Perfectl: Linux malware lets servers secretly perform cryptomining and more

Sophisticated malware is infecting masses of Linux servers with incorrect configurations. This remained undetected for a long time.

(Image: Servers in a data center. Gorodenkoff/Shutterstock.com)

A recently discovered malware program is targeting Linux servers: As the experts at cybersecurity consultancy Aqua Security report, the program called "Perfectl" has probably been in circulation since 2021 and infects Linux systems in order to secretly use them as proxy servers and for cryptomining. The malicious program can also act as a loader for other unwanted programs.

According to the analysis report, "Perfectl" has probably already attacked millions of servers. The authors of the report, Assaf Morag and Idan Revivo, estimate that the number of devices successfully infected by the malware is in the thousands. "Perfectl" searches for around 20,000 different types of misconfigurations that Linux servers can potentially exhibit; the chance that your own system is infected essentially exists as soon as the server is connected to the Internet, Morag and Revivo clarify.

In all known cases, the malware executed a cryptominer. In some cases, proxy-jacking software was also used, according to the report. While the two analysts were carrying out sandbox tests with the malware, they also made an observation: it installed other programs in the background in order to covertly monitor what was happening.

The malware camouflages itself particularly well and remains persistent on the target devices. Aqua Security was able to uncover a number of tactics. For example, "Perfectl" uses rootkits to conceal its presence. If a new user logs in, the malware immediately terminates all activities that could be conspicuous. If the user logs out again, the activities resume.

Communication within the server runs via Unix sockets, while external communication is routed via Tor servers, making it impossible to trace. After installation, "Perfectl" deletes its binary files and continues to run as a background program. It copies itself from memory to various locations on the hard disk and uses misleading names.

In addition, "Perfectl" opens a backdoor on the server and "eavesdrops" on Tor communication. The program also attempts to exploit the Polkit vulnerability (CVE-2021-4043) to escalate its privileges. The vulnerability was patched last year in Apache RocketMQ, a messaging and streaming platform found on many Linux machines. This is probably a typical example of the malware's strategy of exploiting a number of variants of incorrectly configured or outdated systems.

Once Perfectl has successfully established itself, it primarily operates cryptomining. Another source of income for the authors is apparently a proxy service for other cybercriminals, who can then route their Internet traffic through the hacked Linux servers to conceal their own identity. In addition, the malware acts as a loader and thus always offers the option of installing further programs on the affected servers.

A typical first symptom of the malware is an enormously high CPU load of almost 100 percent. The analysts provide further tips on how to recognize a possible "Perfectl" attack in their report.
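One concrete check a defender can run on a suspect host follows from the behaviour described above: the malware deletes its binary after launch and keeps running from memory, and the kernel marks such processes by appending " (deleted)" to the `/proc/<pid>/exe` link target. The script below is an added example written for this article, not code from Aqua Security's report; it assumes a standard Linux `/proc` layout, and the process names in the test are constructed.

```shell
#!/bin/sh
# find_deleted_exe [PROC_ROOT]
# Print "<pid> <comm> <exe target>" for every process whose executable has
# been unlinked from disk. A process that deleted its own binary after
# starting (as the article describes for Perfectl) shows up here. So does a
# legitimate daemon whose binary was replaced by a package upgrade, so each
# hit needs to be verified, e.g. by checking /proc/<pid>/cmdline and cwd.
# PROC_ROOT is a parameter only so the function can be exercised against a
# constructed directory tree; on a live host it defaults to /proc.
find_deleted_exe() {
    proc_root="${1:-/proc}"
    for pid_dir in "$proc_root"/[0-9]*; do
        [ -d "$pid_dir" ] || continue
        # readlink succeeds even when the target no longer exists
        target=$(readlink "$pid_dir/exe" 2>/dev/null) || continue
        case "$target" in
            *" (deleted)")
                pid=${pid_dir##*/}
                comm=$(cat "$pid_dir/comm" 2>/dev/null)
                printf '%s %s %s\n' "$pid" "$comm" "$target"
                ;;
        esac
    done
}

# count_deleted_exe [PROC_ROOT]: number of hits, convenient for alerting
count_deleted_exe() {
    find_deleted_exe "$1" | wc -l | tr -d ' '
}

# top_cpu [N]: the N heaviest CPU consumers, to pair with the high-load
# symptom the article mentions (--sort is a GNU procps option).
top_cpu() {
    ps -eo pid,pcpu,comm --sort=-pcpu 2>/dev/null | head -n "$(( ${1:-5} + 1 ))"
}
```

On a real host, run `find_deleted_exe` as root so every process's `exe` link is readable, and treat any hit whose binary is gone and whose CPU usage is high as a candidate for further investigation.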

The community has already taken note of the problems caused by the sophisticated malware. On various forums such as Reddit, for example, users have complained that they have tried to remove a strange program several times without success – and that it keeps reappearing even if they delete affected files completely.

The name "Perfectl" also emerged in numerous threads on the subject on various developer forums such as Reddit or Stack Overflow. Morag and Revivo then decided to adopt the name. Their report is likely to keep many Linux server admins busy in the near future.

(nen)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.