Executive Summary
Perfectl is a malware family that targets misconfigured Linux servers. In a recent campaign, Perfectl was observed deploying cryptominers and proxyjacking software.
Key Takeaways
- Perfectl is a malware family that targets misconfigured Linux servers.
- In a recent campaign, Perfectl was observed deploying cryptominers and proxyjacking software.
- Perfectl is stealthy and is capable of exploiting over 20,000 misconfigurations.
- Perfectl was observed exploiting CVE-2023-33246 and CVE-2021-4043.
What is Perfectl?
Perfectl is a malware family that targets misconfigured Linux servers. In a recent campaign, Perfectl was observed deploying cryptominers and proxyjacking software. Aqua Nautilus reported on this activity.
Perfectl has been active since at least 2021. It is stealthy and is capable of exploiting over 20,000 misconfigurations. Vulnerabilities exploited by Perfectl include CVE-2023-33246, a remote code execution vulnerability in Apache RocketMQ, the open-source distributed messaging and streaming middleware framework, and CVE-2021-4043, a privilege escalation vulnerability in the Linux polkit package. To avoid standing out, Perfectl uses process and file names that resemble those of legitimate files commonly found in Linux environments.
Perfectl uses several other methods to evade detection: it stops its more easily detected activities when a new user logs in, communicates via a Unix socket over TOR, deletes its installation binary and continues running as a background service, hooks the libpcap function pcap_loop so that packet-capture tools on the host do not record its traffic, and suppresses mesg errors during execution.
To maintain persistence, Perfectl modifies the ~/.profile script and copies itself from memory to multiple locations on disk. The pcap_loop hooking described above can also help it persist after the primary payloads have been removed.
Perfectl uses the victim machine to mine cryptocurrency. It also turns the machine into a proxy that is monetized by giving paying customers the ability to use it as a relay for their internet traffic. The malware uses a rootkit and modifies certain system utilities to hide the Monero cryptominer and the proxyjacking activity.
IOCs
PolySwarm has multiple samples associated with this activity. SHA-256 hashes:
31ee4c9984f3c21a8144ce88980254722fd16a0724afb16408e1b6940fd599da
22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13
e16fb2a22fce5241565784b5a8518ed2becc9948d4c398093edbb70a946f9331
db81c115407267801b7c32bd3da0533306c7c586a82839ffe324e8794e3dcc01
a6d3c6b6359ae660d855f978057aab1115b418ed277bb9047cd488f9c7850747
ca3f246d635bfa560f6c839111be554a14735513e90b3e6784bedfe1930bdfd6
You can use the following CLI command to search for all related samples in our portal:
$ polyswarm link list -f Perfectl
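The behaviours described above (a payload that deletes its own binary and keeps running, a modified ~/.profile) and the hash list are the things a responder would actually check on a suspect host. The following triage script is an added example written for this write-up; it is not PolySwarm's, Aqua Nautilus's, or the malware's code. It flags processes whose /proc/<pid>/exe link ends in " (deleted)", lists lines in a user's ~/.profile that are not in the distro template /etc/skel/.profile, and hashes a directory tree against the SHA-256 IOCs above. The `demo()` function builds a constructed /proc-style tree, a constructed file tree and constructed profile contents so the script runs offline; the path `/tmp/.hidden/sshd` and the extra profile line in it are invented sample data, not observed indicators.

```python
"""Host triage checks for the Perfectl behaviours described in this report.
Added example code for this write-up, not from PolySwarm, Aqua Nautilus or the malware.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 values from the IOC list above, normalised to lowercase.
PERFECTL_SHA256 = {
    "31ee4c9984f3c21a8144ce88980254722fd16a0724afb16408e1b6940fd599da",
    "22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13",
    "e16fb2a22fce5241565784b5a8518ed2becc9948d4c398093edbb70a946f9331",
    "db81c115407267801b7c32bd3da0533306c7c586a82839ffe324e8794e3dcc01",
    "a6d3c6b6359ae660d855f978057aab1115b418ed277bb9047cd488f9c7850747",
    "ca3f246d635bfa560f6c839111be554a14735513e90b3e6784bedfe1930bdfd6",
}


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def match_iocs(root, iocs=PERFECTL_SHA256):
    """Return sorted [(path, sha256)] for regular files under root whose hash is in iocs."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_symlink() or not p.is_file():
            continue
        digest = sha256_file(p)
        if digest in iocs:
            hits.append((str(p), digest))
    return sorted(hits)


def find_deleted_exe_processes(proc_root="/proc"):
    """Return sorted [(pid, exe_target)] for processes whose executable was unlinked.

    The kernel appends ' (deleted)' to the /proc/<pid>/exe link target once the
    binary is gone, which is exactly what a payload that removes its installer
    and keeps running as a background service looks like.
    """
    flagged = []
    for entry in os.scandir(proc_root):
        if not entry.name.isdigit():
            continue  # 'self', 'sys', etc. are not processes
        try:
            target = os.readlink(os.path.join(entry.path, "exe"))
        except OSError:
            continue  # kernel threads have no exe; other users' PIDs need root
        if target.endswith(" (deleted)"):
            flagged.append((int(entry.name), target))
    return sorted(flagged)


def profile_additions(user_profile, skel_profile):
    """Non-comment lines present in a user's ~/.profile but absent from /etc/skel/.profile.

    Anything returned is worth a manual look; a clean account normally has none.
    """
    baseline = {line.strip() for line in skel_profile.splitlines()}
    return [
        line.strip()
        for line in user_profile.splitlines()
        if line.strip() and not line.strip().startswith("#") and line.strip() not in baseline
    ]


def demo():
    """Run all three checks against constructed sample data and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        # Constructed /proc-style tree: PID 4242 runs from a binary that has been unlinked.
        (tmp / "proc" / "4242").mkdir(parents=True)
        os.symlink("/tmp/.hidden/sshd (deleted)", tmp / "proc" / "4242" / "exe")
        (tmp / "proc" / "1").mkdir()
        os.symlink("/usr/lib/systemd/systemd", tmp / "proc" / "1" / "exe")
        (tmp / "proc" / "self").mkdir()

        # Constructed file tree. No file can be made to hash to a real IOC, so the
        # sample's own digest is added to a local copy of the IOC set to exercise matching.
        (tmp / "fs").mkdir()
        (tmp / "fs" / "benign.txt").write_bytes(b"nothing to see here\n")
        (tmp / "fs" / "fake_sample").write_bytes(b"constructed sample, not real malware\n")
        iocs = PERFECTL_SHA256 | {sha256_file(tmp / "fs" / "fake_sample")}

        # Constructed profile contents: the user copy has one appended line.
        skel = '# ~/.profile\nif [ -n "$BASH_VERSION" ]; then\n    . "$HOME/.bashrc"\nfi\n'
        user = skel + "\nnohup /tmp/.hidden/sshd >/dev/null 2>&1 &\n"

        return {
            "deleted_exe": find_deleted_exe_processes(tmp / "proc"),
            "ioc_hits": match_iocs(tmp / "fs", iocs),
            "profile_additions": profile_additions(user, skel),
        }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {findings}")
```

On a live host, call `find_deleted_exe_processes()` with the default `/proc` as root, `match_iocs("/")` with the page's hash set, and `profile_additions(open(os.path.expanduser("~/.profile")).read(), open("/etc/skel/.profile").read())` for each account; a deleted-exe hit alone is only a lead, since package upgrades also leave long-running daemons pointing at unlinked binaries until they restart.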