New Perfctl Malware Targets Linux Servers for Cryptocurrency Mining and Proxyjacking

A newly discovered malware, Perfctl, is actively exploiting vulnerable Linux servers to install cryptocurrency miners and proxyjacking software. This stealthy malware hides itself by mimicking legitimate processes, evading detection, and persisting even after system reboots.

  • Perfctl is stealthy and persistent, halting activity when users log in and running only during idle times to avoid detection.
  • The malware leverages a security flaw in Polkit (CVE-2021-4043) to escalate privileges and deploy a cryptocurrency miner known as perfcc.
  • Perfctl disguises itself by adopting the names of legitimate Linux system processes, making detection challenging.
  • Attackers exploit misconfigured Linux servers, using the vulnerable Apache RocketMQ instance to deliver the malware payload.
  • The malware also installs a rootkit for defense evasion and, in some cases, retrieves proxyjacking software to divert network traffic for illicit gain.
  • Systems infected with Perfctl may exhibit unusual spikes in CPU usage or slowdowns during idle periods, typical signs of hidden cryptocurrency mining.

The discovery of Perfctl emphasizes the growing threat to misconfigured and vulnerable Linux servers. Ensuring systems are up-to-date, implementing Role-Based Access Control (RBAC), and restricting unnecessary services are crucial steps to prevent such attacks.

Net Protector Cyber Security offers advanced endpoint protection, real-time malware detection, and server security solutions to safeguard critical infrastructures from sophisticated threats like Perfctl.