
How ‘perfctl’ malware infected millions of Linux servers undetected for years

Many of these files accompany deployed applications and contain sensitive information such as credentials or access tokens, but should not be readable by external users. Unfortunately, such misconfigurations are common. For example, security researchers recently reported that attackers harvested .env files from approximately 110,000 domains, leading to the disclosure of over 90,000 unique environment variables, 7,000 of which correspond to cloud services.

Multi-stage malware deployment

Once they gain access to the system, the attackers attempt to execute a shell script called rconf, which performs several environment checks, sets environment variables, and downloads the main payload. For example, it checks that the /tmp directory exists, is writable, and permits execution; if any of these checks fail, it tries to mount /tmp itself. It also verifies that the system architecture is x86_64, since the payload is built only for that architecture and will not run on ARM or other processor types.

The script then downloads a file called avatar.php, saves it in the /tmp directory under the name httpd (the name normally used by the Apache web server process, so that it blends in with legitimate process listings), and executes it. Notably, the attacker's server only returns the malicious payload when the request for avatar.php carries a specific User-Agent header; any other client receives a harmless PHP file. This defeats casual analysis of the download URL, so an analyst fetching it with a default browser or curl user agent will see nothing suspicious.
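The rconf stage depends on two host conditions that a defender can check directly: a /tmp that permits execution, and a process named httpd whose binary lives under /tmp rather than in a system directory. The script below is an added hunting example, not code from the article or from the malware; it parses constructed, /proc/mounts-style and process-listing-style sample lines so that it runs offline, and the function and variable names are mine. On a live host you would feed it the real /proc/mounts and the output of readlink -f on /proc/*/exe, as the comment at the end shows.

```shell
#!/bin/sh
# Added hunting check for the two conditions the rconf stage relies on:
#   1. /tmp mounted without noexec (the payload is written to and run from /tmp)
#   2. a process called "httpd" whose executable resolves under /tmp
# Function and variable names are this example's own; sample data is constructed.

# tmp_allows_exec: read /proc/mounts-style lines on stdin. Succeeds (exit 0) when
# /tmp is either not a separate mount (it then inherits the root filesystem's
# normally exec-permitting flags) or is mounted without the noexec option.
tmp_allows_exec() {
    opts=$(awk '$2 == "/tmp" { print $4 }' | tail -n 1)
    [ -z "$opts" ] && return 0            # no dedicated /tmp mount: execution allowed
    case ",$opts," in
        *,noexec,*) return 1 ;;           # noexec set: /tmp/httpd cannot be executed directly
        *)          return 0 ;;
    esac
}

# flag_tmp_httpd: read lines of the form "<pid> <comm> <exe path>" on stdin and
# print the pids whose command name is httpd but whose executable lives under /tmp.
# A genuine Apache httpd runs from a system path such as /usr/sbin, never from /tmp.
flag_tmp_httpd() {
    awk '$2 == "httpd" && index($3, "/tmp/") == 1 { print $1 }'
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_MOUNTS_EXEC='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0'
SAMPLE_MOUNTS_NOEXEC='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0'
SAMPLE_PS='1 systemd /usr/lib/systemd/systemd
1203 httpd /usr/sbin/httpd
4412 httpd /tmp/httpd
4420 sshd /usr/sbin/sshd'

# Demonstration on the constructed data.
if printf '%s\n' "$SAMPLE_MOUNTS_EXEC" | tmp_allows_exec; then
    echo "/tmp allows execution: rconf could run /tmp/httpd on this host"
fi
if printf '%s\n' "$SAMPLE_MOUNTS_NOEXEC" | tmp_allows_exec; then
    echo "unexpected: noexec /tmp reported as executable"
else
    echo "/tmp is mounted noexec: direct execution of /tmp/httpd blocked"
fi
printf '%s\n' "$SAMPLE_PS" | flag_tmp_httpd | while read -r pid; do
    echo "suspicious: pid $pid is named httpd but runs from /tmp"
done

# On a real host, build the inputs like this instead of the samples above:
#   cat /proc/mounts | tmp_allows_exec
#   for p in /proc/[0-9]*; do
#       printf '%s %s %s\n' "${p#/proc/}" "$(cat "$p/comm" 2>/dev/null)" \
#           "$(readlink -f "$p/exe" 2>/dev/null)"
#   done | flag_tmp_httpd
```

Treat the noexec check as a speed bump rather than a guarantee: the article notes that rconf tries to mount /tmp itself when the checks fail, and an attacker who already runs as root can remount it, so the process check (a binary named httpd with its exe under /tmp) is the more reliable signal of this stage having run.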