perfctl: A Stealthy Malware Targeting Millions of Linux Servers
Essential information
- Published
- 04/10/2024 10:08
- Modified
- 04/10/2024 12:32
- Tags
- 2024-10-04 CVE-2021-4043 CVE-2023-33246 cryptomining evasion linux perfctl persistence privilege-escalation proxy-jacking rootkit tor
- Related entities
- 3 vulnerabilities (cve), 9 observables, 20 techniques (mitre), 1 malware
Description
A sophisticated Linux malware named 'perfctl' has been actively targeting millions of servers worldwide for the past 3-4 years. It exploits over 20,000 types of misconfigurations to compromise Linux systems. The malware employs advanced evasion techniques, including rootkits, process masquerading, and TOR communication. It primarily focuses on cryptomining and proxy-jacking activities. The malware's persistence mechanisms involve modifying system files and dropping user land rootkits. It targets specific architectures and uses various methods to remain undetected, including hooking critical system functions. The campaign has potentially affected thousands of victims and demonstrates a high level of sophistication in its design and execution.