Perfctl Malware Adapts and Evades Detection Targeting Linux Servers
Researchers Assaf Morag and Idan Revivo from Aqua Security have disclosed their findings on “perfctl,” a Linux malware strain that has been active for the past 3-4 years and exploits misconfigurations to infect Linux servers, including for cryptomining. The malware targets over 20,000 types of misconfigurations and leverages the Polkit vulnerability (CVE-2021-4034) for privilege escalation within infected systems. One notable technique is user-agent based filtering of malware downloads. "If you try downloading the .php file without a specific user agent, you will receive a file with the integer 1. This response indicates that this file is completely innocent. But if you use the correct user agent, it will drop the malware (size of ~9mb)," report the researchers. The threat posed by perfctl, with its ability to adapt and exploit a vast number of misconfigurations, is substantial.
In the observed attack sequence, the attack begins by exploiting a known vulnerability or misconfiguration, such as CVE-2023-33246 in RocketMQ. This triggers a series of malicious activities aimed at evasion, persistence, privilege escalation, and system impact. The initial payload, disguised as "avatar.php" but later renamed to "httpd," employs a shell script named "rconf," downloaded via curl. This script performs several critical actions, such as setting up the host for compromise and modifying the /tmp directory to ensure usability. As the attack unfolds, the malware masks its execution by copying itself from memory to the '/tmp' directory, disguising itself under common process names to blend in with legitimate activity. "Based on what we’ve seen, the malware chose the name of the process that originally executed it. Thus, it looks less suspicious if the system is examined," explain the researchers.
The malware demonstrates a high degree of stealth by ceasing all 'noisy' activities whenever a new user logs onto the system, remaining dormant until the server becomes idle again. Further, the malware configures environment variables, downloads additional payloads, and terminates competing processes to prevent simultaneous installations. It alters cron jobs and system profiles, fingerprints the host using the "uname" command, elevates its privileges with the Polkit vulnerability, and hooks into essential system functions to silently intercept and manipulate system operations. For its internal and external communications, perfctl uses Unix sockets and TOR, respectively, further obscuring its activities.
Tampering with system files, including changes to '/etc/ld.so.preload' and to user profile scripts executed upon login, ensures the malware's persistence even after reboot. The implications of the perfctl malware are far-reaching, affecting thousands of Linux servers with potentially devastating consequences. Aqua Security's detailed analysis, shared by Morag and Revivo, offers insights for detection and system security recommendations. They emphasize the importance of monitoring essential system files like '~/.profile' and '/etc/ld.so.preload' for unauthorized changes. Further mitigation strategies include regular software updates and vigilant network traffic analysis to identify suspicious services. Proactive measures, such as restricting file execution in sensitive directories like /tmp and /dev/shm by mounting them with noexec, and disabling unused services, particularly those that expose systems to external threats, are crucial in combating the exploitation of vulnerabilities like those seen with the recent CUPS vulnerability.
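The following host audit script is an added example, not code from Aqua Security's report or from the researchers. It checks the three defender-side points the article raises: whether /tmp and /dev/shm are mounted with noexec, whether /etc/ld.so.preload carries any shared object (most distributions ship no such file, so an empty allowlist is assumed), and whether any running process has its executable under /tmp or /dev/shm, which is where the article says the malware copies itself under a borrowed process name. The sample mount table, preload file and process map are constructed for the example; the allowlist and the `--live` flag are assumptions of this script, not something the report describes.

```python
"""Audit a Linux host for the persistence and evasion paths described above.

Functions take text or dicts so they can run on live data (via --live) or on
the constructed samples below. Assumption: an empty ld.so.preload allowlist.
"""
import os
import sys

SENSITIVE_MOUNTS = ("/tmp", "/dev/shm")


def parse_mounts(proc_mounts_text):
    """Map mount point -> set of mount options, parsed from /proc/mounts text."""
    mounts = {}
    for line in proc_mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines
        mounts[fields[1]] = set(fields[3].split(","))
    return mounts


def mounts_missing_noexec(mounts, paths=SENSITIVE_MOUNTS):
    """Sensitive paths that are not a separate mount or lack the noexec option."""
    return [p for p in paths if "noexec" not in mounts.get(p, set())]


def preload_entries(ld_so_preload_text, allowlist=frozenset()):
    """Shared objects listed in /etc/ld.so.preload that are not on the allowlist.

    The file is a whitespace-separated list; '#' starts a comment.
    """
    found = []
    for line in ld_so_preload_text.splitlines():
        for token in line.split("#", 1)[0].split():
            if token not in allowlist:
                found.append(token)
    return found


def suspicious_exe_paths(pid_to_exe, dirs=SENSITIVE_MOUNTS):
    """(pid, exe) pairs whose executable resolves under /tmp or /dev/shm."""
    flagged = []
    for pid, exe in pid_to_exe.items():
        if any(exe == d or exe.startswith(d + "/") for d in dirs):
            flagged.append((pid, exe))
    return flagged


def live_exe_map():
    """Resolve /proc/<pid>/exe for every process (other users' processes need root)."""
    result = {}
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                result[int(entry)] = os.readlink(f"/proc/{entry}/exe")
            except OSError:
                continue  # process exited or not permitted
    return result


def audit(mounts_text, preload_text, pid_to_exe):
    """Run all three checks and return findings as one dict."""
    return {
        "mounts_without_noexec": mounts_missing_noexec(parse_mounts(mounts_text)),
        "preload_entries": preload_entries(preload_text),
        "processes_in_tmp": suspicious_exe_paths(pid_to_exe),
    }


# Constructed sample data (not real indicators from the report).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
"""
SAMPLE_PRELOAD = "# constructed example\n/tmp/example-hook.so\n"
SAMPLE_PROCS = {1: "/usr/lib/systemd/systemd", 4242: "/tmp/httpd", 4300: "/usr/sbin/sshd"}


if __name__ == "__main__":
    if "--live" in sys.argv:
        with open("/proc/mounts") as f:
            mounts_text = f.read()
        try:
            with open("/etc/ld.so.preload") as f:
                preload_text = f.read()
        except FileNotFoundError:
            preload_text = ""  # absent file is the expected state
        findings = audit(mounts_text, preload_text, live_exe_map())
    else:
        findings = audit(SAMPLE_MOUNTS, SAMPLE_PRELOAD, SAMPLE_PROCS)
    for name, value in findings.items():
        print(f"{name}: {value}")
```

On the constructed sample it reports /tmp as lacking noexec, one unexpected preload entry and the /tmp/httpd process; on a live host run it with `--live` as root. A process name alone says nothing, which is why the check resolves the executable path rather than trusting what `ps` shows.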