
Hidden malware has been infecting thousands of Linux systems for years

Other discussions include: Reddit, Stack Overflow (Spanish), forobeta (Spanish), brainycp (Russian), natnetwork (Indonesian), Proxmox (German), Camel2243 (Chinese), svrforum (Korean), exabytes, virtualmin, serverfault and many more.

After exploiting a vulnerability or misconfiguration, the exploit code downloads the main payload from a server, which in most cases has itself been hacked by the attacker and turned into a conduit for anonymous distribution of malware. The payload that hit the researchers’ honeypot was named httpd. Once executed, the file copies itself from memory to a new location in the /tmp directory, runs that copy, then terminates the original process and deletes the downloaded binary.

Once moved to the /tmp directory, the file is executed under a different name that mimics the name of a known Linux process. The copy on the honeypot was named sh. From there, the file establishes a local command and control process and attempts to gain root access by exploiting CVE-2021-4043, a privilege escalation vulnerability patched in 2021 in Gpac, a widely used open source multimedia platform.

The malware then copies itself from memory to several other locations on disk, again using names that resemble regular system files. The malware then drops a rootkit, a collection of popular Linux tools that have been modified to act as rootkits, and a mining tool. In some cases, the malware also installs “proxy hijacking” software, which means that it secretly routes traffic through the infected machine so that the true origin of the data is not revealed.

The researchers continued:

As part of a command and control operation, the malware opens a Unix socket, creates two directories in the /tmp directory, and stores data there that affects its operation. This data includes host events, copy locations, process names, communication logs, tokens, and additional log information. Additionally, the malware uses environment variables to store data, which further affects its execution and behavior.

All binaries are packed, stripped and encrypted, indicating significant efforts to bypass defense mechanisms and hinder reverse engineering attempts. The malware also uses advanced evasion techniques, such as suspending its activity when a new user is detected in btmp or utmp files and destroying competing malware to maintain control over the infected system.
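The behaviour described above (a copy run from /tmp under a system-like name, the original binary deleted after launch, working directories under /tmp) leaves traces in /proc that a defender can check for. The script below is an added example, not code from the article or from the researchers; the watchlist of mimicked names and the trusted/suspect directory lists are assumptions, and the sample process records are constructed, not real telemetry.

```python
import os
from dataclasses import dataclass

# Assumed watchlist: names the article says the malware borrows (httpd, sh)
# plus a few other common daemon names. Not an official indicator list.
MIMICKED_NAMES = {"httpd", "sh", "sshd", "cron", "systemd"}
TRUSTED_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/lib/", "/usr/libexec/")
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class Proc:
    pid: int
    comm: str  # contents of /proc/<pid>/comm
    exe: str   # readlink of /proc/<pid>/exe ("<path> (deleted)" if unlinked)


def classify(p: Proc) -> list[str]:
    """Return the reasons a process resembles the behaviour described above."""
    reasons = []
    if p.exe.endswith(" (deleted)"):
        # The binary was unlinked after start: 'deletes the downloaded binary'.
        reasons.append("running from deleted file")
    if p.exe.startswith(SUSPECT_DIRS):
        reasons.append("executing from temp directory")
    if p.comm in MIMICKED_NAMES and not p.exe.startswith(TRUSTED_DIRS):
        # A system-like name whose binary is not in a system directory.
        reasons.append("system-like name outside trusted path")
    return reasons


def scan_procs(procs: list[Proc]) -> dict[int, list[str]]:
    """Map pid -> reasons for every process that triggers at least one check."""
    return {p.pid: r for p in procs if (r := classify(p))}


def collect_live() -> list[Proc]:
    """Read the running system's /proc (Linux; run as root to see every exe link)."""
    out = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/comm") as f:
                comm = f.read().strip()
            exe = os.readlink(f"/proc/{name}/exe")
        except OSError:
            continue  # process exited or exe link not readable
        out.append(Proc(int(name), comm, exe))
    return out


# Constructed sample: one legitimate httpd and bash, two mimics living in /tmp.
SAMPLE = [
    Proc(1201, "httpd", "/usr/sbin/httpd"),
    Proc(4410, "httpd", "/tmp/.x/httpd (deleted)"),
    Proc(4412, "sh", "/tmp/.x/sh"),
    Proc(902, "bash", "/usr/bin/bash"),
]

if __name__ == "__main__":
    for pid, reasons in scan_procs(SAMPLE).items():
        print(pid, "; ".join(reasons))
```

Replace SAMPLE with collect_live() to check a live host; a hit is a starting point for the file-hash and path indicators in the researchers' post, not a verdict on its own.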

Extrapolating data such as the number of Internet-connected Linux servers across various services and applications tracked by services such as Shodan and Censys, researchers estimate that the number of machines infected by Perfctl is measured in the thousands. They say the pool of vulnerable machines – those that have not yet patched CVE-2023-33426 or contain the misconfiguration vulnerability – runs into the millions. Researchers have not yet measured the amount of cryptocurrency generated by malicious miners.

People looking to determine whether their device has been targeted or infected by Perfctl should look for the compromise indicators included in Thursday’s post. They should also be on the lookout for unusual spikes in CPU usage or sudden system slowdowns, especially if they occur during periods of idleness. Thursday’s report also includes actions aimed primarily at preventing infections.

This story originally appeared on Ars Technica.