Blog

Oct 5, 2024

New Perfctl Malware Targets Linux Servers for Cryptocurrency Mining and Proxyjacking

Posted by in categories: cryptocurrencies, cybercrime/malcode, internet

“When a new user logs into the server, it immediately stops all ‘noisy’ activities, lying dormant until the server is idle again. After execution, it deletes its binary and continues to run quietly in the background as a service.”

It’s worth noting that some aspects of the campaign were disclosed last month by Cado Security, which detailed an activity cluster that targets internet-exposed Selenium Grid instances with both cryptocurrency mining and proxyjacking software.

Specifically, the fileless perfctl malware has been found to exploit a security flaw in Polkit (CVE-2021–4043, aka PwnKit) to escalate privileges to root and drop a miner called perfcc.

Leave a reply