Phone : +91 95 8290 7788 | Email : sales@itmonteur.net

Register & Request Quote | Submit Support Ticket

Home » Cyber Security News » Vulnerabilities & Exploits » New Perfctl Malware Targets Linux Servers for Cryptocurrency Mining and Proxyjacking

New Perfctl Malware Targets Linux Servers for Cryptocurrency Mining and Proxyjacking

New Perfctl Malware Targets Linux Servers for Cryptocurrency Mining and Proxyjacking

https://firewall.firm.in/wp-content/uploads/2024/10/linux.png

Oct 03, 2024Ravie LakshmananLinux / Malware

Cryptocurrency Mining and Proxyjacking

Linux servers are the target of an ongoing campaign that delivers a stealthy malware dubbed perfctl with the primary aim of running a cryptocurrency miner and proxyjacking software.

“Perfctl is particularly elusive and persistent, employing several sophisticated techniques,” Aqua security researchers Assaf Morag and Idan Revivo said in a report shared with The Hacker News.

“When a new user logs into the server, it immediately stops all ‘noisy’ activities, lying dormant until the server is idle again. After execution, it deletes its binary and continues to run quietly in the background as a service.”

It’s worth noting that some aspects of the campaign were disclosed last month by Cado Security, which detailed a campaign that targets internet-exposed Selenium Grid instances with both cryptocurrency mining and proxyjacking software.

Specifically, the perfctl malware has been found to exploit a security flaw in Polkit (CVE-2021-4043, aka PwnKit) to escalate privileges to root and drop a miner called perfcc.

Cybersecurity

The reason behind the name “perfctl” appears to be a deliberate effort to evade detection and blend in legitimate system processes, as “perf” refers to a Linux performance monitoring tool and “ctl” signifies control in various command-line tools, such as systemctl, timedatectl, and rabbitmqctl.

The attack chain, as observed by the cloud security firm against its honeypot servers, involves breaching Linux servers by exploiting a vulnerable Apache RocketMQ instance to deliver a payload named “httpd.”

Cryptocurrency Mining and Proxyjacking

Once executed, it copies itself to a new location in the “/tmp” directory, runs the new binary, terminates the original process, and deletes the initial binary in an attempt to cover its tracks.

Besides copying itself to other locations and giving itself seemingly innocuous names, the malware is engineered to drop a rootkit for defense evasion and the miner payload. Some instances also entail the retrieval and execution of proxyjacking software from a remote server.

To mitigate the risk posed by perfctl, it’s recommended to keep systems and all software up-to-date, restrict file execution, disable unused services, enforce network segmentation, and implement Role-Based Access Control (RBAC) to limit access to critical files.

“To detect perfctl malware, you look for unusual spikes in CPU usage, or system slowdown if the rootkit has been deployed on your server,” the researchers said. “These may indicate crypto mining activities, especially during idle times.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.


Information Security - InfoSec - Cyber Security - Firewall Providers Company in India

 

 

 

 

 

 

 

 

 

 

 

 

What is Firewall? A Firewall is a network security device that monitors and filters incoming and outgoing network traffic based on an organization's previously established security policies. At its most basic, a firewall is essentially the barrier that sits between a private internal network and the public Internet.

 

Secure your network at the gateway against threats such as intrusions, Viruses, Spyware, Worms, Trojans, Adware, Keyloggers, Malicious Mobile Code (MMC), and other dangerous applications for total protection in a convenient, affordable subscription-based service. Modern threats like web-based malware attacks, targeted attacks, application-layer attacks, and more have had a significantly negative effect on the threat landscape. In fact, more than 80% of all new malware and intrusion attempts are exploiting weaknesses in applications, as opposed to weaknesses in networking components and services. Stateful firewalls with simple packet filtering capabilities were efficient blocking unwanted applications as most applications met the port-protocol expectations. Administrators could promptly prevent an unsafe application from being accessed by users by blocking the associated ports and protocols.

 

Firewall Firm is an IT Monteur Firewall Company provides Managed Firewall Support, Firewall providers , Firewall Security Service Provider, Network Security Services, Firewall Solutions India , New Delhi - India's capital territory , Mumbai - Bombay , Kolkata - Calcutta , Chennai - Madras , Bangaluru - Bangalore , Bhubaneswar, Ahmedabad, Hyderabad, Pune, Surat, Jaipur, Firewall Service Providers in India

Sales Number : +91 95 8290 7788 | Support Number : +91 94 8585 7788
Sales Email : sales@itmonteur.net | Support Email : support@itmonteur.net

Register & Request Quote | Submit Support Ticket