PerfctL: The Malware that Mines Crypto When You’re Offline

Two years ago, a member of a cybersecurity sub-Reddit posted about the “Perfctl coin miner malware,” soliciting help to remove it. The member said, “I only became aware of the malware because my monitoring setup alerted me to 100% CPU utilization. However, the process would stop immediately when I logged in via SSH or console. As soon as I logged out, the malware would resume running within a few seconds or minutes.” 

Other researchers in the USA, Russia, Germany, Indonesia, South Korea, China, and Spain have also reported the malware. The malware is targeting millions worldwide by compromising Linux servers and mimicking system files to evade detection. 

Of course, we all knew the day would come when the perfect malware arrived, and it’s called, aptly, Perfctl. The name is supposed to appear anodyne, combining “perf,” a Linux performance monitoring tool, with “ctl,” which denotes control of command-line tools.

Zombie Cryptominer

Most reports express frustration at the persistence of the malware. It behaves a bit like the toys in Toy Story, lying motionless and inanimate while a user is logged in. Then, it magically comes to life when the system is idle.

What does Perfctl do with 100% of your CPU power? It seeks to mine Monero and sell the bandwidth of compromised machines to third parties, so it has likely made its creators very wealthy. 

The infected user on Reddit complained, “I have attempted to remove the malware by following the steps outlined in other forums, but to no avail.” They signed off with “Any help would be greatly appreciated,” along with all the information cobbled together in their investigation.

In 2023, a researcher going under the name Kanhu reported the same problem. The only way to eliminate all traces of the malware was “a clean install.” A response in the comment thread offered the pro tip: “If your system was infected, burn everything and restore it from scratch.” 

Aqua Nautilus and the Honeypot

Recently, the cybersecurity research team at Aqua Nautilus noticed that one of their honeypots was infected with Perfctl. On its website, the team defines a honeypot as “essentially a decoy server or system set up for potential hackers.” The researchers observed Perfctl sneaking around inside the honeypot and documented the malware’s behavior and processes.

After detecting the malware, Nautilus researchers did not find any detailed prior reports about it, which was unusual. They did find scattered reports from other users suggesting that it has been around since at least 2021, almost undetectable, shape-shifting, burrowing away, blending in, and covering its tracks. There had not been any long-form reports on the malware, so the researchers set to work, releasing a 6,000-word report on October 3, 2024.

Perfctl propagates itself inside the systems of Linux users, who have long believed they were more secure than everybody else. Perfctl exploits over 20,000 types of misconfigurations. So, we know about the extent of the vulnerability it targets, but we don’t know about the extent of the infiltration. 

Perfctl hides its presence with a rootkit, using TOR for external communication and copying itself to a half dozen locations on the disk under sneaky names. It deletes its own binary from disk yet continues to run in the background. It also terminates all other malware, so that it maintains control over the infected system. Removing the files does not resolve the infiltration; the malware respawns every time the system is rebooted.

Aqua Nautilus explains, “All the binaries are packed, stripped, and encrypted, indicating significant efforts to bypass defense mechanisms and hinder reverse engineering attempts.”

Night of the Living Dead

Perfctl is malware tailored for Linux systems. According to the report, the deployed rootkit coopts the system for its own purposes by way of “unauthorized actions during the authentication process, such as bypassing password checks, logging credentials, or modifying the behavior of authentication mechanisms.”

Translated: Perfctl turns the small mistakes of astute techies into the creation of zombie cryptominers that don’t know they are zombies or that they’re mining crypto. If they discover the infection, they likely won’t succeed in removing it, unless they do a clean reinstall of their operating system. 

It’s diabolical and ingenious. The cryptominer communicates with mining pools over TOR, so the network traffic is untraceable as are the profits. 

One could lose sleep and sanity in the pursuit of a fix, only to arrive at the most time and resource-consuming solution. When there is no other option but to wipe the slate clean, it evokes a certain nihilistic mood, a master stroke for a global conspiracy of cybercrime.

Detecting and Eradicating Perfctl on Your System

Unusual spikes in CPU usage can alert users to a Perfctl infection, as well as suspicious binaries in the /tmp, /usr, and /root directories. Network traffic for TOR-based communications would also be a dead giveaway. 

Nautilus recommends six approaches to the mitigation of Perfctl.

Restricting file execution from the directories the malware drops its binaries into, such as /tmp, would likely save people from the total reinstall solution. According to the report, the measure “prevents perfctl binaries from executing directly from those locations.”
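The indicators above (binaries running from writable directories, a binary deleted while its process keeps running) and the noexec mitigation can be checked with a few shell helpers. This is an added example, not code from the article or from Aqua Nautilus; the directory list, the "(deleted)" convention of /proc/PID/exe, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the article or the Aqua Nautilus report).
# Drop directories to watch: /tmp is named in the article; /var/tmp and
# /dev/shm are assumed as the usual writable equivalents.
SUSPECT_DIRS="/tmp /var/tmp /dev/shm"

# Returns 0 when an executable path deserves a closer look: it lives in a
# writable drop directory, or the binary was deleted while the process kept
# running (readlink on /proc/PID/exe then ends in " (deleted)").
is_suspect_exe() {
    exe="$1"
    case "$exe" in
        *" (deleted)") return 0 ;;
    esac
    for d in $SUSPECT_DIRS; do
        case "$exe" in
            "$d"/*) return 0 ;;
        esac
    done
    return 1
}

# Returns 0 when a /proc/mounts line for mount point $2 carries noexec.
# Takes the line as text so it can be exercised with constructed input.
mount_has_noexec() {
    line="$1"; want="$2"
    set -- $line
    [ "$2" = "$want" ] || return 1
    case ",$4," in
        *,noexec,*) return 0 ;;
    esac
    return 1
}

# Live scan: print "PID exe" for every running process whose binary is suspect.
# Empty output on a clean host; needs root to read every /proc/PID/exe.
scan_running_processes() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        is_suspect_exe "$exe" && printf '%s %s\n' "${p#/proc/}" "$exe"
    done
}

# Report whether each drop directory is mounted with the noexec mitigation.
report_noexec_status() {
    for d in $SUSPECT_DIRS; do
        line=$(grep " $d " /proc/mounts 2>/dev/null | head -n 1)
        if [ -n "$line" ] && mount_has_noexec "$line" "$d"; then
            printf '%s: noexec set\n' "$d"
        else
            printf '%s: executable (no noexec mount option)\n' "$d"
        fi
    done
}
```

Run `scan_running_processes; report_noexec_status` on a host to triage it; a hit on a process whose binary lives in /tmp or reads "(deleted)" is the pattern the Reddit poster described, not proof of Perfctl on its own.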

This wasn’t good enough for many smug Redditors who pooh-poohed the report by Aqua Nautilus, calling the mitigation advice “standard security practices” and blaming Perfctl on coders who “apply counter-culture views on established security practices.”

Although some downplayed the threat, there’s no doubt that Perfctl poses a risk to millions of Linux servers. Nobody really knows how large the number of compromised servers is right now, but most articles have claimed “thousands” are potentially already compromised.

On the websites of cybersecurity researchers, the threat description is usually followed by a pitch on their cybersecurity software. Freelancers have established a going rate in the ballpark of $150 to remove Perfctl from infected machines. 

Author: Laird Dilorenzo

#Crypto #Blockchain #DigitalAssets #DeFi

Laird Dilorenzo is a hatchet thrower and wordsmith. 

The editorial team at #DisruptionBanking has taken all precautions to ensure that no persons or organizations have been adversely affected or offered any sort of financial advice in this article. This article is most definitely not financial advice.
