Keypoints
- Initial access is achieved via exploitation of misconfigurations and vulnerabilities (e.g., RocketMQ flaws and CVE-2021-4043/Polkit), using a downloader script named rconf.
- Main payload (delivered as avatar.php → renamed httpd) unpacks in memory, copies itself to /tmp using the original process name, deletes the original binary, and records the PID in /tmp/.apid.
- The campaign drops a rootkit (libgcwrap.so using LD_PRELOAD), a packed cryptominer (XMRIG), and trojanized user-space utilities (top, ldd, lsof, crontab) to hide activity and persist.
- Persistence is reinforced by copying binaries to multiple deceptive paths (/root/.config/cron/perfcc, /usr/bin/perfcc, /usr/lib/libpprocps.so) and modifying login/profile scripts to execute the malware at session start.
- Internal coordination uses a Unix socket and a /tmp/.xdiag directory structure for state, while external C2 and cryptomining traffic are routed via TOR to remote hosts.
- Detection signals include unusual CPU spikes during idle times, binaries running from /tmp or unexpected locations, modifications to /etc/ld.so.preload and profile scripts, and TOR session logs.
MITRE Techniques
- [T1036] Process Masquerading – The malware replaces and deletes the original binary and saves a copy under the name of the process that executed it to evade inspection. [‘httpd then stops and deletes itself. This technique is called ‘process masquerading’ or ‘process replacement’’]
- [T1014] Rootkit – Uses an ELF shared-object rootkit loaded via LD_PRELOAD to hook system/library functions and hide files/processes. [‘It utilizes rootkits to hide its presence.’]
- [T1203] Exploitation of Vulnerability – Exploits misconfigurations and specific CVEs (e.g., CVE-2021-4043 Polkit) to escalate privileges or gain initial control. [‘It attempts to exploit the Polkit vulnerability (CVE-2021-4043) to escalate privileges.’]
- [T1071.001] Application Layer Protocol: Web Protocols (TOR) – Uses TOR for encrypted external communications to command-and-control servers and cryptomining pools. [‘Utilizes TOR for encrypted communications with external servers.’]
- [T1547] Persistence – Modifies user login/profile scripts and installs service-like small binaries to ensure the malware runs after reboot or user login. [‘Modifies user profile scripts to ensure malware execution at login.’]
- [T1496] Resource Hijacking – Deploys a packed/encrypted cryptominer and proxy-jacking components to consume CPU and network resources. [‘executes cryptomining activities to hijack server resources.’]
Indicators of Compromise
- [IP Addresses] download servers and C2 context – 46.101.139.173 (primary download server), 198.211.126.180 (download server) and 104.183.100.189
- [Domains] proxy-jacking / external services – bitping.com, repocket.com, earn.fm and speedshare.app
- [File hashes] notable binaries – MD5: 656e22c65bf7c04d87b5afbe52b8d800 (main malware/httpd), MD5: 835a9a6908409a67e51bce69f80dd58a (rootkit), plus two further hashes (cryptominer, trojanized utilities)
- [File names / paths] deployed artifacts and persistence – /tmp/.apid (saved PID), /root/.config/cron/perfcc and other copies (/usr/bin/perfcc, /usr/lib/libpprocps.so) used for persistence and masquerading
In the observed procedure the attacker gains initial access by exploiting exposed services or misconfigurations (RocketMQ flaws and Polkit/CVE-2021-4043 were used in recorded cases). The compromise begins with a small shell orchestrator (rconf) that verifies the architecture and the mount options of /tmp, creates working directories under /tmp, and provides a fallback HTTP/TCP download routine in case curl and wget are missing. That script fetches the staged payload (avatar.php), renames it to httpd and fingerprints the host with uname -a; the binary then unpacks itself in memory and executes.
Once executed, httpd functions as a dropper and local C2: it copies its running memory image to /tmp under the name of the process that launched it (process masquerading), writes the PID to /tmp/.apid, terminates and deletes the original file, then spawns a duplicate (sh) which sleeps, enumerates the host, and drops additional components. Those components include a packed/encrypted cryptominer (XMRIG), a shared-object rootkit (libgcwrap.so) loaded via LD_PRELOAD, a small watchdog/service binary (wizlmsh) in /usr/bin for persistence, and trojanized user-space utilities (top, ldd, lsof, crontab) placed in user-local paths to hide activity and interfere with investigations.
For runtime control and stealth the malware opens a Unix-domain socket and keeps its state under /tmp/.xdiag (logs, version, tokens, Tor data), and routes external communications, including mining-pool connections, through TOR to remote IPs. The rootkit hooks functions such as pam_authenticate and pcap_loop to manipulate authentication behavior and suppress local network captures. The campaign also remounts /tmp with exec if necessary, enumerates and kills competing malware, pauses noisy activity when a new user logs in (it monitors utmp/btmp), and scatters copies of its binaries across multiple deceptive system paths to maximize persistence and complicate detection. Defenders should inspect /tmp, /usr, /root, /etc/ld.so.preload, modified profile scripts and TOR session logs for these artifacts.
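The host checks listed above, as an added triage script that is not part of the original report or Aqua's tooling: it looks for the dropped paths named in this summary, non-comment entries in /etc/ld.so.preload, profile scripts that reference the dropped names, and (on a live host) processes whose binary runs from /tmp or has been deleted. It reads /proc directly rather than trusting ps, top, ldd or lsof, since those may be trojanized or hooked by the LD_PRELOAD rootkit; the set of profile scripts it scans and the --scan argument are assumptions.

```shell
#!/bin/sh
# Added triage script for the perfctl artifacts named above (not Aqua's tooling). ROOT arg:
# "" = live host, /mnt/image = mounted image. The profile-script list is an assumption.
ARTIFACT_PATHS="/tmp/.apid /tmp/.xdiag /root/.config/cron/perfcc /usr/bin/perfcc \
/usr/lib/libpprocps.so /usr/bin/wizlmsh"

# Print each known dropped path present under $1; return 1 if any was found.
check_artifacts() {
  local root="$1" found=0 p
  for p in $ARTIFACT_PATHS; do
    [ -e "$root$p" ] && { echo "ARTIFACT $p"; found=1; }
  done
  return $found
}

# /etc/ld.so.preload is normally absent or empty; any non-comment line is a library
# forced into every process (how libgcwrap.so is loaded). Return 1 if one exists.
check_preload() {
  local f="$1/etc/ld.so.preload"
  [ -s "$f" ] && grep -v '^[[:space:]]*#' "$f" | grep -q . || return 0
  echo "PRELOAD $f:"; grep -v '^[[:space:]]*#' "$f"
  return 1
}

# Login/profile scripts that reference the dropped names; return 1 on any hit.
check_profiles() {
  local root="$1" hits=0 f
  for f in "$root"/etc/profile "$root"/etc/profile.d/* "$root"/etc/bash.bashrc \
      "$root"/root/.bashrc "$root"/root/.profile "$root"/home/*/.bashrc "$root"/home/*/.profile; do
    [ -f "$f" ] && grep -qE 'perfcc|libpprocps|wizlmsh|\.xdiag' "$f" && { echo "PROFILE $f"; hits=1; }
  done
  return $hits
}

# Live host only: processes whose binary runs from /tmp or was deleted after start
# (process masquerading). Read /proc directly: ps/top/lsof on the box may be trojanized.
check_proc_tmp() {
  local pid exe hits=0
  for pid in /proc/[0-9]*; do
    exe=$(readlink "$pid/exe" 2>/dev/null) || continue
    case "$exe" in /tmp/*|*' (deleted)') echo "PROC ${pid#/proc/} $exe"; hits=1 ;; esac
  done
  return $hits
}

# Direct use: sh perfctl_check.sh --scan [ROOT]; the /proc scan applies to the live host only.
if [ "${1:-}" = --scan ]; then
  check_artifacts "${2:-}"; check_preload "${2:-}"; check_profiles "${2:-}"
  [ -z "${2:-}" ] && check_proc_tmp
fi
```

Each check exits non-zero on a finding, so the script can be wired into a cron job or EDR custom check; a hit in /etc/ld.so.preload should be confirmed from a trusted boot medium, because the rootkit can hide the file from tools on the compromised host.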
Read more: https://www.aquasec.com/blog/perfctl-a-stealthy-malware-targeting-millions-of-linux-servers/