www.aquasec.com
Open in
urlscan Pro
141.193.213.21
Public Scan
URL:
https://www.aquasec.com/blog/perfctl-a-stealthy-malware-targeting-millions-of-linux-servers/
Submission: On October 07 via api from DE — Scanned from US
Submission: On October 07 via api from DE — Scanned from US
Form analysis
0 forms found in the DOMText Content
perfctl: A Stealthy Malware Targeting Millions of Linux Servers Sign in Contact Support We're hiring! Aqua Security Platform Solutions Resources Company Platform Aqua Platform Unified Cloud Security Gain total lifecycle visibility, reduce risks and stop attacks with the most comprehensive, fully integrated Cloud Native Application Protection Platform (CNAPP) Platform overview * All platform Integrations * Aqua CNAPP in action Aqua Open Source Driving security innovation in the cloud native community * Trivy * Tracee Code Security * Scanning & Assurance Scan artifacts across the entire software development lifecycle * Software Supply Chain Security Protect your code, tools, and processes * Vulnerability Management Advanced Code-to-Cloud vulnerability management to reduce noise and fix fast Runtime Security * Container Security Full lifecycle advanced protection for containerized applications * Cloud Workload Protection (CWPP) Runtime protection for every cloud native workload * Hybrid-Cloud & Multi-Cloud Security Code to Cloud security for hybrid and multi-cloud deployments Posture Management * CI/CD Pipeline Security Automate DevSecOps * Kubernetes Security Holistic Kubernetes Security for the Enterprise * Cloud Security Posture Management Extend traditional CSPM with workload visibility What's New? * Combatting Phantom Secrets with Historical Secret Scanning * Securing GenAI: Safeguarding LLM-Powered Applications * Discover Cloud Security Issues Faster with Event-based Scanning Solutions Use Cases * Automate DevSecOps Security and speed without compromise * Detection and Response Cloud native detection & Response (CNDR) * Hybrid-Cloud & Multi-Cloud Security for hybrid and multi-cloud deployments * Prove Compliance Controls for PCI, HIPAA, GDPR, and beyond Solutions * Docker Security Enterprise-Grade security for Docker environments * AWS Cloud Security Protect cloud native workloads on AWS * Google Cloud Security Secure K8s apps on Google Cloud Platform * OpenShift Security Cloud Native Security for Red Hat OpenShift * VMware Tanzu Security Native security across VMware Tanzu * Azure Cloud Security Full Lifecycle Security for Azure Container Workloads Industry * Federal CNAPP solution for Federal Government * Financial Services One platform for financial services Whitepaper The 15 Riskiest AWS Misconfigurations Download Now Resources The best of cloud native Aqua Blog Expert insight, best practices and advice on cloud native security, trends, threat intelligence and compliance Read the Blog * SEC vs. SolarWinds: A Cybersecurity Game Changer for CISOs * Accenture and Aqua Partner to Empower Cloud Security Resources * Resources Center eBooks, Data sheets, Whitepapers, Webinars, and much more * The Cloud Native Channel Cloud native security webinars & videos * Aquademy The Aqua academy * Cloud Native Wiki The educational center for everything cloud native * Docker Containers * Software supply chain security * Cloud security * Kubernetes * Application Security * DevSecOps Aqua research team Security research focused on the cloud native stack to identify new threats and attack vectors More security research 2023 Annual Aqua Nautilus Research A Comprehensive Cloud Native Threat Report Company Recognized Leadership * CISO Choice Awards Winner for Cloud Workload Protection Platform (CWPP) * Forrester Consulting: The Total Economic Impact™ of Aqua CNAPP 90% Reduction in vulnerability research and detection time * Frost & Sullivan CNAPP report Top innovation leader * About Us * Customers * Partners * Newsroom * Upcoming Events * Careers * Support * Services Connect * Contact * Twitter * Facebook * Linkedin * Instagram News Aqua Launches VEX Hub Repository and Expands Trivy’s Scanning Capabilities Aqua Security Named a Representative Vendor in the 2024 Gartner® Market Guide for Cloud-Native Application Protection Platforms (CNAPP) S3 shadow buckets leave AWS accounts open to compromise Search Get Started Aqua Blog PERFCTL: A STEALTHY MALWARE TARGETING MILLIONS OF LINUX SERVERS Security Threat Assaf MoragIdan Revivo October 3, 2024 In this blog post, Aqua Nautilus researchers aim to shed light on a Linux malware that, over the past 3-4 years, has actively sought more than 20,000 types of misconfigurations in order to target and exploit Linux servers. If you have a Linux server connected to the internet, you could be at risk. In fact, given the scale, we strongly believe the attackers targeted millions worldwide with a potential number of victims of thousands, it appears that with this malware any Linux server could be at risk. We discovered numerous incident reports in community forums, all describing indicators of compromise linked to this malware. The community has widely referred to it as the “perfctl malware,” and we have adopted this name. This post will explore the malware’s architecture, components, defense evasion tactics, persistence mechanisms, and how we managed to detect it. Perfctl is particularly elusive and persistent, employing several sophisticated techniques, including: * It utilizes rootkits to hide its presence. * When a new user logs into the server, it immediately stops all “noisy” activities, lying dormant until the server is idle again. * It utilizes Unix socket for internal communication and TOR for external communication. * After execution, it deletes its binary and continues to run quietly in the background as a service. * It copies itself from memory to various locations on the disk, using deceptive names. * It opens a backdoor on the server and listens for TOR communications. * It attempts to exploit the Polkit vulnerability (CVE-2021-4043) to escalate privileges. In all the attacks observed, the malware was used to run a cryptominer, and in some cases, we also detected the execution of proxy-jacking software. During one of our sandbox tests, the threat actor utilized one of the malware’s backdoors to access the honeypot and started deploying some new utilities to better understand the nature of our server, trying to understand what exactly we are doing to its malware. ELUSIVE MALWARE DOMINATES DEVELOPER FORUMS Our story begins with an attack we monitored on one of our honeypots. Typically, we check if anyone has already documented the attack, as this allows us to analyze it more thoroughly and compare our findings with those of other researchers. However, in this case, we found no report about the malware that had targeted our honeypot. What we did find, though, were numerous references to a perfctl malware, this immediately drew our attention, as this was one of the names of our malware. These are in various languages across several developer communities and forums, we carefully reviewed these posts and found that the indicators of compromise mentioned in them are the same as the ones we’ve seen in our attack. Usually in some of these posts you can find replies with links to reports about the malware written by researchers. But in this case, however, none of these had links to such reports. Here are some of the posts we came across: Reddit, freelancer, Stack Overflow (Spanish), forobeta (Spanish), brainycp (Russian), natnetwork (Indonesian), Proxmox (Deutsch), Camel2243 (Chinese), svrforum (Korean), exabytes, virtualmin, serverfault and many others. The name perfctl comes from the cryptominer process that drains the system’s resources, causing significant issues for many Linux developers. By combining “perf” (a Linux performance monitoring tool) with “ctl” (commonly used to indicate control in command-line tools), the malware authors crafted a name that appears legitimate. This makes it easier for users or administrators to overlook during initial investigations, as it blends in with typical system processes. Towards the end of our research, we saw the first report covered by the researchers of Cado Security, but they only tell a very small part of the story of perfctl malware. THE ATTACK FLOW After exploiting a vulnerability (as in our case) or a misconfiguration, the main payload is downloaded from an HTTP server controlled by the attacker. In our case, the main payload was named httpd, and it demonstrated multiple layers of execution, showcasing a deliberate design to ensure persistence and evade detection. Once executed, the main payload copies itself from memory to a new location in the ‘/tmp’ directory, runs the new binary from there, terminates the original process, and then deletes the initial binary to cover its tracks. The main payload is now executed from the /tmp directory under a different name. Based on what we’ve seen the malware chose the name of the process that originally executed it, thus it looks less suspicious, if the system is examined. In our case the malware was executed by sh, thus the name of the malware was changed from httpd to sh. At this point, it functions as both a dropper and a local command-and-control (C2) process. The malware contains an exploit to CVE-2021-4043, which it is trying to run in order to gain root privilege on the server. The malware continues to copy itself from memory to half a dozen other locations, with names that appear as conventional system files. It also drops a rootkit and a few popular Linux utilities that were modified to serve as user land rootkits (i.e. ldd, lsof). A cryptominer is also dropped and in some executions, we also observed some proxy-jacking software transferred from a remote server and executed. As part of its command-and-control operation, the malware opens a Unix socket, creates two directories under the /tmp directory, and stores data there that influences its operation. This data includes host events, locations of the copies of itself, process names, communication logs, tokens, and additional log information. Additionally, the malware uses environment variables to store data that further affects its execution and behavior. All the binaries are packed, stripped, and encrypted, indicating significant efforts to bypass defense mechanisms and hinder reverse engineering attempts. The malware also uses advanced evasion techniques, such as suspending its activity when it detects a new user in the btmp or utmp files and terminating any competing malware to maintain control over the infected system. Below is the complete attack flow: Figure 1: The entire attack flow As noted earlier, numerous files are written to disk or modified, primarily in the /tmp, /usr, and /root directories, as shown in the diagram below. Figure 2: Files dropped or written to disk In this blog and its appendices, we will explain the purpose of these files and the role each plays in the attack flow. PERFCTL ATTACK HIGHLIGHTS The main binary httpd is a packed, stripped and obfuscated ELF (MD5: 656e22c65bf7c04d87b5afbe52b8d800). If you type the download url in the browser the integer 1 is printed to screen. If you try downloading the .php file without a specific user agent, you will receive a file with the integer 1. This response indicates that this file is completely innocent. But if you use the correct user agent it will drop the malware (size of ~9mb). This is a clever way to conceal the malware. After it is downloaded and executed the malware copies itself from memory using another running process name, and it saves the process ID of that running process under /tmp/.apid. Figure 3: httpd is copying itself from memory Httpd then stops and deletes itself. This technique is called ‘process masquerading’ or ‘process replacement’ and it’s done for defense evasion and obfuscation. It can make security researchers life a bit harder to follow the malware execution flow. The new Httpd binary is now saved in the /tmp directory under the name of the process that executed it sh in our case, but we’ve also seen other names when we used other processes to run it. The binary sh is also copying itself from memory to various locations, as it saves itself as libpprocps.so and also as /root/.config/cron/perfcc, /usr/bin/perfcc, and /usr/lib/libfsnkdev.so. In annex 3 – The main payload below, we discuss in detail about this and explain our hypothesis to why the threat actor chose these names. This shows of a thought in regard to persistence as the malware author creates a lot of locations to which the malware is copied. PERSISTENCE The attacker modifies the ~/.profile script, which sets up the environment during user login. This script is designed to execute the malware first, followed by the legitimate workload expected to run on the server. It checks if /root/.config/cron/perfcc is an executable file, and if so, it runs the malware. Additionally, the script ensures that in Bash environments, the ~/.bashrc file is executed, applying user-specific configurations such as aliases and environment variables—likely to maintain normal server operations while the malware runs. Finally, the script suppresses mesg errors to avoid any visible warnings during execution. The binary wizlmsh is dropped to /usr/bin (MD5: ba120e9c7f8896d9148ad37f02b0e3cb). It is a very small binary (12kb), that runs as a service in the background. Initially, it receives argc, and argv, and verify the execution of main payload (httpd) after it is written into /tmp either as sh or bash or any other name. It is responsible for the persistence of perfctl malware. Figure 4: wizlmsh main function DEFENSE EVASION The rootkit has several purposes. One of the main purposes is to hook various functions and modify their functionality. The rootkit itself is an ELF 64-bit LSB shared object (.so) file named libgcwrap.so (MD5: 835a9a6908409a67e51bce69f80dd58a). The rootkit is using LD_PRELOAD to load itself before other libraries. Figure 5: The revised LD_Preload content It does various interesting manipulations, including hooking to Libpam symbols. Specifically, to the function pam_authenticate, which is used by PAM to authenticate users. Hooking or overwriting this function could allow unauthorized actions during the authentication process, such as bypassing password checks, logging credentials, or modifying the behavior of authentication mechanisms. Figure 6: Functions the rootkit hooks In addition, the rootkit is also designed to hook Libpcap symbols, specifically to the function pcap_loop, which is widely used for capturing network traffic. This is used to prevent recording of the malware traffic. The threat actors are also using a few user land rootkits. They drop a few legitimate utilities such as ldd. These utilities were modified to hide specific attack elements. So, if the rigged crontab is used, for instance, it won’t show cron jobs created during the attack. In the first step the malware replaces the /etc/profile so the path will be set on /bin/.local/bin:$PATH. In this path the threat actor is bypassing the directory where the utilities are called from. We’ve seen in some malware runs 2 binaries and in other 4 binaries, depending on which utilities exist originally on the server. In our attacks the malware dropped crontab, lsof, ldd and top. These tweaked binaries will hide malicious activities, in case someone is using them. Figure 7: The new content inserted by the threat actor to ‘/etc/profile’ In appendix 5 – User land rootkits we explain in detail why we think these utilities were chosen by the threat actor. MAIN IMPACT The main impact of the attack is resource hijacking. In all cases we observed a monero cryptominer (XMRIG) executed and exhausting the server’s CPU resources. The cryptominer is also packed and encrypted. Once unpacked and decrypted it communicates with cryptomining pools. As reflected in Figure 8 below, the cryptomining pools are accessed via TOR. Figure 8: Cryptomining traffic Moreover, in some of the attacks we’ve seen proxy-jacking via various vendors. We’ve seen the communication with the following domains: bitping.com, earn.fm, speedshare.app, and repocket.com. The domain repocket.com, for instance, is associated with the Repocket platform, which is a service that allows users to earn money by sharing their unused internet bandwidth. In addition, we can observe the usage of the bitping daemon usage, which provide similar bandwidth payment services. Figure 9: Logging in to bitping TOR COMMUNICATION The binary sh is also initiating communication via Tor with few servers (i.e. 80.67.172.162, 176.10.107.180, 78.47.18.110, 95.217.109.36, 145.239.41.102). While the communication is encrypted, you can observe the TOR log left on our honeypot. Figure 10: TOR sessions log ADDITIONAL THREAT INTELLIGENCE We recorded several dozen attacks of perfctl. We saw 3 download servers involved in these attacks (46.101.139.173, 104.183.100.189 and 198.211.126.180). The first two IP addresses seem to be linked to vulnerable servers that were previously hacked by the threat actor and the third one could be owned by the threat actor. All 3 IP addresses store and hide artifacts used in this campaign. In most of the attacks we see that the binaries were dropped from IP address 46.101.139.173. An inspection of this IP address showed that this is a compromised webserver. Figure 11: Compromised website serves as download server Iterating over this download server, we see a compromised site on a server in Germany. We noticed some artifacts, well-hidden between the site’s scripts. We see 3 main payloads. One is avatar.php, which was used as part of the attack on our honeypot. When using the browser to reach to the webpage with avatar.php or downloading it without a specific user agent leads to 1 being displayed of screen or a .php file with the digit 1. In addition, there is another file named aoip, which was uploaded 2 months later and two others dark.css and csdark.css which were uploaded later. Figure 12: Files hosted on the webserver Figure 13: Files hosted on the webserver Figure 14: Files hosted on the webserver The binary aoip is a replication of the main payload (sh/httpd). Csdark.css and dark.css weren’t analyzed during this research but look very interesting. On IP address 198.211.126.180 we found just the file checklist.php which is the main payload (sh/httpd). Figure 15: Compromised website serves as download server On IP address 104.183.100.189 we found another innocent compromised website. Figure 16: Compromised website serves as download server It looks like this website stores this XML file which when decoded (base64) is actually the rconf script. Figure 17: malicious XML From what we see on these websites, there are few artifacts used to execute the exploitation of misconfigured and vulnerable (in our recorded attacks) Linux servers. We identified a very long list of almost 20K directory traversal fuzzing list, seeking for mistakenly exposed configuration files and secrets. There are also a couple of follow-up files (such as the XML) the attacker can run to exploit the misconfiguration. In the table below you can see the analysis of the paths, which shows that perfctl is mainly looking to exploit misconfigurations. Category Count of Paths Example Paths Potential Vulnerability Credentials 1,717 /access_credentials.json, /access_keys.json, /accesskeys.php Potential for unauthorized access to credentials, sensitive token or key exposure Configuration 12,196 Typical files include .conf, .ini, .json, .xml configurations Misconfigurations could lead to security weaknesses Login 1,362 Paths include login, auth, signin, admin related files Risks of unauthorized access through login interfaces Unknown 4,647 Paths not fitting the above categories Unknown, requires further investigation DETECTION OF “PERFCTL” MALWARE To detect Perfctl malware you look for unusual spikes in CPU usage, or system slowdown if the rootkit has been deployed on your server. These may indicate cryptomining activities, especially during idle times. MONITORING SUSPICIOUS SYSTEM BEHAVIOR 1. Inspect /tmp, /usr, and /root directories for suspicious binaries, especially hidden or masquerading as system files (e.g., perfctl, sh, libpprocps.so, perfcc, libfsnkdev.so). Inspect your /home directory, look for /.local/bin directory with various utilities installed such as ldd, top etc. 2. Monitor processes for high resource usage, such as binaries like httpd or sh behaving unusually or running from unexpected locations like /tmp. 3. Check system logs for modifications to ~/.profile, and /etc/ld.so.preload files. NETWORK TRAFFIC ANALYSIS 1. Capture network traffic to detect TOR-based communication to external IPs like 80.67.172.162, 176.10.107.180, etc. 2. Look for outbound connections to cryptomining pools or proxy-jacking services. 3. Monitor traffic to known malicious hosts or IPs (e.g., 46.101.139.173, 104.183.100.189, and 198.211.126.180). FILE AND PROCESS INTEGRITY MONITORING Detect modifications in key system utilities like ldd, top, lsof, and crontab, which might have been replaced with trojanized versions. LOG ANALYSIS Review logs for unauthorized use of system binaries, presence of suspicious cron jobs, and errors in mesg to detect possible tampering. DETECTION OF “PERFCTL” MALWARE WITH AQUA SECURITY First, we can see some runtime incidents. Below you can see alerts indicating some new binaries were dropped and executed, meaning a drift in our container, in addition to shared object dropped during runtime. These are the additional httpd malware files and the rootkit. Figure 18: Incidents screen on Aqua Security Platform We can continue the investigation of this attack by examining the audit logs of these incidents. During this incident there were above 22K audit events, thus we will need to search for specific events, namely, to investigate the attack. Figure 19: Audit logs screen on Aqua Security Platform We can filter on specific hosts, containers, enforce groups, cloud resources or even pods. We decided to search for specific events based on the MITRE framework. We used the masquerading technique which is used to describe dropped and executed events. There were 465 incidents, we can now go over all the files that were dropped (or modified) during the attack. Figure 20: Audit logs screen on Aqua Security Platform We can learn for instance about the swapping of some binaries with user land rootkits. Figure 21: Audit logs screen on Aqua Security Platform You can also learn about inbound traffic or setting up port listening. Figure 22: Audit logs screen on Aqua Security Platform MITIGATION OF “PERFCTL” MALWARE 1. Patch Vulnerabilities: Ensure that all vulnerabilities are patched. Particularly internet facing applications such as RocketMQ servers and CVE-2021-4043 (Polkit). Keep all software and system libraries up to date. 2. Restrict File Execution: Set noexec on /tmp, /dev/shm and other writable directories to prevent malware from executing binaries directly from these locations. 3. Disable Unused Services: Disable any services that aren’t required, particularly those that may expose the system to external attackers, such as HTTP services. 4. Implement Strict Privilege Management: Restrict root access to critical files and directories. Use Role-Based Access Control (RBAC) to limit what users and processes can access or modify. 5. Network Segmentation: Isolate critical servers from the internet or use firewalls to restrict outbound communication, especially TOR traffic or connections to cryptomining pools. 6. Deploy Runtime Protection: Use advanced anti-malware and behavioral detection tools that can detect rootkits, cryptominers, and fileless malware like perfctl. APPENDICES APPENDIX 1: INITIAL ACCESS CVE-2023-33246 is a vulnerability found in RocketMQ, which is a software that manages messages. This vulnerability allows unauthorized execution of commands on systems where RocketMQ is installed. This issue occurs because RocketMQ does not adequately check who is trying to access it, which means anyone, even without permission, can make changes or execute commands. The problem is made worse because the parts of RocketMQ that handle storing and delivering messages were not designed to be directly accessible over the internet, and they don’t require authentication for performing sensitive operations like updating settings. This makes it relatively easy for attackers to exploit this vulnerability. The initial access was gained via this vulnerability (CVE-2023-33246), led to download and execution of the shell script rconf with the following command: Figure 23: Execution script In Figure 24 below, you can observe the entire rconf script, next we will do a breakdown and explanation of the content. Figure 24: The rconf script APPENDIX 2: EXECUTION SCRIPT ANALYSIS As depicted in Figure 25 below, the script starts with a function that appears to perform a simplified HTTP GET request using a TCP socket directly, mimicking some basic behavior of the curl command. The threat actor is using this, in case the targeted server doesn’t contain curl or wget. Figure 25: A snippet from the rconf script, illustrating implementation of a HHTP get request command As you can see in Figure 26 below, the script continues with a simple if condition, that will ensure that the targeted attacked server OS architecture is x86_64. This shows that the threat actor is targeting specific architecture and won’t run on arm for instance. Figure 26: A snippet from the rconf script, illustrating inspection of the targeted host architecture Next, the threat actor verifies that the /tmp directory exists and has read, write, and execute permissions. This directory will be used later to store logs, which the malware will update and from which the malware will read instructions or system status. Figure 27: A snippet from the ‘rconf’ script, illustrating inspection the ‘/tmp’ path As illustrated in Figure 28 below, the threat actor also verifies that the /tmp directory is mounted with executable permissions. If the noexec option is found in the mount options (no execution permissions), it remounts /tmp with the exec option, allowing execution of binaries from the /tmp directory. This might be necessary for scripts or applications that require executing temporary files stored in /tmp. Figure 28: A snippet from the ‘rconf’ script, illustrating further inspection of the ‘/tmp’ directory In addition, the threat actor is creating two directories under /tmp path, which will be used later as auxiliary when running the main payload. Figure 29: A snippet from the ‘rconf’ script, illustrating creation of directories under the ‘/tmp’ path Next the threat actor is setting the environment variable A2ZNODE to localhost, if it is not already defined. Figure 30: A snippet from the ‘rconf’ script, illustrating inspection of the environment variables In addition, the threat actor is also setting the environment variable VEI to rmq which can stand for vulnerability exploited index to RocketMQ or something similar. Next, this script processes the /tmp/.xdiag/vei file by appending the value of the VEI variable (rmq) to it. If the file /tmp/.xdiag/vei does not exist or is empty, it checks if a secondary file /tmp/.xdiag/vei.1 exists. If it does, the script processes the contents of /tmp/.xdiag/vei, sorts and removes duplicates, and appends the value of VEI. If /tmp/.xdiag/vei.1 does not exist, it directly writes the value of VEI to /tmp/.xdiag/vei. Finally, it unsets the VEI variable Figure 31: A snippet from the ‘rconf’ script, illustrating preparation of the ‘/tmp’ directory for the malware operation and logging Finally, this script manages the installation of the main payload by ensuring no other instances are running, downloading the necessary file, and starting a web server. It uses either curl, wget, or the custom download function (mentioned above), verifies the downloaded file, and runs it if valid. The script also includes safeguards to prevent multiple installations from occurring simultaneously. This is important because the initial curl of this script rconf runs iteratively various times throughout the attack. Figure 32: A snippet from the ‘rconf’ script, illustrating download and installation of the malware under the name ‘httpd’ Now the main payload avatar.php was downloaded, renamed to httpd and executed, we can focus on this binary. APPENDIX 3: THE MAIN PAYLOAD (‘HTTPD’ AND ‘SH’) ANALYSIS Analysis of httpd The binary httpd is a packed ELF (MD5: 656e22c65bf7c04d87b5afbe52b8d800) bears many detections in VirusTotal, including general Linux Trojan, Coinminer, Exploitation tool for CVE-2021-4034, malware dropper etc. Our analysis shows that in a way all these detections are correct, as in a nutshell this is a multipurpose malware-dropper that contains all the above. Its operation is very interesting as it incorporates dozens of techniques to remain hidden and persistent. Based on our analysis below we speculate the campaign with this malware started about a year ago, and it remained quite anonymous and undetected. As per the main payload, it is named in the download server as avatar.php, after it is downloaded, it’s renamed to httpd. The machine is fingerprinted by various commands such as uname −a, then it starts unpacking itself. Next, the httpd executable is copied from the running process into to /tmp directory, as illustrated in Figure 33 below. What’s interesting is that it finds the name of the process name that ran it, and saves itself under the /tmp directory with the same name. It also saves the pid under the /tmp/.apid. Lastly, httpd deletes itself. Figure 33: httpd copies itself from memory This technique is called “process masquerading” or “process replacement”. It is often done for the following reasons: 1. Defense Evasion: By deleting the original binary and copying itself to another location, the malware avoids detection from static file-based security measures that might be monitoring the original location. The /tmp directory is a common target because it is typically writable and frequently used for temporary files, making it less suspicious. 2. Obfuscation: Deleting the original binary and killing itself can make it harder for security analysts to trace back the activity to the original payload, thereby complicating forensic analysis. Analysis of sh The binary sh (MD5: 656e22c65bf7c04d87b5afbe52b8d800) is an exact copy of httpd. After sh is executed, it sleeps for 10 minutes. Next it collects information about the OS. Next, sh drops nine binaries. Four are exact duplication of sh/httpd. A cryptominer and a rootkit (discussed below in ‘The Rootkit’ section). There are 3 lean binaries ldd, top and wizlmsh. The first 2 are user land rootkits, in some executions we also saw lsof and crontab. Wizlmsh is used to ensure the malware is running. The malware opens a Unix socket to communicate with all the process it will run in the future. Via /tmp/.xdiag/int/.per.s, it writes logs, which will later be used by other dropped components as part of the attack. The malware is also running various operations such as shutting down security controls, as seen in the example below: Figure 34: Shutting down security controls The binary sh is also copying itself from memory to various location, as illustrated below it saves itself as libpprocps.so and also as /root/.config/cron/perfcc, /usr/bin/perfcc, and /usr/lib/libfsnkdev.so. Figure 35: sh copying itself from memory This is a tactic used for persistence, stealth, and possibly for privilege escalation. Below we discuss the various path chosen: 1. The path /root/.config/cron/perfcc: This path is quite deceptive because it mimics a configuration directory under the root user, which might be overlooked by security scans assuming it’s a legitimate config file. The inclusion of cron in the path suggests an attempt to associate the malware with cron jobs. 2. The path /usr/bin/perfcc: The path /usr/bin is a standard directory for executable programs accessible to all users. Placing malware here could allow it to be executed like a normal system command, making detection harder. Naming the malware perfcc might be an attempt to masquerade as a legitimate system utility or command, reducing suspicion. 3. The binaries /usr/lib/libpprocps.so and /usr/lib/libfsnldev.so: These paths suggest the malware is impersonating shared libraries. /usr/lib is commonly used for storing shared libraries required by installed applications. The path libpprocps.so might be intended to appear related to the legitimate procps, a library and set of commands that includes utilities like ps, top, etc., which are used to display information about currently running processes. The choice of these paths generally reflects a strategy to blend in with normal system operations, either by appearing as a utility or library that might regularly be executed or loaded by other processes. APPENDIX 4: THE MAIN ROOTKIT (LIBGCWRAP.SO) The rootkit has several purposes. One of the main purposes is to hook various functions and modify their functionality. The rootkit itself is an ELF 64-bit LSB shared object (.so) file named libgcwrap.so. The rootkit is using LD_PRELOAD to load itself before other libraries. As illustrated in Figure 36 below, the rootkit strings are encrypted with XOR and this function is iterating through an array, while performing XOR decryption on each element in the array. Figure 36: XOR decrypt array You can see in Figure 37 below the xor_decrypt function responsible to decrypt a string by iterating over each byte of the input string, doing XOR with the key 0xAC. Figure 37: XOR decrypt It does various interesting manipulations, including hooking to Libpam symbols. Specifically, to the function pam_authenticate, which is used by PAM to authenticate users. Hooking or overwriting this function could allow unauthorized actions during the authentication process, such as bypassing password checks, logging credentials, or modifying the behavior of authentication mechanisms. In addition, the rootkit is also designed to hook Libpcap symbols, specifically to the function pcap_loop, which is widely used for capturing network traffic. Below we discuss what the attacker is trying to do with these hookings: 1. Network Traffic Manipulation: By hooking pcap_loop, an attacker could alter the behavior of applications that rely on libpcap for capturing network traffic. This could include security monitoring tools, network analyzers, and other systems that perform packet analysis. Manipulating this function could lead to missed detections, altered traffic logs, or leakage of sensitive data. 2. Data Eavesdropping: The hooked function might be modified to stealthily copy certain data passing through the network to a location controlled by an attacker, effectively creating a data exfiltration pathway. 3. Persistence and Evasion: Placing malicious code in /tmp and hooking critical functions like pcap_loop can be part of a strategy to maintain persistence on a host with minimal detection. This setup allows an attacker to continue malicious activities even after primary payloads are detected and removed. APPENDIX 5: USER LAND ROOTKITS ‘TOP’, ‘LDD’, ‘CRONTAB’ AND ‘LSOF’ The malware Perfctl is dropping in the path /home/???/.local/bin/ 4 binaries. In our case top, ldd, lsof and crontab. Below is the snippet executing top: Figure 38: top execution As seen in Figure 38 above, in the first row the script checks if the environment variable ABWTRX is set, if it exists this shell script won’t run. This is probably to check if the binary originally exists on the server or not. Next the variables r and m are defined as top and perfctl accordingly. We assume that perfctl in this case is the object to hide which is the cryptominer. Next the script iterates over the /.local/bin binaries to save them in the environment variable PATH. Now the script checks if the environment variable AAZHDE is set. Just a reminder. The initial script, when the server is first compromised, sets the environment variable AAZHDE. This is an inspection to verify that the “normal” course of the execution of this malware remains. Probably to evade sandbox execution. If AAZHDE is set, the binary top is executed passing all the arguments that were passed during the script execution. If AAZHDE isn’t set, the script executes various commands. Including, 2 trap commands. These trap commands execute deletion of the directory /tmp/smpr when the script exists or if it is interrupted by a user. It then recreates /tmp/smpr than it sets the environment variable AAZHDE as 1. Next, the cryptominer is stopped, and the file /tmp/.apid is deleted. Finally, AAZHDE is unset and top is executed. Lastly, the environment variable AAZHDE is unset and the binary top is executed. Below is the snippet executing ldd: Figure 39: ldd execution This snippet is very similar to the one of top. As seen in Figure 37 above, in the first row the script checks if the environment variable ABWTRX is set, if it exists this shell script won’t run. This is probably to check if the cryptominer is running or not (we will get to that next), if the cryptominer is running this script exits, otherwise it runs and executes the cryptominer. The binary top receives 2 parameters, as pointer to an executable and a pointer to the argv. It performs multiple steps including initialization, environment setup, cryptographic operations, data manipulation, and eventually executing another program. It also runs infinite loop to keep the process running in the background. Figure 40: top binary You can see two functions modify_lookup_table_with_offset and libc_xor_cipher, which are used to de-obfuscate various sections in memory. Next, there are several checks of the environment variables and errors. Lastly, if all conditions are met, we see and execution of a binary (provided as argument during top execution). Figure 41: top binary Top is used for real-time monitoring of system performance and processes. Thus, if a developer encounters a slowdown in the system corresponding to cryptomining activity and asks to check the cpu of all running processes, the new tempered with top will not show the cryptominer’s cpu consumption. Ldd is used to display the shared libraries (dynamic dependencies) required by an executable or a shared library. It shows which libraries an application depends on, as well as the paths to those libraries. The threat actor wants to hide malicious libraries and dependencies used by the malware, preventing detection during inspections. Crontab is used to schedule and manage recurring tasks (cron jobs) to run at specified times on Linux/Unix systems. lsof Lists open files and shows which processes are using them, including files, sockets, and network connections. This makes perfect sense that the threat actor is trying to modify the results of these utilities as they may be used by developers or security engineers to evaluate the server and understand what is attacking the machine. APPENDIX 6: UNIX SOCKET COMMUNICATION The binary sh is opening a Unix socket to write and read from various files in the /tmp directory. In the table below we review these files: # Path Use 1 /tmp/.xdiag/cp Malware pathname 2 /tmp/.xdiag/exi victim’s IP address 3 /tmp/.xdiag/p Malware Int marker 4 /tmp/.xdiag/elog Events log 5 /tmp/.xdiag/ver Malware version (string) 6 /tmp/.xdiag/uid User ID 7 /tmp/.xdiag/int/.e.lock Malware Int marker 8 /tmp/.xdiag/hroot/cp Malware pathname 9 /tmp/.xdiag/hroot/hscheck Heartbeat check 10 /tmp/.xdiag/tordata/control_auth_cookie.tmp Cookie 11 /tmp/.xdiag/tordata/cached-certs.tmp Certificates cache 12 /tmp/.xdiag/tordata/cached-microdesc-consensus.tmp Tor data 13 /tmp/.xdiag/tordata/state.tmp State of TOR logs For instance, as illustrated in Figure 40 below, in the file below the malware inserted the result of ls on the /tmp directory. Figure 42: lgctr file content APPENDIX 7: INDICATIONS OF COMPROMISE (IOCS) Type Value Comment IP Addresses IP Addresses 211.234.111.116 Attacker IP IP Addresses 46.101.139.173 Download server IP Addresses 104.183.100.189 Download server IP Address 198.211.126.180 Download server Domains Domains bitping.com Proxy-jacking service Domains earn.fm Proxy-jacking service Domains speedshare.app Proxy-jacking service Domains repocket.com Proxy-jacking service Files Binary file MD5: 656e22c65bf7c04d87b5afbe52b8d800 Malware Binary file MD5: 6e7230dbe35df5b46dcd08975a0cc87f Cryptominer Binary file MD5: 835a9a6908409a67e51bce69f80dd58a Rootkit Binary file MD5: cf265a3a3dd068d0aa0c70248cd6325d Idd Binary file MD5: da006a0b9b51d56fa3f9690cf204b99f top Binary file MD5: ba120e9c7f8896d9148ad37f02b0e3cb wizlmsh Subscribe for Security Alerts Learn about discovered new vulnerabilities, threats, and attacks that target containers, Kubernetes, serverless, and public cloud infrastructure Thanks! Stay tuned for updates Published under: SECURITY RESEARCH Tags: Security Threats Assaf Morag Assaf is the Director of Threat Intelligence at Aqua Nautilus, where is responsible of acquiring threat intelligence related to software development life cycle in cloud native environments, supporting the team's data needs, and helping Aqua and the broader industry remain at the forefront of emerging threats and protective methodologies. His research has been featured in leading information security publications and journals worldwide, and he has presented at leading cybersecurity conferences. Notably, Assaf has also contributed to the development of the new MITRE ATT&CK Container Framework. Assaf recently completed recording a course for O’Reilly, focusing on cyber threat intelligence in cloud-native environments. The course covers both theoretical concepts and practical applications, providing valuable insights into the unique challenges and strategies associated with securing cloud-native infrastructures. Idan Revivo Idan is the Head of Security Research at Aqua Security. He manages a team of researchers who are focused on threat hunting and vulnerability research in containers, serverless, and cloud native technologies. Related Blog Posts Table of Contents * Elusive Malware Dominates Developer Forums * The Attack Flow * Perfctl Attack Highlights * Additional Threat Intelligence * Detection of “Perfctl” Malware * Detection of “Perfctl” Malware with Aqua Security * Mitigation of “Perfctl” Malware * Appendices Need to secure enterprise workloads? Aqua Cloud Native Application Protection Platform (CNAPP) Go cloud native with the experts! Get Demo Aqua Security Aqua Security is the pioneer in securing containerized cloud native applications from development to production. Aqua's full lifecycle solution prevents attacks by enforcing pre-deployment hygiene and mitigates attacks in real time in production, reducing mean time to repair and overall business risk. The Aqua Platform, a Cloud Native Application Protection Platform (CNAPP), integrates security from Code to Cloud, combining the power of agent and agentless technology into a single solution. With enterprise scale that doesn’t slow development pipelines, Aqua secures your future in the cloud. Founded in 2015, Aqua is headquartered in Boston, MA and Ramat Gan, IL protecting over 500 of the world’s largest enterprises. Use Cases * Automate DevSecOps * Modernize Security * CNDR Cloud Native Detection & Response * Compliance and Auditing * Serverless Containers & Functions * Hybrid and Multi Cloud * Federal Cloud Native Security Environments * Kubernetes Security * OpenShift Security * AWS Security * Azure Cloud Security * Google Cloud Security * Security for VMware Tanzu * Docker Security Partners * Technology Partners * Partner With Us Resources * Aqua Security Research * The Cloud Native Wiki * Kubernetes 101 * AWS Cloud Security * Docker 101 * The Cloud Native Channel * O’Reilly Book: Kubernetes Security * CNAPP 101 * CSPM 101 About Us * About Aqua * Newsroom * Careers * Brand Guidelines * Trust & Security * Aqua Cloud Native Protection FAQ * Professional services Get in Touch * Aqua Blog * Contact Us * Success Portal Products * Cloud Native Security Platform * CSPM Cloud Security * Container Security * Kubernetes Security * Serverless Security * Cloud VM Security * Dynamic Threat Analysis (DTA) * Container Vulnerability Scanning * Open Source Container Security * Platform Integrations Get Started Copyright © 2024 Aqua Security Software Ltd. Privacy Policy | Terms of Use | Cookie Settings | Accessibility Tools Normal text size Medium text size Large text size -------------------------------------------------------------------------------- Normal display Black & White display High contrast display -------------------------------------------------------------------------------- Stop transitions and animations Underline Links Aqua Named a Representative Vendor in the New Gartner® Market Guide for CNAPP Learn More 🡲