How ‘perfctl’ malware infected Linux servers undetected for years

Security researchers warn that a malware campaign dubbed perfctl has targeted millions of Linux servers over the past three to four years by attempting to exploit around 20,000 misconfigurations that expose credentials or insecure admin interfaces.

Equipped with a backdoor, perfctl gives attackers wide latitude in what they can do on a compromised host, but it appears to be used primarily for resource theft. Its main payloads are a Monero cryptocurrency miner and proxyjacking software that lets third parties route traffic through the victim’s bandwidth.

“We discovered numerous incident reports in community forums, all describing indicators of compromise linked to this malware,” researchers from Aqua Security wrote in their report on perfctl, whose name comes from its cryptominer process, which is what most impacted users noticed and reported on forums.

But the malware family has multiple components, including a dropper, a backdoor, and a rootkit that hides its files and processes and attempts a privilege escalation exploit.

Vulnerabilities and misconfigurations for initial access

To gain initial access, attackers behind this campaign exploit misconfigurations and known vulnerabilities in popular software. Aqua’s researchers found the malware after it targeted one of their honeypot servers by exploiting CVE-2023-33246, a vulnerability in the Apache RocketMQ open-source distributed messaging and streaming middleware framework.

After analyzing servers used by the attackers, the researchers also found a list of 20,000 directory traversal paths used to look for insecurely stored credential and configuration files on servers, including .conf, .ini, .json, and .xml files.

Many of these files accompany deployed applications and contain sensitive information such as credentials or access tokens but should not be readable by external users. Unfortunately, such misconfigurations are common. For example, security researchers recently reported that attackers collected .env files from around 110,000 domains, leading to the exposure of more than 90,000 unique environment variables with 7,000 corresponding to cloud services.
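The following Python is an added illustration (not code from the Aqua report or from this article) of how a defender can spot this kind of probing in web server access logs: traversal sequences, dotfiles such as .env, and requests for configuration file extensions. The combined log format, the extension list, the public-file allowlist and the sample log lines are all constructed assumptions.

```python
"""Scan web server access logs for requests that probe for exposed
credential and configuration files (added example, not Aqua's code)."""
import re
from collections import Counter
from urllib.parse import unquote

# Extensions named in the report (.conf, .ini, .json, .xml) plus .env and
# YAML, which the same kind of scan typically collects (assumption).
SENSITIVE_EXT = (".env", ".conf", ".ini", ".json", ".xml", ".yml", ".yaml")
# Files that are legitimately public and must not be flagged (assumption).
PUBLIC_OK = {"/manifest.json", "/sitemap.xml", "/browserconfig.xml"}
TRAVERSAL = re.compile(r"\.\.[/\\]")
# Apache/nginx combined log format (assumed input format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)


def decode_path(raw):
    """Drop the query string and URL-decode twice (scanners double-encode ../)."""
    return unquote(unquote(raw.split("?", 1)[0]))


def is_config_probe(raw_path):
    """True if the request targets a traversal, a dotfile, or a config extension."""
    p = decode_path(raw_path).lower()
    if TRAVERSAL.search(p):
        return True
    if p in PUBLIC_OK:
        return False
    segments = [s for s in p.split("/") if s]
    if any(s.startswith(".") and s != ".well-known" for s in segments):
        return True  # /.env, /.git/config, /.aws/credentials ...
    return p.endswith(SENSITIVE_EXT)


def scan_log(lines):
    """Return (ip, decoded_path, status) for every request that looks like a probe."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_config_probe(m["path"]):
            hits.append((m["ip"], decode_path(m["path"]), int(m["status"])))
    return hits


def exposed_files(lines):
    """Probed paths the server answered with 200: these are actually readable."""
    return sorted({path for _, path, status in scan_log(lines) if status == 200})


def probing_ips(lines, min_hits=3):
    """Source addresses that issued at least min_hits probes."""
    counts = Counter(ip for ip, _, _ in scan_log(lines))
    return {ip for ip, n in counts.items() if n >= min_hits}


# Constructed sample log: one scanner (203.0.113.5) and one normal visitor.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Oct/2024:10:00:01 +0000] "GET /.env HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Oct/2024:10:00:02 +0000] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Oct/2024:10:00:03 +0000] "GET /app/config/database.json HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Oct/2024:10:00:04 +0000] "GET /static/../wp-config.ini HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Oct/2024:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Oct/2024:10:01:01 +0000] "GET /sitemap.xml HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Oct/2024:10:01:02 +0000] "GET /.well-known/security.txt HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("probe", hit)
    print("exposed:", exposed_files(SAMPLE_LOG))
    print("scanners:", probing_ips(SAMPLE_LOG))
```

The status code is the important column: a 404 means the scanner found nothing, while a 200 on a path such as /.env means the file was served and every credential in it should be treated as compromised and rotated, not merely blocked from further access.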

Multi-stage malware deployment

After they gain access to a system, the attackers attempt to execute a shell script called rconf that performs several checks, sets environment variables, and downloads the main payload. For example, it checks whether the /tmp directory exists, is writable, and allows execution; if it doesn’t, the script attempts to mount it. It also checks that the system’s architecture is x86_64, as the payload will not run on ARM or other CPU types.

The script then downloads a file called avatar.php, saves it to the /tmp directory under the name httpd — a name typically used by the Apache web server process — and executes it. Interestingly, the download request for avatar.php must carry a specific User-Agent header to receive the malicious payload; otherwise the attackers’ server returns a benign PHP file.

The httpd payload is a Linux executable detected as malware by several antivirus engines. This multipurpose malware dropper serves as the main component. After execution it uses process masquerading to create a copy of itself with the name of the process that originally ran it — in this case sh, the Linux shell — and then executes itself again with that name, killing the previous copy.

The malware also attempts to exploit CVE-2021-4043, a privilege escalation in the Linux polkit package, to gain root privileges.

“By deleting the original binary and copying itself to another location, the malware avoids detection from static file-based security measures that might be monitoring the original location,” the researchers wrote. “The /tmp directory is a common target because it is typically writable and frequently used for temporary files, making it less suspicious. Deleting the original binary and killing itself can make it harder for security analysts to trace back the activity to the original payload, thereby complicating forensic analysis.”

The new sh copy gathers information about the OS and drops nine binaries: four copies of itself in various locations using different names to impersonate legitimate binaries and libraries, several rootkits, the cryptominer, and another file used for persistence to ensure the main process is running.

Rootkits and privilege escalation

The main rootkit component, libgcwrap.so, is loaded through the LD_PRELOAD mechanism so that it is mapped before other shared libraries. Once in memory, it hooks libpam and libpcap symbols, replacing pam_authenticate, which is part of the user login path, and pcap_loop, the packet capture loop of the libpcap network traffic capture library.

By hooking these functions, the rootkit can tamper with the login process, for example to capture credentials, and can interfere with security monitoring tools, network analyzers, and anything else that inspects packets through libpcap.
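Two of the traits described above, the renamed copy running from /tmp with its original binary deleted and the LD_PRELOAD rootkit, are both visible from /proc. The following Python is an added example (not Aqua’s code) that walks a /proc tree and flags processes whose backing executable has been deleted, that run from a temp directory, whose name does not match their executable, or that carry LD_PRELOAD in their environment, and also reports a populated /etc/ld.so.preload. The sample process tree, the pids in it and the library path /usr/lib/libgcwrap.so are constructed for the demo; on a real host, run it as root against /proc.

```python
"""Hunt a /proc tree for deleted or masquerading executables and LD_PRELOAD
(added example, not Aqua's code; the sample tree is constructed)."""
import os
import tempfile

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
COMM_LEN = 15  # the kernel truncates /proc/<pid>/comm to 15 characters


def _read(path):
    try:
        with open(path, "rb") as f:
            return f.read()
    except OSError:
        return b""


def inspect_process(pid_dir):
    """Return a list of findings for one /proc/<pid> directory (empty if clean)."""
    findings = []
    comm = _read(os.path.join(pid_dir, "comm")).decode(errors="replace").strip()
    try:
        exe = os.readlink(os.path.join(pid_dir, "exe"))
    except OSError:
        return findings  # kernel thread, or not root (other users' exe links need root)
    if exe.endswith(" (deleted)"):
        findings.append(f"backing binary deleted from disk: {exe}")
        exe = exe[: -len(" (deleted)")]
    if exe.startswith(TEMP_DIRS):
        findings.append(f"executable runs from a temp directory: {exe}")
    if comm and os.path.basename(exe)[:COMM_LEN] != comm:
        findings.append(f"process name {comm!r} does not match executable {exe!r}")
    for var in _read(os.path.join(pid_dir, "environ")).split(b"\0"):
        if var.startswith(b"LD_PRELOAD="):
            findings.append(var.decode(errors="replace"))
    return findings


def hunt(proc_root="/proc", preload_file="/etc/ld.so.preload"):
    """Return {pid: findings} for suspicious processes, plus an
    'ld.so.preload' entry when a system-wide preload is configured."""
    report = {}
    preload = _read(preload_file).decode(errors="replace").strip()
    if preload:
        report["ld.so.preload"] = [f"system-wide preload configured: {preload}"]
    for entry in os.listdir(proc_root):
        if entry.isdigit():
            findings = inspect_process(os.path.join(proc_root, entry))
            if findings:
                report[int(entry)] = findings
    return report


def build_sample_proc(root):
    """Write a constructed /proc lookalike under root; returns its preload file.
    Pids and the library path /usr/lib/libgcwrap.so are assumptions."""
    procs = {
        1001: ("sshd", "/usr/sbin/sshd", b"PATH=/usr/bin\0HOME=/root\0"),
        # dropper copy renamed to sh, original deleted, rootkit preloaded
        4242: ("sh", "/tmp/sh (deleted)", b"PATH=/usr/bin\0LD_PRELOAD=/usr/lib/libgcwrap.so\0"),
        4243: ("perfctl", "/tmp/perfctl", b"PATH=/usr/bin\0"),
    }
    for pid, (comm, exe, environ) in procs.items():
        d = os.path.join(root, str(pid))
        os.makedirs(d)
        with open(os.path.join(d, "comm"), "w") as f:
            f.write(comm + "\n")
        os.symlink(exe, os.path.join(d, "exe"))  # dangling link, like a deleted exe
        with open(os.path.join(d, "environ"), "wb") as f:
            f.write(environ)
    preload = os.path.join(root, "ld.so.preload")
    with open(preload, "w") as f:
        f.write("/usr/lib/libgcwrap.so\n")
    return preload


def demo():
    """Run the hunt against the constructed tree and return the report."""
    with tempfile.TemporaryDirectory() as root:
        return hunt(root, build_sample_proc(root))


if __name__ == "__main__":
    for key, findings in sorted(demo().items(), key=str):
        print(key, findings)
```

Expect some noise from the name check: processes that rewrite their own argv or comm (database workers, some daemons) will mismatch legitimately, so treat that finding as corroboration rather than proof. The deleted-binary and LD_PRELOAD findings are far more specific. Note also that a preloaded rootkit hooks every dynamically linked program, this script’s interpreter included, so for a host you already suspect, read /proc from a statically linked tool or mount the disk from clean media.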

The malware also drops modified copies of top, ldd, lsof, and crontab. These system utilities enable an administrator to inspect a system. For example, top can help monitor the resource consumption of processes, so if an admin calls on top to investigate a system slowdown, the modified version will hide the cryptomining process.

The utility ldd displays the dynamic dependencies required by an executable. Modifying ldd enables the attackers to hide their own malicious libraries if someone investigates their malware executable.

Crontab is used to schedule and execute tasks (cron jobs) at specific times. It is often abused by malware authors as a persistence mechanism to ensure their malware is restarted. The utility lsof lists what files, sockets, and network connections are opened by various processes.

“This makes perfect sense that the threat actor is trying to modify the results of these utilities as they may be used by developers or security engineers to evaluate the server and understand what is attacking the machine,” the researchers wrote.
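Because the tools an admin would reach for are the ones that were replaced, the practical countermeasure is file integrity monitoring of those binaries against a baseline taken from a known-good state. The following Python is an added example (not Aqua’s code) that snapshots hash, size, mode and symlink target for a list of utilities, stores the baseline as JSON, and later reports which entries were modified, removed or retargeted. The demo() function works on constructed stand-in files in a temporary directory; the wrapper it writes to simulate a trojanized top, and the path /usr/bin/top.real inside it, are invented for the demo.

```python
"""File-integrity check for the administrative utilities the report says were
replaced (added example, not Aqua's code; demo() uses constructed files)."""
import hashlib
import json
import os
import tempfile

# Utilities the article says perfctl replaces with modified copies.
WATCHED = ["/usr/bin/top", "/usr/bin/ldd", "/usr/bin/lsof", "/usr/bin/crontab"]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(paths):
    """Record hash, size, mode and the real target behind any symlink."""
    snap = {}
    for p in paths:
        try:
            real = os.path.realpath(p)
            st = os.stat(real)
            snap[p] = {"real": real, "sha256": sha256_file(real),
                       "size": st.st_size, "mode": oct(st.st_mode & 0o7777)}
        except OSError:
            snap[p] = None  # absent on this host
    return snap


def save_baseline(snap, path):
    with open(path, "w") as f:
        json.dump(snap, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def verify(baseline, paths=None):
    """Compare live state with the baseline. Returns {path: status}."""
    paths = list(paths) if paths else list(baseline)
    live = snapshot(paths)
    result = {}
    for p in paths:
        old, new = baseline.get(p), live[p]
        if old is None and new is None:
            result[p] = "missing"
        elif old is None:
            result[p] = "unbaselined"
        elif new is None:
            result[p] = "removed"
        elif old["sha256"] != new["sha256"]:
            result[p] = "modified"
        elif old["real"] != new["real"]:
            result[p] = "retargeted"  # symlink now points at a different file
        elif old["mode"] != new["mode"]:
            result[p] = "mode changed"
        else:
            result[p] = "ok"
    return result


def demo():
    """Baseline four constructed stand-ins, tamper with two, and verify.
    Returns {basename: status}."""
    with tempfile.TemporaryDirectory() as d:
        files = {n: os.path.join(d, n) for n in ("top", "ldd", "lsof", "crontab")}
        for name, p in files.items():
            with open(p, "wb") as f:
                f.write(b"#!/bin/sh\necho real " + name.encode() + b"\n")
            os.chmod(p, 0o755)
        baseline_path = os.path.join(d, "baseline.json")
        save_baseline(snapshot(files.values()), baseline_path)
        # simulate a trojanized top that filters the miner out of its output
        # (/usr/bin/top.real is invented for this demo)
        with open(files["top"], "wb") as f:
            f.write(b"#!/bin/sh\n/usr/bin/top.real | grep -v perfctl\n")
        os.remove(files["lsof"])
        status = verify(load_baseline(baseline_path))
        return {os.path.basename(p): s for p, s in status.items()}


if __name__ == "__main__":
    print(demo())
```

On a real host, take the baseline with save_baseline(snapshot(WATCHED), path) at provisioning time and keep the JSON off the box, since an attacker with root can rewrite a local baseline as easily as the binaries. Where the utilities came from packages, the package manager offers the same check without a custom baseline (dpkg -V on Debian-derived systems, rpm -Vf /usr/bin/top on RPM-based ones), with the same caveat as above: a preloaded rootkit can hook the verifier too, so a suspected host is best checked from a statically linked tool or with its disk mounted from clean media.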

Cryptomining and backdoors

The dropped Monero cryptominer, called perfctl, is meant to impersonate the perf Linux performance monitoring tool, with the common ctl suffix, short for “control”, that appears in many management utilities such as systemctl and journalctl.

The malware uses Tor for command and control and listens for operator commands, so it also functions as a backdoor that can be used for remote access.

“During one of our sandbox tests, the threat actor utilized one of the malware’s backdoors to access the honeypot and started deploying some new utilities to better understand the nature of our server, trying to understand what exactly we are doing to its malware,” the researchers wrote.

In some instances, the researchers also noticed the deployment of proxy software that allows attackers to sell unwitting victims’ unused network bandwidth through proxy networks. This technique is known as proxyjacking.

The Aqua Security report includes a list of indicators of compromise such as file hashes, domain names, and IP addresses, as well as detection strategies that make use of system behavior monitoring, log analysis, file and process integrity monitoring, and network traffic analysis.
