Linux Malware ‘perfctl’ Targeting Millions of Servers: A Detailed Analysis

A dangerous Linux malware named ‘perfctl’ has been wreaking havoc on servers for over three years, causing concern among cybersecurity experts. This stealthy malware is designed to use 100% of the CPU to mine the virtual currency ‘Monero’, leading to millions of servers being targeted and thousands being affected.

The existence of perfctl was first reported by security company Aqua, but reports of its activities have been circulating on the internet for several years. Users have complained about a process called perfctl consuming all of their CPU resources, indicating the malware’s presence.

Aqua’s analysis of perfctl revealed that the malware establishes internal and external communication routes upon startup, using UNIX domain sockets and Tor to execute the Monero mining tool ‘XMRig’. The malware also creates various files on the target machine to evade detection and extend its uptime.

To detect perfctl, Aqua recommends monitoring for suspicious files in specific directories, CPU spikes, unexpected processes running, changes to system logs, Tor communications to specific IP addresses, connections to cryptocurrency mining pools, and known malicious IP addresses. Additionally, monitoring for replaced system binaries and analyzing logs for misuse of system binaries, suspicious cron jobs, and falsified error messages can help identify the presence of perfctl.

As the threat of perfctl continues to loom over Linux servers, it is crucial for system administrators to remain vigilant and implement robust security measures to protect their systems from this dangerous malware.