Full Report
Researchers investigated the "perfctl malware," a Linux malware targeting misconfigurations and vulnerabilities on Linux servers. Perfctl employs rootkits, privilege escalation exploits, and cryptomining activities. It also uses tactics such as process masquerading and deletin...
Analysis Summary
# Tool/Technique: perfctl Malware
## Overview
The "perfctl malware" is a stealthy Linux malware primarily designed to compromise Linux servers by exploiting configuration weaknesses and known vulnerabilities. Its main goals include achieving persistence, escalating privileges, and ultimately hijacking system resources for cryptomining (using XMRig) and proxy-jacking.
## Technical Details
- Type: Malware family
- Platform: Linux
- Capabilities: Rootkit deployment, privilege escalation, cryptomining, process masquerading, backdoor creation (TOR-based), self-deletion of initial binaries.
- First Seen: October 3, 2024 (Date of related publication)
## MITRE ATT&CK Mapping
- T1059 - Command and Scripting Interpreter
- T1059.004 - Unix Shell
- T1078 - Valid Accounts
- T1078.003 - Local Accounts (Implied by successful privilege escalation)
- T1055 - Process Injection
- T1055.001 - DLL Side-Loading (Listed on the strength of the trojanized utilities; the observed behaviour is modification of existing processes rather than direct injection)
- T1548 - Abuse Elevation Control Mechanism
- T1548.002 - Bypass User Account Control (UAC) (UAC is a Windows concept; listed only as the nearest analogue to the privilege escalation observed on Linux)
- T1564 - Hide Artifacts
- T1564.003 - Hidden Files and Directories (Dropping logs and binaries in locations like `/tmp/.xdiag` and `/root`)
- T1564.005 - Replace Executable (Replacing utilities like `ldd`, `lsof`, `top`)
- TA0008 - Lateral Movement (Implied, though the focus is on resource harvesting post-compromise)
- TA0011 - Command and Control
- T1090 - Proxy (Using TOR-based communication)
## Functionality
### Core Capabilities
- **Vulnerability Exploitation:** Leverages known flaws, specifically CVE-2021-4043 (Polkit), for privilege escalation.
- **Resource Hijacking:** Deploys cryptominers, specifically XMRig, to utilize CPU resources for illicit mining.
- **Proxy-Jacking:** Exploits misconfigured systems for proxy activities.
- **Persistence:** Establishes persistence via rootkit deployment.
### Advanced Features
- **Rootkit Functionality:** Hooks critical system functions, specifically in libpcap and PAM, to suppress logging and hide its network activity.
- **Process Masquerading:** Replaces essential system utilities (`ldd`, `lsof`, `top`) with trojanized versions to hide its processes from standard monitoring tools.
- **Evasive Execution:** Evades initial detection by giving the main payload an innocuous name (e.g., `httpd`) and deleting the downloaded binary immediately after execution.
- **Stealthy Operation:** Stops malicious activities (like cryptomining) when interactive user sessions are detected and resumes when the system is idle.
- **Internal/External C2:** Uses Unix sockets for internal communication and TOR-based infrastructure for external communication.
## Indicators of Compromise
- File Hashes: [Unknown from context]
- File Names: `httpd` (Deceptive payload name), trojanized versions of `ldd`, `lsof`, `top`.
- Registry Keys: [Not applicable to Linux]
- Network Indicators: TOR-based external communication channels. Uses Unix sockets for internal communication.
- Behavioral Indicators: Hooking of libpcap and PAM. Stopping noisy processes (such as the miner) while a user is logged in. Logging data to `/tmp/.xdiag`.
## Associated Threat Actors
- Unknown (Reported as Unknown in the provided context).
## Detection Methods
- Signature-based detection: Look for known hashes of XMRig components or the perfctl binary.
- Behavioral detection: Monitoring for tampering with or replacement of core utilities like `ldd`, `lsof`, and `top`. Detecting CPU usage patterns that rise when the system is idle and drop when a user logs in. Monitoring for outbound connections from the host to TOR relays or other TOR infrastructure.
- YARA rules: [Not available from context]
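The behavioral checks above, as an added example that is not part of the original report: it compares the named utilities against a trusted hash baseline (assumed to have been captured from a clean image), looks for running processes whose executable was unlinked after launch, and checks for the `/tmp/.xdiag` path.

```python
import hashlib
import os

WATCHED_UTILITIES = ("ldd", "lsof", "top")  # utilities the report says are replaced
SUSPECT_PATHS = ("/tmp/.xdiag",)            # log/staging directory named in the report

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def collect_hashes(search_dirs=("/usr/bin", "/bin")):
    """Hash the first copy of each watched utility found in search_dirs."""
    observed = {}
    for name in WATCHED_UTILITIES:
        for d in search_dirs:
            p = os.path.join(d, name)
            if os.path.isfile(p):
                observed[name] = sha256_file(p)
                break
    return observed

def audit_hashes(observed, baseline):
    """Compare against a trusted {name: sha256} baseline from a clean image; returns {name: reason}."""
    findings = {}
    for name in WATCHED_UTILITIES:
        if name not in observed:
            findings[name] = "missing"
        elif name not in baseline:
            findings[name] = "no baseline"
        elif observed[name] != baseline[name]:
            findings[name] = "hash mismatch"
    return findings

def read_exe_links(proc_root="/proc"):
    """Map pid -> target of /proc/<pid>/exe; unreadable entries are skipped."""
    links = {}
    for entry in os.listdir(proc_root):
        if entry.isdigit():
            try:
                links[int(entry)] = os.readlink(os.path.join(proc_root, entry, "exe"))
            except OSError:
                continue
    return links

def flag_deleted_exe(links):
    """Pids whose executable was unlinked after exec, as perfctl does to its dropper."""
    return sorted(pid for pid, target in links.items() if target.endswith(" (deleted)"))

def existing_suspect_paths(paths=SUSPECT_PATHS):
    return [p for p in paths if os.path.exists(p)]
```

If a rootkit is already hooking libc on the host, these reads can be lied to as well; running the checks from a rescue boot or comparing against the package manager's own checksums (`dpkg -V` / `rpm -V`) is more trustworthy.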
## Mitigation Strategies
- **Patching:** Immediately patch systems against known vulnerabilities like CVE-2021-4043 (Polkit).
- **Configuration Hardening:** Strict configuration hardening to prevent resource hijacking and unauthorized privilege escalation.
- **Process Monitoring:** Implement robust monitoring for process replacement, especially concerning system binary integrity in directories like `/bin` or `/usr/bin`.
- **Monitoring Hooking:** Monitor for libraries attempting to hook critical system functions (such as libpcap or PAM modules).
## Related Tools/Techniques
- XMRig (Cryptomining tool used by the malware).
- Rootkit techniques (General category).
- Other malware families utilizing Polkit/CVE-2021-4043 for privilege escalation.