Perfectl Malware
Perfectl in an https://arstechnica.com/security/2024/10/persistent-stealthy-linux-malware-has-infected-thousands-since-2021/
of malware:
The malware has been circulating since at least 2021. It gets installed by exploiting more than 20,000 common misconfigurations, a capability that may make millions of machines connected to the Internet potential targets, researchers from Aqua Security said. It can also exploit CVE-2023-33246, a vulnerability with a severity rating of 10 out of 10 that was patched last year in Apache RocketMQ, a messaging and streaming platform that’s found on many Linux machines.
The researchers are calling the malware Perfctl, the name of a malicious component that surreptitiously mines cryptocurrency. The unknown developers of the malware gave the process a name that combines the perf Linux monitoring tool and ctl, an abbreviation commonly used with command line tools. A signature characteristic of Perfctl is its use of process and file names that are identical or similar to those commonly found in Linux environments. The naming convention is one of the many ways the malware attempts to escape notice of infected users...
https://www.schneier.com/blog/archives/2024/10/perfectl-malware.html
Schneier on Security (RSS Feed) /
npub1pq…l0mzp
2024-10-14 11:06:27
Author Public Key
npub1pq90j4vh97m4qtpmrzl6gzfhwc6pvxsmuzcvrrhnl2xqpp7xjy4q2l0mzpPublished at
2024-10-14 11:06:27Event JSON
{
"id": "6f733c88ed9395dc2ff8c1a98cb2158d6a6e596eb61f7ce82c57b90dbb4e307b",
"pubkey": "080af955972fb7502c3b18bfa409377634161a1be0b0c18ef3fa8c0087c6912a",
"created_at": 1728903987,
"kind": 1,
"tags": [
[
"t",
"Uncategorized"
],
[
"t",
"attribution"
],
[
"t",
"cryptocurrency"
],
[
"t",
"hacking"
],
[
"t",
"Linux"
],
[
"t",
"malware"
],
[
"proxy",
"https://www.schneier.com/feed/atom/#https%3A%2F%2Fwww.schneier.com%2Fblog%2Farchives%2F2024%2F10%2Fperfectl-malware.html",
"rss"
]
],
"content": "Perfectl Malware\n\nPerfectl in an https://arstechnica.com/security/2024/10/persistent-stealthy-linux-malware-has-infected-thousands-since-2021/\n of malware:\nThe malware has been circulating since at least 2021. It gets installed by exploiting more than 20,000 common misconfigurations, a capability that may make millions of machines connected to the Internet potential targets, researchers from Aqua Security said. It can also exploit CVE-2023-33246, a vulnerability with a severity rating of 10 out of 10 that was patched last year in Apache RocketMQ, a messaging and streaming platform that’s found on many Linux machines.\nThe researchers are calling the malware Perfctl, the name of a malicious component that surreptitiously mines cryptocurrency. The unknown developers of the malware gave the process a name that combines the perf Linux monitoring tool and ctl, an abbreviation commonly used with command line tools. A signature characteristic of Perfctl is its use of process and file names that are identical or similar to those commonly found in Linux environments. The naming convention is one of the many ways the malware attempts to escape notice of infected users...\n\nhttps://www.schneier.com/blog/archives/2024/10/perfectl-malware.html",
"sig": "e41827ec2d336028fe77eaae48585ea9bed42271b518b0c0334960d213d6ba9799b25280979d175687fb62a46a465a5f158a10c2fee5ab3adb7c5ea3cc781deb"
}