Hackread reports that millions of Linux servers around the world have been subjected to intrusions with the newly discovered perfctl malware during the past few years.
According to an analysis from Aqua Nautilus, the attacks begin by targeting vulnerable Apache RocketMQ servers with perfctl, which downloads its primary payload, named httpd, sets up persistence and concealment, and then executes it to carry out cryptocurrency mining and proxyjacking. Researchers also found that perfctl not only exploited the Polkit flaw tracked as CVE-2021-4043 for privilege escalation but also used sophisticated rootkit and evasion techniques. "Given the scale, we strongly believe the attackers targeted millions worldwide with a potential number of victims of thousands, it appears that with this malware any Linux server could be at risk," said Aqua Nautilus, which recommended regular security updates, intrusion detection systems, and endpoint protection tools to mitigate the threat.