The new Linux malware “Perfctl” is targeting millions of servers globally by mimicking legitimate system files to evade detection. Discovered by Aqua Nautilus, the malware exploits misconfigurations and vulnerabilities, primarily for cryptomining and hijacking system resources. It has been active for several years but recently gained attention after attacking a honeypot.
Perfctl uses rootkits and advanced evasion techniques, such as suspending activity when new users log in and using Unix sockets and the Tor network to hide its operations. The attack starts by downloading a payload, which replicates itself across the system under different names to ensure persistence. The malware’s primary goal is cryptomining, but it also engages in proxy-jacking and attempts to exploit the Polkit vulnerability (CVE-2021-4043) for root access.
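The two traits described above, a process that mimics a legitimate system name and copies of itself planted under other names and locations, are detectable with a simple process audit. The following is an added example (not code from the original report or from Aqua Nautilus) that checks each process's name against the binary backing it, as exposed by `/proc/<pid>/comm` and `/proc/<pid>/exe`. The trusted and untrusted directory lists, the set of known daemon names, and the sample process records are all constructed assumptions for this example; in practice the daemon-name set would be derived from the package manager.

```python
"""Process-masquerade audit: flag processes whose name and backing binary disagree.

Added example; heuristics and sample data are constructed, not taken from the report.
"""
import os
from dataclasses import dataclass

# Where system binaries legitimately live (assumption: adjust per distribution).
TRUSTED_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/lib/", "/usr/libexec/")
# World-writable or user-owned locations a system daemon has no business running from.
UNTRUSTED_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/", "/home/", "/root/")
# Names a masquerading binary might borrow (assumption: a real deployment would
# build this set from the package database rather than hard-code it).
SYSTEM_NAMES = {"sshd", "systemd", "cron", "crond", "rsyslogd", "dbus-daemon"}


@dataclass
class Proc:
    pid: int
    comm: str  # name as reported by ps / /proc/<pid>/comm (kernel truncates to 15 chars)
    exe: str   # resolved /proc/<pid>/exe link; "" for kernel threads, " (deleted)" suffix if unlinked


def suspicion_reasons(p: Proc) -> list[str]:
    """Return the reasons a process looks like a masquerading binary (empty if clean)."""
    if p.exe == "":
        return []  # genuine kernel thread (or unreadable link): nothing to compare against
    reasons = []
    path = p.exe
    if path.endswith(" (deleted)"):
        reasons.append("backing binary was deleted after exec")
        path = path[: -len(" (deleted)")]
    if path.startswith(UNTRUSTED_DIRS):
        reasons.append(f"runs from untrusted directory {os.path.dirname(path)}")
    # A process claiming one name but backed by a differently named binary.
    binary = os.path.basename(path)
    if binary[:15] != p.comm:
        reasons.append(f"name {p.comm!r} does not match binary {binary!r}")
    # A well-known daemon name whose binary is not in a trusted system directory.
    if p.comm in SYSTEM_NAMES and not path.startswith(TRUSTED_DIRS):
        reasons.append(f"system daemon name {p.comm!r} outside trusted directories")
    return reasons


def flag_processes(procs: list[Proc]) -> dict[int, list[str]]:
    """Map pid -> reasons for every process with at least one suspicion reason."""
    return {p.pid: r for p in procs if (r := suspicion_reasons(p))}


def collect_live_procs() -> list[Proc]:
    """Read the running process table from /proc (requires root to see every exe link)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as f:
                comm = f.read().rstrip("\n")
            try:
                exe = os.readlink(f"/proc/{entry}/exe")
            except (FileNotFoundError, PermissionError):
                exe = ""  # kernel thread, exited, or not ours to inspect
            procs.append(Proc(int(entry), comm, exe))
        except (FileNotFoundError, ProcessLookupError):
            continue  # process exited while we were reading it
    return procs


# Constructed sample records modelled on /proc output; not from an infected host.
SAMPLE_PROCS = [
    Proc(1, "systemd", "/usr/lib/systemd/systemd"),
    Proc(14, "kworker/0:1", ""),                             # real kernel thread
    Proc(812, "sshd", "/usr/sbin/sshd"),
    Proc(2311, "kworker/1:2", "/dev/shm/.x/kw (deleted)"),  # user-space process posing as a kernel thread
    Proc(2390, "sshd", "/tmp/.ssh/sshd"),                   # legitimate name, wrong location
    Proc(2450, "cron", "/usr/local/bin/cron"),              # daemon name outside trusted dirs
    Proc(3001, "app", "/opt/app/bin/app"),                  # unusual path but self-consistent
]

if __name__ == "__main__":
    for pid, reasons in flag_processes(SAMPLE_PROCS).items():
        print(pid, "; ".join(reasons))
```

Run as root with `flag_processes(collect_live_procs())` to audit a live host; on the constructed sample it reports pids 2311, 2390 and 2450 and leaves the genuine kernel thread and the `/opt` application alone. The name-versus-binary comparison is the part that matters against a sample that copies itself under borrowed names: a renamed copy can choose any `comm`, but `/proc/<pid>/exe` still resolves to wherever the file actually sits, unless a rootkit is hiding that too, which is why this check complements rather than replaces kernel-level integrity tooling.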
To mitigate risks, system administrators are advised to keep their systems updated, conduct vulnerability assessments, and use robust security measures like firewalls and endpoint protection.