Linux malware “perfctl” behind years-long cryptomining campaign

Submitted by Style Pass, 2024-10-06 17:30:04

A Linux malware named "perfctl" has been targeting Linux servers and workstations for at least three years, remaining largely undetected through high levels of evasion and the use of rootkits.

According to the Aqua Nautilus researchers who discovered perfctl, the malware likely targeted millions of Linux servers in recent years and possibly caused infections in several thousand of them.

This is based on numerous reports by victims of the malware submitted to online discussion forums, all containing indicators of compromise exclusively associated with perfctl activity.

According to Aqua Nautilus, the primary purpose of perfctl is cryptomining, using the compromised servers to mine the hard-to-trace Monero cryptocurrency. However, it could easily be used for more damaging operations.

Aqua Nautilus believes that the threat actors exploit misconfigurations or exposed secrets to breach Linux servers. These misconfigurations range from publicly accessible files that contain credentials to exposed login interfaces.
