A new Linux server malware called Perfctl has gone undetected for years, exploiting server configuration errors and vulnerabilities to gain control of systems.
The Perfctl malware has been active for the past 3-4 years, infecting Linux servers around the world by exploiting over 20,000 misconfigurations. Its evasion is notable: it runs only while the server is idle and halts its activity as soon as a user logs in. The malware uses rootkits to hide its presence and exploits vulnerabilities such as CVE-2021-4043 to elevate privileges and take over the system.
The main purpose of Perfctl is to use the servers' resources for cryptomining, in particular Monero (XMRig), communicating with mining pools over the Tor network. The malware also opens backdoors on infected servers, allowing attackers to retain control of the system and use it for other malicious activities, such as proxy hacking.
Perfctl remains dangerous because of how it persists on systems: it masquerades as legitimate Linux processes and copies itself to various directories. On Reddit and Stack Overflow, administrators reported high CPU loads and performance issues but could not immediately attribute them to Perfctl.
The Perfctl malware poses a serious threat to Linux servers by actively avoiding detection and using resources for cryptomining. Administrators should be vigilant, regularly inspecting files and processes on their systems and updating them to minimize the risk of infection.
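As an added illustration of the process inspection recommended above (example code written for this page, not from the article or from any Perfctl analysis tooling), this POSIX shell script flags processes whose binary runs from a writable or hidden location, was deleted after launch, or runs under a name that does not match its executable, which are the self-copying and masquerading traits described for Perfctl. The directory list is an assumption to tune per host, and reading other users' /proc/<pid>/exe links requires root.

```shell
# Added example, not the article's or the researchers' code.
# Checks each running process for traits the article attributes to Perfctl:
# a binary dropped in a writable/hidden directory, a binary unlinked after
# exec, or a process name that was renamed away from its executable.

# Return 0 if the executable path looks like a dropped or hidden binary.
# The directory list below is an assumption; extend it for your hosts.
suspicious_exe() {
    case "$1" in
        /tmp/*|/var/tmp/*|/dev/shm/*) return 0 ;;   # world-writable staging dirs
        *' (deleted)')                return 0 ;;   # binary removed after launch
        */.*)                         return 0 ;;   # hidden directory or dotfile
    esac
    return 1
}

# Return 0 if the kernel comm name differs from the binary's basename.
# The default comm is that basename, so a mismatch means it was renamed.
# Interpreters started through symlinks cause benign mismatches; treat
# this as low confidence on its own.
name_mismatch() {
    comm="$1"; exe="${2% (deleted)}"
    base="${exe##*/}"
    # comm is truncated to 15 characters by the kernel; compare the prefix
    [ "$comm" != "$(printf '%.15s' "$base")" ]
}

# Classify one "pid comm exe" record: prints a verdict, returns 0 if suspect.
classify() {
    pid="$1"; comm="$2"; exe="$3"; reason=""
    suspicious_exe "$exe" && reason="dropped-or-hidden-binary"
    name_mismatch "$comm" "$exe" && reason="${reason:+$reason,}name-mismatch"
    if [ -n "$reason" ]; then
        echo "SUSPECT pid=$pid comm=$comm exe=$exe reason=$reason"
        return 0
    fi
    echo "ok pid=$pid comm=$comm exe=$exe"
    return 1
}

# Walk /proc, print suspects and return the count (usable from cron).
scan_proc() {
    n=0
    for d in /proc/[0-9]*; do
        comm=$(cat "$d/comm" 2>/dev/null) || continue
        exe=$(readlink "$d/exe" 2>/dev/null) || continue   # kernel threads skip
        classify "${d#/proc/}" "$comm" "$exe" | grep '^SUSPECT' && n=$((n+1))
    done
    echo "$n"
}
```

Run `scan_proc` as root and review each SUSPECT line against the host's package manager and service inventory before acting on it.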