendrix to Killer Mike to the Sonic Adventure 2 soundtrack.
bit_user
The article said:
It's also difficult to properly detect the hijacked processes when diagnosing impacted servers. It can hide its crypto mining activity from you entirely, throwing back CPU utilization numbers that omit its activity.

Two things it can't hide are its power utilization/thermals and its network traffic. By its very nature, crypto is going to place a load on the CPUs/GPUs and that will generate heat. If a server is running hot or spinning up its fans under no apparent load, then I'd be mighty suspicious.
wakuwaku
bit_user said:
Two things it can't hide are its power utilization/thermals and its network traffic. By its very nature, crypto is going to place a load on the CPUs/GPUs and that will generate heat. If a server is running hot or spinning up its fans under no apparent load, then I'd be mighty suspicious.

The problem is Tom's AI has failed us once again. If you read the source blog post, you would see this statement on how to figure out if you might be infected by perfctl:

Detection of “Perfctl” Malware
To detect Perfctl malware you look for unusual spikes in CPU usage, or system slowdown if the rootkit has been deployed on your server. These may indicate cryptomining activities, especially during idle times.
If the malware is throwing out false CPU utilization, why would the authors of the source tell people to look for spikes in CPU usage? There is NO mention of false CPU utilization numbers anywhere on the source article.
In fact, reading an article written by a competent human instead of an AI summarized copy and paste on Ars Technica reveals an example of a user experience, which was also quoted by the source blog post:
“I only became aware of the malware because my monitoring setup alerted me to 100% CPU utilization,” the admin wrote in the April 2023 post. “However, the process would stop immediately when I logged in via SSH or console. As soon as I logged out, the malware would resume running within a few seconds or minutes.”
The malware is making itself hard to find, not giving out false CPU usage at all. Just monitor for CPU usage as usual. Why listen to Tom's AI?
bit_user
wakuwaku said:
The problem is Tom's AI has failed us once again. If you read the source blog post, you would see this statement on how to figure out if you might be infected by perfctl:
...
The malware is making itself hard to find, not giving out false CPU usage at all. Just monitor for CPU usage as usual. Why listen to Tom's AI?

FWIW, I correct articles on here all the time and I have since as far back as I can remember, many years before generative AI tools existed. I don't understand why you feel compelled to go the extra step of casting aspersions by implying the article was AI-written. I know this author fervently decries AI-generated content, although that's not proof he's not using it in some capacity. I just think it's unnecessary to extend your criticism that far.

Leaving aside the issue of AI, thank you for the informative and well-sourced correction.
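As an added example that comes from neither the article, the commenters nor Aqua Nautilus: the guidance quoted in the thread is to watch for unusual CPU use during idle periods, and the quoted admin only noticed the infection because a monitor alerted on 100% utilization. The POSIX shell script below shows how such an unattended monitor derives a busy percentage from two snapshots of the aggregate "cpu" line in /proc/stat and raises an alert above a threshold. The embedded snapshots are constructed, and the 80% threshold and function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the article, the thread or Aqua Nautilus): compute
# CPU busy percentage from two snapshots of the aggregate "cpu" line in
# /proc/stat, as a cron-driven monitor would, and flag sustained load above
# a threshold. Field order after "cpu": user nice system idle iowait irq
# softirq steal guest guest_nice (all in jiffies).

# Constructed snapshots one sampling interval apart (values are made up).
SNAP_BEFORE='cpu 1000 50 300 8000 100 10 20 0 0 0'
SNAP_AFTER='cpu 1900 50 400 8100 120 10 30 0 0 0'

# cpu_busy_pct BEFORE AFTER : print the integer percentage of non-idle time
# between the two "cpu" lines. Idle time is idle + iowait; the rest is busy.
cpu_busy_pct() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        {
            total = 0
            for (i = 2; i <= NF; i++) total += $i
            idle = $5 + $6
            if (NR == 1) { t0 = total; i0 = idle }
            else         { t1 = total; i1 = idle }
        }
        END {
            dt = t1 - t0
            if (dt <= 0) { print 0; exit }          # identical or reversed snapshots
            printf "%d\n", (dt - (i1 - i0)) * 100 / dt
        }'
}

# busy_alert PCT THRESHOLD : return 0 quietly when PCT is below THRESHOLD,
# otherwise print an alert line and return 1. Meant for a window in which
# the host is expected to be idle.
busy_alert() {
    if [ "$1" -ge "$2" ]; then
        echo "ALERT: CPU ${1}% busy, threshold ${2}% (investigate unexplained load)"
        return 1
    fi
    return 0
}

# live_sample SECONDS : take two real /proc/stat snapshots and print busy%.
live_sample() {
    a=$(grep '^cpu ' /proc/stat)
    sleep "$1"
    b=$(grep '^cpu ' /proc/stat)
    cpu_busy_pct "$a" "$b"
}

# Stand-alone run on the constructed snapshots (use "live_sample 5" on a host).
pct=$(cpu_busy_pct "$SNAP_BEFORE" "$SNAP_AFTER")
echo "sample interval busy: ${pct}%"
if busy_alert "$pct" 80; then echo "no alert"; fi
```

Because the sampler runs from cron rather than an interactive session, it keeps observing during the periods when, according to the account quoted above, the miner was actually running; pairing the alert with the thermal and outbound-traffic signals bit_user mentions gives a second, independent indicator.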