Transitioning from Perfctl to InfoStealer – SANS Internet Storm Center

A lab analysis of the stealthy Linux malware perfctl shows it runs without root, uses Tor for command-and-control and IPC, drops a backdoor, scans for credentials with TruffleHog, copies running executables from /proc to propagate, archives findings, and exfiltrates them. The observed infection created perfctl and a mimic gnome-session-binary process, executed reconnaissance scripts, dumped process memory and Docker info, and uploaded a tarball to an external host. #perfctl #TruffleHog

Keypoints

  • Perfctl is a stealthy Linux threat that can run without root, disabling its rootkit features when non-root.
  • The malware uses Tor for external command-and-control and performs inter-process communication via local sockets.
  • It implants a backdoor, drops and runs reconnaissance scripts to enumerate host info, processes, containers, and files.
  • TruffleHog is downloaded and used to scan the filesystem for credentials and secrets.
  • An attacker-supplied list of 19K+ file path regexes was used to search for “juicy” files, and /proc was parsed for process details and memory dumps.
  • Perfctl replicates by copying running executables from /proc/*/exe into /tmp/.perf.c and other locations, then archives and exfiltrates collected data.

MITRE Techniques

  • [T1090.003] Proxy: Multi-hop Proxy – Used Tor for external command-and-control (‘Utilizes Tor for external communications.’)
  • [T1041] Exfiltration Over Command and Control Channel – Collected files were archived and sent to an external server (‘Exfiltrates collected data to an external server.’)
  • [T1552.001] Unsecured Credentials: Credentials In Files – Ran TruffleHog over the filesystem to find secrets and credential-bearing URIs (‘Uses TruffleHog to scan for sensitive credentials.’)
  • [T1036] Masquerading – Copied running binaries from /proc/*/exe to new paths and names (gnome-session-binary, libfsnldev.so) so the copies blend in with legitimate processes and libraries (‘Replicates itself by copying binaries from running processes.’)
  • [T1082] System Information Discovery – Executed scripts to gather host, process, network, and environment information (‘Executes scripts to gather information about the compromised host.’)

Indicators of Compromise

  • [File Hash] httpd binary – SHA256:22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13 (identified sample)
  • [Domains/URLs] C2 / resources – tor-exit-read-me.dfri.se (Tor exit used for C2), hxxps://github[.]com/trufflesecurity/trufflehog/releases/download/v3.78.2/trufflehog_3.78.2_linux_amd64.tar.gz (TruffleHog download)
  • [IP Addresses] hosting / exfil – 104.183.100.189 (host serving rex.filepaths.large-1.txt), 169.155.242.252 (embedded in archive name trunk…_169.155.242.252_.tar.gz)
  • [File paths / filenames] dropped artifacts and scan results – /tmp/.perf.c/gnome-session-binary (deleted), ~/.atmp/tmp/.applocal.xdiag/th.filesystem.secrets.found.txt, rex.filepaths.large-1.txt (downloaded regex list)

A technical reconstruction of the procedure: The analyst executed the perfctl sample in a non-root lab environment and observed two persistent processes: perfctl and a process masquerading as gnome-session-binary. The malware established Tor-based external communications and used local sockets for inter-process communication; when run without root, rootkit capabilities were unavailable but core behaviors (backdoor, C2 via Tor) persisted. The attacker dropped a subdirectory in the user home (e.g., ~/.atmp/tmp/.applocal.xdiag) and placed numerous artifacts there (host.txt, process.env.txt, process.mem.txt, th.filesystem.secrets.found.txt, rex.filepaths.large-1.txt, etc.).

For credential harvesting and discovery, the attacker downloaded TruffleHog from the project’s GitHub release, executed it (oddly invoking --help during the session), and saved its output to th.filesystem.secrets.found.txt. TruffleHog is a legitimate secret scanner, so the download by itself is not an indicator; what makes it suspicious here is the hidden staging directory and the /proc memory dumps that accompany it. They also fetched a large regex-based path list (rex.filepaths.large-1.txt from 104.183.100.189) containing ~19K patterns used to locate “juicy” files. The malware scripted enumeration against /proc (reading each process’s cmdline, environ and maps, and dumping memory with dd from /proc/<pid>/mem), inspected Docker (docker images, docker ps), and ran grep searches against the downloaded file-path patterns.

For propagation and persistence, perfctl copied running executables with cp /proc/<pid>/exe to create new binaries under /tmp/.perf.c, /dev/shm, and /lib (example: cp /proc/71062/exe /dev/shm/libfsnldev.so), replicating itself under multiple filenames; the /tmp/.perf.c/gnome-session-binary copy shows up as (deleted), meaning it was unlinked from disk after the process had started. After collecting files and dumps, the operator packaged the results into a tar archive (example: trunk.6f7794aa1bd1b2b8d26eb2eae5f8df37_169.155.242.252_.tar.gz) and exfiltrated it to an external server over the established channel. Read more: https://isc.sans.edu/diary/rss/31334
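The behaviours reconstructed above (a copied binary running from /tmp/.perf.c or /dev/shm, an executable unlinked after launch, a process name that does not match its image, and the trunk.<md5>_<ip>_.tar.gz archive naming) are all visible from /proc and the filesystem without root. The script below is an added hunting example written for this write-up; it is not code from the ISC diary or from the perfctl sample. The staging-directory list, the reason labels, the pids and the placement of the known hash in the constructed sample are assumptions; the SHA256 and the archive-name pattern are taken from the indicators above.

```python
"""Hunt for perfctl-style process artefacts by walking /proc.

Added example for this write-up, not code from the ISC diary or from the
perfctl sample. It flags processes whose binary has been unlinked from disk,
whose executable lives in a staging directory such as /tmp/.perf.c or /dev/shm,
or whose process name does not match the binary actually mapped (the
gnome-session-binary mimic). Staging prefixes and reason labels are assumptions.
"""
import hashlib
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# SHA256 of the httpd sample reported in the diary.
KNOWN_BAD_SHA256 = {"22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13"}
# Where the diary saw copies land; /var/tmp is an assumption added for coverage.
STAGING_PREFIXES = ("/tmp/.perf.c", "/dev/shm/", "/tmp/", "/var/tmp/")
# Exfil archive naming seen in the diary: trunk.<32 hex>_<ipv4>_.tar.gz
EXFIL_ARCHIVE_RE = re.compile(r"^trunk\.[0-9a-f]{32}_\d{1,3}(?:\.\d{1,3}){3}_\.tar\.gz$")
DELETED = " (deleted)"


@dataclass
class ProcRecord:
    pid: int
    comm: str                      # /proc/<pid>/comm, kernel-truncated to 15 chars
    exe_link: str                  # readlink(/proc/<pid>/exe); ends in " (deleted)" if unlinked
    sha256: Optional[str] = None   # digest of the mapped image, if collected


def assess(rec: ProcRecord) -> List[str]:
    """Return the reasons a process looks like a perfctl artefact (empty if clean)."""
    reasons = []
    exe = rec.exe_link
    if exe.endswith(DELETED):
        reasons.append("exe-deleted")          # e.g. /tmp/.perf.c/gnome-session-binary (deleted)
        exe = exe[: -len(DELETED)]
    if exe.startswith(STAGING_PREFIXES):
        reasons.append("exe-in-staging-dir")
    if "/." in exe:
        reasons.append("hidden-dir")           # dot-directories like .perf.c or .atmp
    base = os.path.basename(exe)
    # comm holds the first 15 bytes of the original name; a mismatch means the
    # process is not running the binary its name claims.
    if base and rec.comm and base[:15] != rec.comm:
        reasons.append("comm-exe-mismatch")
    if rec.sha256 in KNOWN_BAD_SHA256:
        reasons.append("known-bad-hash")
    return reasons


def hunt(records: List[ProcRecord]) -> Dict[int, List[str]]:
    """Map pid -> reasons for every record that trips at least one check."""
    hits = {}
    for rec in records:
        reasons = assess(rec)
        if reasons:
            hits[rec.pid] = reasons
    return hits


def is_exfil_archive_name(name: str) -> bool:
    """True for names shaped like the diary's trunk.<md5>_<ip>_.tar.gz archive."""
    return EXFIL_ARCHIVE_RE.match(name) is not None


def collect_live(proc_root: str = "/proc", hash_exe: bool = True) -> List[ProcRecord]:
    """Read every /proc/<pid> we are allowed to. /proc/<pid>/exe still opens an
    unlinked binary, so hashing through it recovers a sample deleted from disk."""
    records = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"{proc_root}/{pid}/comm") as fh:
                comm = fh.read().strip()
            exe_link = os.readlink(f"{proc_root}/{pid}/exe")
        except OSError:
            continue  # kernel thread, another user's process, or it already exited
        digest = None
        if hash_exe:
            try:
                with open(f"{proc_root}/{pid}/exe", "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                pass
        records.append(ProcRecord(pid, comm, exe_link, digest))
    return records


# Constructed sample modelled on the diary's observations (pids and the hash
# placement are assumptions; the first two entries are legitimate negatives).
SAMPLE = [
    ProcRecord(1, "systemd", "/usr/lib/systemd/systemd"),
    ProcRecord(2241, "gnome-session-b", "/usr/libexec/gnome-session-binary"),
    ProcRecord(71062, "gnome-session-b", "/tmp/.perf.c/gnome-session-binary" + DELETED),
    ProcRecord(71090, "httpd", "/dev/shm/libfsnldev.so",
               sha256="22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13"),
]

if __name__ == "__main__":
    for pid, why in sorted(hunt(collect_live()).items()):
        print(pid, ", ".join(why))
```

Run it as root to see every process; as an unprivileged user it only sees that user's processes, which is still enough to catch the non-root infection described in the diary. Expect some benign comm/exe mismatches: a script started via its shebang has comm set to the script name while exe points at the interpreter, and any program may rename itself with prctl(PR_SET_NAME). Treat the mismatch as a lead to combine with the staging-directory and deleted-exe checks rather than as a verdict on its own. Because /proc/<pid>/exe opens the original inode even after unlinking, collect_live can hash, and you can cp out, a binary the operator has already deleted.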