Linux systems are being hit by a wide-ranging and dangerous new malware

Linux systems are being targeted by a dangerous new malware that can serve as a loader, a proxy, and a cryptocurrency miner.

Called Perfctl, the malware was recently spotted by cybersecurity researchers from Aqua Security, who claim it has been around since at least 2021, and has so far infected thousands of Linux endpoints. There are two main ways threat actors deploy Perfctl – either by exploiting thousands of possible misconfigurations, or by abusing a 10/10 vulnerability discovered last year.

Misconfigurations can be practically anything, weak passwords included. As for vulnerabilities, the researchers saw CVE-2023-33426 being abused. This is an out-of-bounds read flaw with a severity score of 10/10, found in the messaging and streaming platform Apache RocketMQ.

Proxy and loader

Once the malware is deployed, it goes the extra mile to remain hidden and persistent, leaving users on Reddit complaining that they were unable to remove it from their devices, even after deleting multiple components.

Once running, Perfctl can do a number of things. Its most prominent feature seems to be mining cryptocurrency for the attackers. However, it can also serve as a proxy for a commercial service, with other crooks paying to have their traffic routed through these devices and thus anonymized. Finally, the malware can serve as a loader, deploying other programs as necessary.

So far, the researchers have not determined who is behind the attack, or what their end goal is. They added that while the number of infected devices is in the thousands, the number of potential targets is in the millions – suggesting that Linux system operators should be on the lookout for potential indicators of compromise.

Via Ars Technica

