Last night, security researchers from Aqua Security published a comprehensive article about the Perfctl malware. They caution users about its capabilities, which blend significant stealth with relentless persistence. Its detection is not guaranteed, and researchers estimate that millions of configurations are vulnerable.

The name “Perfctl,” coined by the researchers, combines “Perf,” a performance analysis tool, and “ctl,” a common abbreviation for command-line tools. According to Aqua Security, this malware has been circulating since at least 2021 and is thought to be present in several thousand configurations, primarily servers.

A Master of Evasion and Persistence

Perfctl boasts numerous capabilities. Once installed on a machine, it deletes its binary while continuing to operate as a background service. Simultaneously, it replicates itself from memory to various storage locations, disguising itself under seemingly harmless names that resemble system files to elude detection. Aqua Security summarized these names in a graphic:

Source: Aqua Security

The malware also alters the ~/.profile script (which configures the environment at user login) to ensure it executes during logon. Additionally, it includes a rootkit that activates each time the computer restarts.

Perfctl is remarkably discreet. In addition to the previously mentioned measures, it can autonomously terminate any “noisy” activities when a user connects to the machine. Its various components communicate internally by opening Unix sockets and externally via Tor relays.

It also has the capability to manipulate the pcap_loop process (using an interception technique) to prevent administrative tools from logging traffic that might be identified as malicious. Hijacking pcap_loop further aids in persistence, enabling malicious activities to continue even after payloads have been detected and removed. Moreover, Perfctl can suppress mesg errors to avoid generating warnings during execution.

An Ambiguous Origin

Despite the wealth of details uncovered by researchers, much remains unclear about Perfctl. They are uncertain of its origin or the malicious group that may be behind it. Aqua Security, however, asserts that the technical level of the malware is quite advanced. The range of methods employed indicates that its creators have an in-depth understanding of how Linux operates.

Determining how many machines are infected is equally challenging. Perfctl initially targets specific vulnerabilities, including CVE-2023-33426, a critical vulnerability (rated 10 out of 10) in Apache RocketMQ. Even in the absence of such vulnerabilities, it can exploit over 20,000 common configuration errors. In this scenario, it attempts to exploit the CVE-2021-4043 flaw in Gpac to gain root privileges.

Source: Aqua Security

Detection is further complicated because Perfctl halts its most apparent activities as soon as a session is initiated, as previously mentioned. Researchers have noted many discussions regarding unusual server behavior, particularly on Reddit. “I only discovered the malware when my monitoring system alerted me to 100% CPU usage. However, the process immediately stopped when I logged in via SSH or the console. As soon as I log out, the malware resumes within seconds or minutes,” writes one administrator.

Similar discussions can be found in various languages on platforms such as Stack Overflow, Forobeta, Brainycp, and even Proxmox. Based on these reports, Aqua researchers cannot definitively confirm that it is indeed Perfctl, but they note that the symptoms align.

What Is Perfctl Used For?

While the malware is tenacious and stealthy, its purposes remain unclear. The spikes in CPU usage suggest that it is primarily used for mining the Monero cryptocurrency through the XMRIG cryptominer. The 100% CPU surges are attributed to the high computational demands of mining, which halts as soon as a session is connected.

Perfctl can also engage in proxy-jacking, repurposing unused bandwidth for other activities. In either case, the motivation appears to be financial.

Despite these two functions, researchers describe Perfctl as very versatile. Depending on the payload delivered by the command and control (C2C) server, it may partake in various other malicious actions, including data exfiltration.

Removing It Is Challenging

It remains unclear whether current antivirus solutions can detect and eliminate Perfctl. Aqua Security researchers provide a set of guidelines, particularly on identifying the presence of this malware.

Two primary criteria can indicate the presence of malware. First is the observation of CPU activity spikes (or seemingly unexplained slowdowns), especially in processes named httpd and sh. The second is the presence of suspicious binaries in the /tmp, /usr, and /root directories. Examples of such names include perfctl, sh, libpprocps.so, perfcc, and libfsnkdev.so.

Aqua further advises checking the system logs for modifications to the files ~/.profile and /etc/ld.so.preload, as well as monitoring changes to certain system users (like ldd, top, lsof, and crontab).

The researchers also recommend several mitigation strategies, the most crucial of which is to update server components, particularly those affected by exploited vulnerabilities. Aqua suggests restricting file execution in writable directories, disabling unused services, applying strict privilege management, and, of course, implementing security tools capable of detecting rootkits and malware without raising alarms.

Aqua estimates that, considering the prevalence of targeted and unpatched vulnerabilities, millions of machines are currently at risk from this malware.

Understanding Perfctl Malware: Stealth and Persistence in Cybersecurity

What is Perfctl Malware?

Perfctl malware, revealed by security researchers at Aqua Security, signifies a serious threat to server configurations worldwide. The name “Perfctl” represents an amalgamation of “Perf,” a performance analysis tool, and “ctl,” common terminology for command-line utilities. This malware has reportedly been active since at least 2021, infiltrating thousands of systems, particularly servers.

Key Characteristics of Perfctl Malware

Aqua Security has outlined several alarming features of Perfctl:

• Stealthy Operations: Upon installation, Perfctl erases its binary and morphs into a background service.
• Persistence: It copies itself from memory to various system directories, disguising its presence behind names akin to legitimate system files.
• Frequency of Infections: Researchers believe millions of configurations are susceptible to this malware.

The Mechanics of Perfctl

1. Evasion Techniques

Perfctl employs several cunning tactics to evade detection:

• Modification of ~/.profile: This ensures the malware runs at user login.
• Utilization of a Rootkit: This rootkit activates each time the system restarts, creating a cycle of reinfection.
• Disabling Noisy Activities: Perfctl halts its activity upon user login and reconnects to its malicious tasks once logged out.

2. Command and Communication

Communication channels for Perfctl include:

• Unix Sockets: Used for internal component communication.
• Tor Relays: Enable external connectivity while masking the malware’s origins.

How Perfctl Affects Systems

The malware’s core functionality leans towards financial gains through:

• Cryptocurrency Mining: Primarily mining Monero using the XMRIG miner, evidenced by spikes in CPU usage.
• Proxy-Jacking: Utilizing unused bandwidth for crypto mining and potentially other malicious activities.
• Data Exfiltration: Depending on the commands delivered from the command and control server (C2C), Perfctl can engage in diverse malicious actions.

Challenges in Detection

One daunting aspect of Perfctl is the challenge in detecting its presence:

• Perfctl halts its visible actions upon session initiation, causing an illusion of a clean system.
• Reported symptoms include high CPU consumption correlating with processes named httpd and sh.
• Suspicious binaries often hide in /tmp, /usr, and /root folders, with names such as perfctl, sh, and libpprocps.so.

User Experiences

Various users have shared their experiences:

“I became aware of the malware when my monitoring setup alerted me to 100% CPU usage. However, the process stopped immediately when I logged in via SSH or the console.” – System Administrator

Mitigation and Prevention Strategies

1. Update and Patch Regularly

Aqua Security emphasizes

• Continuous updates for server components, particularly those associated with exploited vulnerabilities.

2. Monitor Suspicious Activity

To help recognize potential infections, users should monitor:

• CPU peaks, particularly noted during high-load processes.
• System logs for alterations related to ~/.profile and /etc/ld.so.preload.

3. Tighten Security Configurations

Recommended security practices include:

• Restricting file execution in writable directories.
• Disabling unused services to minimize entry points for attackers.
• Implementing strict user privilege management to limit exposure.
• Deploying robust security tools geared toward rootkit detection.

Impact on the Cybersecurity Landscape

The emergence of Perfctl highlights crucial vulnerabilities in server configurations. With millions of potential targets, the need for heightened cybersecurity awareness and defense mechanisms is more pressing than ever.

Conclusion: Staying Ahead of Perfctl

Understanding the operational tactics of Perfctl is vital for effective defense against this prevalent malware. Regular updates and security audits, combined with vigilant monitoring of system activities, can significantly mitigate the risks posed by this and other similar threats.