perfctl: A Stealthy Malware Targeting Millions of Linux Servers

Summary

Perfctl is a sophisticated malware family targeting millions of Linux servers; it actively exploits more than 20,000 kinds of misconfigurations to break into systems. It uses several advanced techniques to stay hidden and persistent, including rootkits, process masquerading, and communication over Unix sockets and TOR. Once executed, it deletes its own binary and keeps running in the background, copying itself to several locations on disk under deceptive names. It exploits the Polkit vulnerability (CVE-2021-4034) to escalate privileges and primarily runs a cryptominer, causing a significant CPU drain. Indicators of compromise include unusual CPU spikes, modifications under the /tmp, /usr, and /root directories, and TOR-based communication. Detection relies on monitoring suspicious system behavior, analyzing network traffic, and checking file integrity. Mitigation includes patching vulnerabilities, restricting file execution, disabling unused services, enforcing strict privilege management, and deploying runtime protection.

How Blue Rock Helps

The attack began with the exploitation of a vulnerability in RocketMQ, which allowed unauthorized command execution and gave the attacker initial access. BlueRock's Container Drift Protection (Binaries & Scripts) mitigates this by preventing unauthorized executables and scripts from running, so that only pre-approved binaries execute. Once inside, the malware downloaded its main payload and copied it to a new location under '/tmp', a behavior characteristic of process masquerading. BlueRock's Linux/Host Drift Protection detects such unauthorized changes to the file system and alerts administrators to the potential threat. The malware also used rootkits to hide its presence and maintain persistence. BlueRock's Reverse Shell Protection blocks attempts to bind shell input and output streams to network sockets, preventing the malware from establishing a backdoor for remote access. Together, these mechanisms give BlueRock comprehensive coverage of the tactics used by the perfctl malware and preserve system integrity.

MITRE ATT&CK Techniques Inferred
  • T1190: Exploit Public-Facing Application: The attack began with the exploitation of a vulnerability in RocketMQ (CVE-2023-33246), which allowed unauthorized command execution. This facilitated the initial access to the system.
  • T1105: Ingress Tool Transfer: The malware then downloaded its main payload from an HTTP server controlled by the attacker, staging the infection through a malicious download.
  • T1055.012: Process Injection: Process Hollowing: After downloading, the malware copied itself from memory to a new location in the '/tmp' directory, terminated the original process, and deleted the initial binary to cover its tracks. This behavior is characteristic of process injection and process masquerading.
  • T1014: Rootkit: The malware employed rootkits to hide its presence, modifying the behavior of authentication mechanisms and preventing the recording of network traffic. This indicates the use of kernel module and user land rootkits.
  • T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder: To maintain persistence, the malware modified the ~/.profile script to execute itself during user login and copied itself to multiple locations with deceptive names.
  • T1573.001: Encrypted Channel: Symmetric Cryptography: The malware utilized a Unix socket for internal communication and TOR for external communication, indicating the use of encrypted channels to evade network defenses.
  • T1068: Exploitation for Privilege Escalation: For privilege escalation, the malware attempted to exploit the Polkit vulnerability (CVE-2021-4034).
  • T1496: Resource Hijacking: The malware dropped a cryptominer and proxy-jacking software, indicating resource hijacking and unauthorized use of system resources.
  • T1219: Remote Access Software: The malware opened a backdoor on the server and listened for TOR communications, which is indicative of the creation of a remote access tool (RAT).
  • T1070.004: Indicator Removal: File Deletion: The malware deleted its binary after execution to avoid detection, which is a technique for defense evasion.
  • T1071.001: Application Layer Protocol: Web Protocols: The malware used environment variables to store data that further affected its execution and behavior, showing an attempt to maintain persistence and evade detection.
  • T1562.001: Impair Defenses: Disable or Modify Tools: The malware employed various methods to detect and terminate any competing malware, ensuring it maintained control over the infected system.
  • T1027: Obfuscated Files or Information: The attacker utilized packed, stripped, and encrypted binaries to bypass defense mechanisms and hinder reverse engineering attempts.
  • T1562.001: Impair Defenses: Disable or Modify Tools: The malware monitored for new user logins and suspended its activity to avoid detection, indicating the use of evasion techniques based on user activity.
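Two of the behaviors listed above, the ~/.profile autostart (T1547.001 as mapped here) and the binary deleted right after execution (T1070.004), can be checked on a Linux host with the triage helpers below. This is an added example written for this page, not BlueRock's product code or anything taken from the malware; the suspicious-path regex is our own heuristic and the sample profile, including the /tmp/.xdiag path, is constructed rather than an indicator from the page.

```python
import os
import re

# Heuristic (our assumption, not from the page): a ~/.profile line that runs
# something from a world-writable or hidden path is worth a look.
SUSPICIOUS_PATH = re.compile(r"(^|[\s;&|])(/tmp/|/var/tmp/|/dev/shm/|\$HOME/\.|~/\.)\S*")


def profile_autostart_lines(profile_text):
    """Return (line_no, line) for lines that launch a binary from /tmp-like or hidden paths.

    Comment lines and plain 'source'/'.' lines are skipped to cut noise from stock profiles.
    """
    hits = []
    for no, line in enumerate(profile_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", ". ", "source ")):
            continue
        if SUSPICIOUS_PATH.search(stripped):
            hits.append((no, stripped))
    return hits


def deleted_exe_procs(proc_root="/proc"):
    """Return (pid, exe_target) for running processes whose binary was unlinked.

    Linux reports such a process's /proc/<pid>/exe link as '<path> (deleted)',
    which is exactly what a self-deleting dropper leaves behind.
    """
    found = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, name, "exe"))
        except OSError:
            continue  # kernel thread, process already gone, or no permission
        if target.endswith(" (deleted)"):
            found.append((int(name), target))
    return found


if __name__ == "__main__":
    # Constructed sample profile; the /tmp/.xdiag path is a placeholder, not an IoC from the page.
    sample = '# ~/.profile\n. "$HOME/.bashrc"\n/tmp/.xdiag/perfctl >/dev/null 2>&1 &\n'
    for no, line in profile_autostart_lines(sample):
        print(f"profile line {no}: {line}")
    if os.path.isdir("/proc"):
        for pid, exe in deleted_exe_procs():
            print(f"pid {pid} runs from deleted binary {exe}")
```

Run it as root on a suspect host so every /proc/<pid>/exe link is readable; a hit from `deleted_exe_procs` should be paired with a look at that process's CPU usage and open sockets before acting on it.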
