
Years of Cryptomining Traced to Linux Malware ‘Perfctl’


Perfctl is a newly discovered malware that has been targeting Linux servers and workstations for at least three years. According to Aqua Nautilus researchers, it has evaded detection throughout that period, attempting to compromise millions of Linux servers and likely infecting thousands of them. Reports of this malware have been steadily appearing on online forums, with victims sharing indicators of compromise that are exclusively associated with perfctl’s activity. Its primary function is cryptomining: it uses compromised systems to mine Monero, a privacy-focused cryptocurrency. This suggests that perfctl’s objective is financial gain, but the infrastructure it creates could easily be adapted for more harmful operations.

Perfctl exploits a range of security vulnerabilities and misconfigurations in Linux environments. The entry points are often exposed credentials, improperly configured systems, or login interfaces left open to the public. It also takes advantage of known vulnerabilities, such as CVE-2023-33246, a flaw that allows remote command execution in Apache RocketMQ versions 5.1.0 and older, and CVE-2021-4034, a vulnerability in Polkit that enables attackers to elevate privileges on compromised systems. Once the malware gains access to a server, it downloads an obfuscated payload named "httpd" from an external server. The payload is then copied to the system's /tmp directory under the name "sh", and the original binary is deleted.

Perfctl’s behavior is designed to blend seamlessly into the system’s normal operations. By renaming its processes to common system names like "sh," it makes it difficult for administrators to distinguish between legitimate and malicious activity. The malware also creates multiple copies of itself in directories like /root/.config, /usr/bin/, and /usr/lib. These copies ensure persistence, even in cases where the system undergoes routine cleanup or maintenance. Perfctl’s ability to stay hidden and evade detection makes it a particularly challenging threat for system administrators.

Once installed, perfctl opens a Unix socket for internal communications and establishes an encrypted channel with the threat actor’s server over the Tor network. Tor’s anonymity and encryption make it nearly impossible to decipher the exchange of information between the compromised server and the attacker’s infrastructure. The malware also deploys a rootkit named libgcwrap.so, which hooks various system functions to modify authentication mechanisms and intercept network traffic. This allows the malware to evade security tools and remain undetected for extended periods.

In addition to the rootkit, perfctl deploys trojanized versions of essential system utilities, including ldd, top, crontab, and lsof. By replacing these utilities with malicious versions, perfctl prevents system administrators from directly detecting the malware's presence through conventional monitoring tools. This makes it particularly difficult for administrators to identify and remove the malware using standard diagnostic methods. Perfctl’s use of both kernel-level and userland rootkits provides a high level of stealth, allowing it to operate without detection on infected systems.

After securing its foothold on the system, perfctl deploys an XMRig miner, which mines Monero using the server’s CPU resources. The use of Monero is a deliberate choice by the attackers, as the cryptocurrency is known for its privacy features, making it difficult to trace transactions back to their origin. The cryptominer communicates with Monero mining pools over Tor, further obscuring the network traffic and ensuring that the attackers’ profits cannot be traced.

In addition to cryptomining, Aqua Nautilus has observed instances where the malware is used for proxy-jacking. In these cases, the attackers install software that allows them to sell the compromised system’s unused network bandwidth. Services like Bitping, Repocket, and Speedshare have been used to monetize infected servers by selling bandwidth to third parties. This provides the attackers with an additional revenue stream, allowing them to profit from infected systems even when cryptomining is not active.

Despite its advanced evasion techniques, perfctl’s activities often lead to noticeable performance degradation on infected systems. Many users have reported spikes in CPU usage, with the system running at 100% utilization due to the cryptomining processes. However, perfctl’s design is such that the mining activities stop immediately when a user logs into the system. This behavior makes it difficult for administrators to catch the malware in action, as the malicious processes halt as soon as user activity is detected. Once the user logs out, the mining resumes within seconds, allowing the attackers to continue using the server’s resources without interruption.

Several users have shared their experiences on online forums, describing how their systems appeared to be functioning normally until they noticed unusually high CPU usage. In one instance, a Reddit user reported that the malware would stop running whenever they logged into the system, only to resume shortly after they logged out. This kind of behavior suggests that perfctl is programmed to evade detection by halting its activities whenever the system is being actively monitored. This level of sophistication makes it difficult for administrators to identify the malware using traditional monitoring tools.

Detecting and stopping perfctl requires a multi-faceted approach, involving system monitoring, network traffic analysis, file integrity checks, and proactive security measures. Aqua Nautilus has provided several recommendations for identifying perfctl infections. Administrators should regularly inspect directories like /tmp, /usr, and /root for suspicious binaries that may be masquerading as legitimate system files. Monitoring CPU usage is also crucial, as unexplained spikes may indicate that the system is being used for cryptomining. Administrators should also scrutinize key system files like ~/.profile, ~/.bashrc, and /etc/ld.so.preload for unauthorized modifications that could indicate the presence of malware.
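As an added defender-side example (not code from the article or from Aqua Nautilus), the following POSIX shell script audits the locations named above: /etc/ld.so.preload, the root user's shell startup files, and the drop directories, looking for the artifact names the article gives (the "httpd" payload copied as "sh", and libgcwrap.so). The ROOT prefix and the make_fixture helper are assumptions so the checks can be exercised against a constructed tree rather than a live host.

```shell
# Added example (not Aqua Nautilus' tooling): audit a filesystem tree for the
# perfctl indicators this article names. ROOT is an assumed path prefix so the
# checks can run against a scratch fixture; on a live host pass "/" as root.
# /etc/ld.so.preload normally does not exist; perfctl's libgcwrap.so rootkit is
# loaded through it, so every non-blank entry is reported.
check_preload() {                  # $1 = ROOT
    f="$1/etc/ld.so.preload"
    [ -s "$f" ] && awk 'NF { print "/etc/ld.so.preload:" NR ":" $0 }' "$f"
    return 0
}

# Report startup-file lines that reference perfctl's drop locations or rootkit.
check_file() {                     # $1 = ROOT, $2 = file path relative to ROOT
    f="$1$2"
    [ -r "$f" ] || return 0
    grep -nE '(/tmp/|/dev/shm/|/root/\.config/|libgcwrap\.so)' "$f" | sed "s|^|$2:|"
}

# Regular files named like perfctl's dropped payload ("httpd", copied as "sh")
# or its rootkit, inside the directories the article lists.
check_dirs() {                     # $1 = ROOT
    for d in /tmp /dev/shm /root/.config /usr/lib /usr/bin; do
        find "$1$d" -maxdepth 3 -type f \
            \( -name sh -o -name httpd -o -name libgcwrap.so \) 2>/dev/null \
            | sed "s|^$1||"
    done
    return 0
}

# Print one finding per line; return 1 when anything was found, 0 when clean.
perfctl_scan() {
    root=${1%/}                    # "/" becomes "", so findings print unprefixed
    findings=$( {
        check_preload "$root"
        for f in /root/.profile /root/.bashrc; do check_file "$root" "$f"; done
        check_dirs "$root"
    } )
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed fixture reproducing the article's artifacts for an offline dry run.
make_fixture() {                   # $1 = scratch directory
    mkdir -p "$1/etc" "$1/tmp" "$1/root/.config" "$1/usr/lib"
    printf '/usr/lib/libgcwrap.so\n' > "$1/etc/ld.so.preload"
    printf 'export PATH\n/tmp/sh >/dev/null 2>&1 &\n' > "$1/root/.profile"
    : > "$1/tmp/sh"; : > "$1/usr/lib/libgcwrap.so"
}
if [ $# -gt 0 ]; then perfctl_scan "$1"; fi    # usage: sh scan.sh /
```

A non-zero exit status makes the scan easy to wire into cron or a monitoring agent; confirm the trojanised utilities separately with the package manager's verification (e.g. `dpkg -V` or `rpm -V`), since a replaced `lsof` or `top` will not report itself.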

Network traffic analysis is another important aspect of detecting perfctl. Administrators should capture and analyze network traffic for connections to Tor nodes or external IPs associated with cryptomining pools. Blocking known IP addresses used by perfctl can disrupt the malware’s communication with its command-and-control servers, reducing its effectiveness.

To prevent future infections, administrators should ensure that all known vulnerabilities, such as CVE-2023-33246 and CVE-2021-4034, are patched. Regularly updating internet-facing applications and disabling unused services can significantly reduce the attack surface for malware like perfctl. Role-based access controls (RBAC) should be implemented to limit access to sensitive areas of the system, and administrators should consider applying the noexec option to directories like /tmp and /dev/shm to prevent unauthorized execution of binaries.

In some cases, perfctl may be difficult to remove due to its use of rootkits and the modifications it makes to legitimate system files. Traditional malware removal techniques may not be effective, and the best course of action may be to wipe and reinstall the infected system to ensure that all traces of the malware are removed.

Perfctl represents a significant threat to Linux systems, particularly those that are exposed to the internet. Its use of rootkits, obfuscation, and encrypted communication channels makes it a highly sophisticated and difficult-to-detect malware. System administrators should remain vigilant and take proactive steps to secure their environments against this and other similar threats. Regular monitoring, patching, and proactive security measures are essential to preventing infections and mitigating the damage caused by malware like perfctl.
