New Perfctl Malware Targets Linux Servers for Cryptocurrency Mining and Proxyjacking

Summary:
Linux servers are being targeted by a stealthy malware strain dubbed "perfctl" that deploys cryptocurrency mining and proxyjacking software. It relies on several evasion techniques: it pauses its activity whenever a user logs in, deletes its own binary from disk after launch while continuing to run in memory, and copies itself to other locations on the host. To gain root and install the miner it exploits a Polkit privilege-escalation flaw, cited by the source as CVE-2021-4043 (practitioners should note that the widely known Polkit pkexec bug, PwnKit, is tracked as CVE-2021-4034). The name "perfctl" is chosen to resemble legitimate system processes such as the perf profiling tool. Initial access typically comes through vulnerable, internet-exposed Apache RocketMQ instances, which are used to deliver the payload. Once running, perfctl may also fetch additional proxyjacking tools from remote servers.

Security Officer Comments:
The perfctl campaign shows how much effort attackers now put into evading detection on Linux hosts, especially internet-exposed ones. Because it masquerades as legitimate activity and goes quiet while an administrator is logged in, security teams cannot rely on casual observation or CPU spikes alone to identify and contain it.

Suggested Corrections:
To mitigate the risks associated with perfctl, organizations should close the entry points the campaign relies on: patch internet-exposed Apache RocketMQ instances and the Polkit privilege-escalation flaw, and keep all systems and software current with security updates. They should also hunt for the behaviors the malware exhibits rather than waiting for resource-usage alerts, since it pauses mining when a user is logged in. Processes whose backing binary has been deleted from disk, and processes carrying the perfctl name, are the indicators the report describes.
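As an added example (not code from the article or from the researchers who reported perfctl), the following POSIX shell script hunts for the two traits described above: a running process whose on-disk binary has been deleted, which Linux exposes as a "(deleted)" suffix on the /proc/PID/exe link, and a process using the perfctl name. The sample listing at the bottom is constructed for illustration, not captured from a real infection; the record format, function names and the --live flag are this example's own conventions.

```shell
#!/bin/sh
# Added example: hunt for perfctl-style traits on a Linux host.
# A process whose binary was removed after launch shows "(deleted)" in its
# /proc/PID/exe link; "perfctl" is not a standard tool (the profiler is "perf").
# Record format used throughout: "<pid> <comm> <exe-link-target>".

# Decide whether one process record is suspicious.
# Prints a reason and returns 0 when it is, returns 1 otherwise.
flag_process() {
    pid=$1; comm=$2; exe=$3
    case "$exe" in
        *"(deleted)"*)
            echo "pid $pid comm=$comm: backing binary was deleted ($exe)"
            return 0 ;;
    esac
    case "$comm" in
        perfctl)
            echo "pid $pid comm=$comm: name matches the perfctl indicator"
            return 0 ;;
    esac
    return 1
}

# Read records from stdin and print one line per suspicious process.
scan_records() {
    while read -r pid comm exe; do
        [ -n "$pid" ] || continue
        flag_process "$pid" "$comm" "$exe" || true
    done
}

# Number of suspicious records on stdin (what an alert rule would threshold on).
count_suspicious() {
    scan_records | wc -l | tr -d ' '
}

# Build records from the live host. Run as root: without it, readlink on
# another user's /proc/PID/exe fails and the target is recorded as "-".
# Kernel threads have no exe link and are recorded the same way.
collect_live_records() {
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        comm=$(cat "$p/comm" 2>/dev/null) || continue
        exe=$(readlink "$p/exe" 2>/dev/null) || exe="-"
        printf '%s %s %s\n' "$pid" "$comm" "$exe"
    done
}

# Constructed sample listing (not from a real infection): a normal init
# process, a shell whose binary was removed after launch, and a process
# carrying the perfctl name.
SAMPLE_RECORDS='1 systemd /usr/lib/systemd/systemd
4242 sh /tmp/sample (deleted)
4243 perfctl /usr/bin/perfctl'

if [ "${1:-}" = "--live" ]; then
    collect_live_records | scan_records
else
    printf '%s\n' "$SAMPLE_RECORDS" | scan_records
fi
```

Run it with --live as root to scan the host; without arguments it scans the constructed sample and reports the two suspicious records. A deleted backing binary is not proof of compromise on its own (package upgrades leave long-running daemons in the same state until restarted), so treat a hit as a lead to triage, for instance by comparing the process's command line and memory maps against the package it claims to belong to.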

Link(s):
https://thehackernews.com/2024/10/new-perfctl-malware-targets-linux.html