To mitigate the risk posed by perfctl, it's recommended to keep systems and all software up-to-date, restrict file execution, disable unused services, enforce network segmentation, and implement Role-Based Access Control (RBAC) to limit access to critical files. Linux servers are the target of an ongoing campaign that delivers a stealthy malware dubbed perfctl with the primary aim of running a cryptocurrency miner and proxyjacking software. The reason behind the name "perfctl" appears to be a deliberate effort to evade detection and blend in legitimate system processes, as "perf" refers to a Linux performance monitoring tool and "ctl" signifies control in various command-line tools, such as systemctl, timedatectl, and rabbitmqctl. Specifically, the perfctl malware has been found to exploit a security flaw in Polkit (CVE-2021-4043, aka PwnKit) to escalate privileges to root and drop a miner called perfcc. It's worth noting that some aspects of the campaign were disclosed last month by Cado Security, which detailed a campaign that targets internet-exposed Selenium Grid instances with both cryptocurrency mining and proxyjacking software. "Perfctl is particularly elusive and persistent, employing several sophisticated techniques," Aqua security researchers Assaf Morag and Idan Revivo said in a report shared with The Hacker News. "To detect perfctl malware, you look for unusual spikes in CPU usage, or system slowdown if the rootkit has been deployed on your server," the researchers said. Huntress Managed SIEM is everything you need, nothing you don't — smart filtering for security data, constant monitoring, and compliance assistance—all at a clear, predictable price. Besides copying itself to other locations and giving itself seemingly innocuous names, the malware is engineered to drop a rootkit for defense evasion and the miner payload.
This Cyber News was published on thehackernews.com. Publication date: Thu, 03 Oct 2024 15:13:05 +0000