
Stealth malware has infected thousands of Linux systems for years


Other discussions include: reddit, Stack Overflow (Spanish), forobeta (Spanish), brain (Russian), nat network (Indonesian), Proxmox (German), camel2243 (Chinese), svr forum (Korean), exabytes, virtual minute, server crash and many others.

After exploiting a vulnerability or misconfiguration, the exploit code downloads the main payload from a server that, in most cases, has been hacked by the attacker and turned into a channel to distribute the malware anonymously. An attack targeting the researchers’ honeypot named the payload httpd. Once executed, the file copies itself from memory to a new location in the /tmp directory, executes that copy, and then terminates the original process and deletes the downloaded binary.

Once moved to the /tmp directory, the file runs under a different name, which mimics the name of a known Linux process. The file hosted in the honeypot was named sh. From there, the file establishes a local command and control process and attempts to gain root privileges by exploiting CVE-2021-4043, a privilege escalation vulnerability that was patched in 2021 in Gpac, a widely used open source multimedia framework.

The malware continues to copy itself from memory to a handful of other disk locations, once again using names that appear like routine system files. The malware then places a rootkit, a series of popular Linux utilities that have been modified to serve as rootkits, and the miner. In some cases, the malware also installs “proxy hijacking” software, the term for surreptitiously routing traffic through the infected machine so that the true origin of the data is not revealed.

The researchers continued:

As part of its command and control operation, the malware opens a Unix socket, creates two directories in the /tmp directory, and stores data there that influences its operation. This data includes host events, locations of its copies, process names, communication logs, tokens, and additional logging information. Additionally, the malware uses environment variables to store data that further affects its execution and behavior.

All binaries are packaged, decompressed, and encrypted, indicating significant efforts to bypass defense mechanisms and thwart reverse engineering attempts. The malware also uses advanced evasion techniques, such as suspending its activity when it detects a new user in the btmp or utmp files and removing any competing malware to maintain control over the infected system.

By extrapolating data such as the number of Linux servers connected to the Internet through various services and applications, as tracked by services such as Shodan and Censys, researchers estimate that the number of machines infected by Perfctl is measured in the thousands. They say the pool of vulnerable machines, meaning those that have not yet installed the patch for CVE-2023-33426 or contain a vulnerable misconfiguration, is in the millions. Researchers have yet to measure the amount of cryptocurrency the malicious miners have generated.

People who want to determine if their device has been attacked or infected by Perfctl should look for the indicators of compromise included in Thursday’s post. They should also be on the lookout for unusual spikes in CPU usage or sudden system slowdowns, especially if they occur during idle times. Thursday’s report also provides measures to prevent infections in the first place.
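As an added illustration (not code from the article, from Ars Technica, or from the researchers), the following Python script turns the behaviour described in the paragraphs above and in the quoted passage into host-side triage checks: executables running from /tmp, processes whose backing binary was deleted after launch, process names that imitate system daemons but do not resolve to a trusted path, and Unix sockets created under temporary directories. The process inventory and /proc/net/unix text embedded below are constructed sample data; the list of mimicked names and the trusted path prefixes are assumptions to tune per host.

```python
"""Triage heuristics for the Perfctl-style behaviour described in the article.

Constructed example, not the researchers' tooling.  It checks a process
inventory for traits the article describes (copies run from /tmp under
borrowed names, the original binary deleted, Unix sockets and data kept in
/tmp).  A /proc reader is included for live use on Linux; the sample data
below is constructed so the module also runs offline.
"""
import os
from dataclasses import dataclass

# Names the article says the malware borrows (httpd, sh) plus a few common
# daemons.  Assumption: extend this set to match the host's real process list.
MIMICKED_NAMES = {"httpd", "sh", "bash", "sshd", "cron", "systemd", "kworker"}
# Where a genuine copy of those binaries is expected to live (assumption).
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/",
                    "/usr/lib/", "/usr/libexec/")
# World-writable scratch locations the malware stages itself in.
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class ProcInfo:
    pid: int
    comm: str   # process name as shown in /proc/<pid>/comm
    exe: str    # target of /proc/<pid>/exe; ends in " (deleted)" if unlinked


def assess(p: ProcInfo) -> list[str]:
    """Return human-readable findings for one process (empty list = clean)."""
    findings = []
    exe_clean = p.exe.replace(" (deleted)", "")
    if exe_clean.startswith(SUSPECT_DIRS):
        findings.append(f"pid {p.pid}: executable runs from {exe_clean}")
    if p.exe.endswith("(deleted)"):
        findings.append(f"pid {p.pid}: backing binary deleted while running ({exe_clean})")
    if p.comm in MIMICKED_NAMES and not exe_clean.startswith(TRUSTED_PREFIXES):
        findings.append(f"pid {p.pid}: name '{p.comm}' mimics a system process, exe is {exe_clean}")
    return findings


def suspect_unix_sockets(net_unix_text: str) -> list[str]:
    """Parse /proc/net/unix text and return socket paths under SUSPECT_DIRS."""
    hits = []
    for line in net_unix_text.splitlines():
        parts = line.split()
        # Header row, or an unnamed socket (no Path column): skip.
        if not parts or parts[0] == "Num" or len(parts) < 8:
            continue
        if parts[7].startswith(SUSPECT_DIRS):
            hits.append(parts[7])
    return hits


def triage(procs: list[ProcInfo], net_unix_text: str) -> dict:
    """Run both checks and return {"processes": {pid: findings}, "sockets": [...]}."""
    per_pid = {p.pid: assess(p) for p in procs}
    return {"processes": {pid: f for pid, f in per_pid.items() if f},
            "sockets": suspect_unix_sockets(net_unix_text)}


def read_proc() -> list[ProcInfo]:
    """Build the inventory from a live /proc (Linux; root sees every exe link)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"/proc/{entry}/exe")
        except OSError:
            continue  # kernel threads and processes we are not allowed to inspect
        procs.append(ProcInfo(int(entry), comm, exe))
    return procs


# Constructed sample data: one clean daemon, one clean httpd, one staged copy
# whose file was deleted, one /tmp binary borrowing a kernel-thread name.
SAMPLE_INVENTORY = [
    ProcInfo(1, "systemd", "/usr/lib/systemd/systemd"),
    ProcInfo(812, "httpd", "/usr/sbin/httpd"),
    ProcInfo(2031, "sh", "/tmp/.xdiag/sh (deleted)"),
    ProcInfo(2040, "kworker", "/tmp/kworker"),
]
SAMPLE_NET_UNIX = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 18271 /run/systemd/journal/stdout
0000000000000000: 00000002 00000000 00010000 0001 01 20113 /tmp/.diag.sock
0000000000000000: 00000003 00000000 00000000 0001 03 20120
"""

if __name__ == "__main__":
    inventory = read_proc() if os.path.isdir("/proc") else SAMPLE_INVENTORY
    try:
        with open("/proc/net/unix") as fh:
            net_unix = fh.read()
    except OSError:
        net_unix = SAMPLE_NET_UNIX
    report = triage(inventory, net_unix)
    for findings in report["processes"].values():
        print("\n".join(findings))
    for path in report["sockets"]:
        print(f"unix socket under a temp directory: {path}")
```

Because the article notes that the malware suspends its activity when a new login appears in utmp or btmp, run a check like this unattended (for example from a scheduled job) rather than from an interactive shell, and treat a high load average observed while no one is logged in as a prompt to run it. A process that matches several findings at once, such as the constructed pid 2031 above, is the pattern worth escalating.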

This story originally appeared on Ars Technica.
