Other forums include: Reddit, Stack Overflow (Spanish), forobeta (Spanish), brainycp (Russian), natnetwork (Indonesian), Proxmox (German), Camel2243 (Chinese), svrforum (Korean), exabytes, virtualmin, serverfault and many others.
After exploiting a vulnerability or misconfiguration, the exploit code downloads the main payload from a server which, in most cases, has itself been compromised by the attacker and turned into an anonymous malware distribution channel. In the attack on the researchers’ honeypot, the payload was named httpd. Once running, the file copies itself from memory to a new location in the /tmp directory, executes the copy, then terminates the initial process and deletes the downloaded binary.
Once in /tmp, the file runs under a different name that mimics a well-known Linux process; the file observed in the honeypot was named sh. From there, it establishes a command-and-control channel and attempts to gain root privileges by exploiting CVE-2021-4043, a privilege-escalation vulnerability discovered in 2021 in Gpac, a widely used open source media framework.
The malware continues to copy itself from memory to several other locations on disk, using names that look like those of system files. It then drops a rootkit, a number of popular Linux utilities modified to act as rootkits, and mining software. In some cases, the malware also includes software for “proxy hijacking,” a term for secretly routing traffic through an infected machine so that the true origin of the traffic is not revealed.
The researchers continued:
By extracting data such as the number of Linux servers connected to the Internet across various services and applications, as tracked by services such as Shodan and Censys, the researchers estimate that the number of machines infected by Perfctl is in the thousands. They say the number of vulnerable machines, meaning those that have not yet installed the CVE-2023-33426 patch or that have other exploitable vulnerabilities, is in the millions. The researchers have yet to measure how much cryptocurrency the malicious miners have produced.
Anyone who wants to determine whether their device has been targeted or infected by Perfctl should check the indicators of compromise included in Thursday’s post. They should also watch for unusual spikes in CPU usage or sudden system slowdowns, especially during periods of inactivity. Thursday’s report also provides measures for preventing infection in the first place.
This story originally appeared on Ars Technica.
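The behaviour described above (a copy executed from /tmp under a borrowed process name, with the downloaded binary deleted afterwards) leaves traces in /proc that a defender can check alongside the CPU-usage advice. The following triage script is an added example, not code from the researchers or from Ars Technica; it assumes /var/tmp and /dev/shm belong in the suspicious-directory set and treats the name-mismatch check as a secondary signal only.

```python
import os
from dataclasses import dataclass
from typing import List

# Temp directories the malware copies itself into before executing (the page names /tmp;
# /var/tmp and /dev/shm are added here as an assumption).
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
DELETED = " (deleted)"  # the kernel appends this to /proc/<pid>/exe once the file is unlinked

@dataclass
class Proc:
    pid: int
    comm: str  # /proc/<pid>/comm, the name ps and top display
    exe: str   # target of the /proc/<pid>/exe symlink

def triage(p: Proc) -> List[str]:
    """Reasons a process deserves a closer look; an empty list means none."""
    reasons, path = [], p.exe
    if path.endswith(DELETED):
        # Binary unlinked after exec (the "deletes the downloaded binary" step); the image now lives only in memory.
        reasons.append("binary deleted on disk")
        path = path[: -len(DELETED)]
    if path.startswith(SUSPECT_DIRS):
        reasons.append("executable lives under a temp directory")
    name = os.path.basename(path)
    if reasons and name[:15] != p.comm:
        # comm is at most 15 chars and can be set freely, so a process calling itself "sh" or "httpd" while its
        # image is elsewhere is the masquerading described above. Alone this is noisy, so it only joins another finding.
        reasons.append(f"name {p.comm!r} does not match binary {name!r}")
    return reasons

def snapshot() -> List[Proc]:
    """Live processes from /proc (Linux only; run as root to read every exe link)."""
    procs = []
    for entry in os.listdir("/proc") if os.path.isdir("/proc") else []:
        if not entry.isdigit():
            continue
        try:
            exe = os.readlink(f"/proc/{entry}/exe")
            with open(f"/proc/{entry}/comm") as fh:
                comm = fh.read().strip()
        except OSError:
            continue  # kernel thread, already exited, or not permitted
        procs.append(Proc(int(entry), comm, exe))
    return procs

if __name__ == "__main__":
    for proc in snapshot():
        if reasons := triage(proc):
            print(f"pid {proc.pid} [{proc.comm}] {proc.exe}: " + "; ".join(reasons))
```

Run it periodically (or from a cron job during idle hours) and compare the output against the indicators in the researchers' post; a hit on the deleted-binary check means the image must be recovered from /proc/<pid>/exe before the process is killed.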