Researchers have discovered a new malware strain called Perfctl, which targets Linux systems. This malware is particularly dangerous because it can function as a loader, a proxy, and a cryptocurrency miner.
Perfctl has been around since at least 2021 and has infected thousands of Linux endpoints. It is deployed by exploiting misconfigurations or a severe vulnerability (CVE-2023-33426) in Apache RocketMQ. Once installed, Perfctl remains hidden and persistent, making it difficult for users to remove.
The malware's primary function is to mine cryptocurrency, but it can also serve as a proxy for anonymizing traffic and as a loader to deploy other programs.
According to the source:
… it can also serve as a proxy for a commercial service, with other crooks paying to have their traffic routed through these devices and thus anonymized. Finally, the malware can serve as a loader, to deploy other programs as necessary. https://www.techradar.com/pro/security/linux-systems-are-being-hit-by-a-wide-ranging-and-dangerous-new-malware (Oct. 04, 2024).
Commentary
The source article mentions that Perfctl can use your system as a "proxy for a commercial service."
Translated, that means an infected server acts as an online intermediary, hiding the IP addresses and other identifying information of the criminals and making their online activities harder to trace. Like money laundering, it covers the criminals' tracks so they can commit other crimes.
One harm of having your system used as a "proxy" is that it drains the performance of your system. It could also lead to your system becoming part of a criminal investigation as authorities try to crack down on an international crypto-theft ring. Either way, you want to avoid it.
Perfctl also acts as a loader. A loader is a tool that installs and runs additional malicious software on an infected system including spyware that is often used to perform sophisticated business email compromise scams. Moreover, loaders like Perfctl are preferred tools used by hackers because they allow the hackers to continually update the malware or add new functionalities without needing to reinfect the system.
This is especially concerning because as defensive mechanisms are employed to detect or eliminate malware strains, online criminals can counter by updating Perfctl and other malware downloaded by Perfctl.
The final takeaway is that malware strains like Perfctl search for crypto. That is the grand prize. However, even if they do not find crypto, there is still a lot of ongoing and stealthy damage they can do to a system.
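To make the three behaviours described above concrete from a defender's side, here is an added example (my own illustration, not code from the article or from any vendor) of a small host-triage script. It scores process records against three heuristics that correspond to the roles the article attributes to Perfctl: sustained high CPU (miner), many distinct outbound peers from a process that is not a known proxy (proxy-for-hire), and an executable running from a temp directory or deleted from disk (a dropped payload). The process records, thresholds, allowlists and the sample path are all constructed assumptions for the example; on a real host the records would be built from /proc and the output of a tool such as ss.

```python
"""Host-triage heuristics for miner / proxy / loader behaviour on Linux.

Added example, not from the article. All sample data below is constructed;
the thresholds and allowlists are assumptions to be tuned per environment.
"""
from dataclasses import dataclass, field

# Tunable thresholds (assumptions, not figures from the article).
CPU_THRESHOLD = 80.0          # percent CPU sustained over the sampling window
PEER_THRESHOLD = 50           # distinct remote IPs with established connections
EXPECTED_HIGH_CPU = {"ffmpeg", "gcc", "java"}        # workloads allowed to burn CPU
EXPECTED_PROXIES = {"nginx", "haproxy", "squid"}     # services allowed many peers
SUSPICIOUS_EXE_PREFIXES = ("/tmp/", "/dev/shm/", "/var/tmp/")


@dataclass
class ProcSnapshot:
    """One process as it would be observed from /proc plus its socket table."""
    pid: int
    name: str
    exe: str                 # e.g. readlink /proc/<pid>/exe; " (deleted)" suffix if unlinked
    cpu_pct: float           # sustained CPU usage observed over the sampling window
    remote_ips: set = field(default_factory=set)  # distinct peers of established sockets


def triage(procs):
    """Return [(pid, name, [reasons])] for every process that trips a heuristic."""
    findings = []
    for p in procs:
        reasons = []
        if p.cpu_pct >= CPU_THRESHOLD and p.name not in EXPECTED_HIGH_CPU:
            reasons.append("sustained high CPU (possible miner)")
        if len(p.remote_ips) >= PEER_THRESHOLD and p.name not in EXPECTED_PROXIES:
            reasons.append("many distinct outbound peers (possible proxy)")
        if p.exe.startswith(SUSPICIOUS_EXE_PREFIXES) or p.exe.endswith(" (deleted)"):
            reasons.append("executable in temp dir or deleted on disk (possible dropped payload)")
        if reasons:
            findings.append((p.pid, p.name, reasons))
    return findings


def _peers(n):
    """Constructed set of n distinct documentation-range (TEST-NET) addresses."""
    return {f"198.51.100.{i}" for i in range(1, min(n, 150) + 1)} | \
           {f"203.0.113.{i}" for i in range(1, max(n - 150, 0) + 1)}


# Constructed sample snapshot; the path under /tmp is a placeholder, not a real IoC.
SAMPLE_PROCS = [
    ProcSnapshot(412, "nginx", "/usr/sbin/nginx", 12.0, _peers(300)),          # legitimate proxy
    ProcSnapshot(880, "gcc", "/usr/bin/gcc", 95.0),                             # legitimate CPU burn
    ProcSnapshot(2170, "perfctl", "/tmp/.sample-dropper (deleted)", 97.5, _peers(120)),
    ProcSnapshot(990, "python3", "/usr/bin/python3", 5.0, _peers(60)),          # unexpected relay
]


def run_triage():
    return triage(SAMPLE_PROCS)


if __name__ == "__main__":
    for pid, name, reasons in run_triage():
        print(f"pid {pid} ({name}):")
        for r in reasons:
            print(f"  - {r}")
```

Each heuristic alone produces false positives (a build box pegs the CPU, a web front end talks to many peers), which is why the script records every reason per process rather than a single verdict: a process that trips all three at once, as the constructed `perfctl` entry does, is the one to isolate and image first.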