A recent incident highlighted on the CentOS subreddit reveals a growing threat to server security, as an administrator reported systems infected with a cryptocurrency hijacker known as perfcc and perfctl. The administrator became aware of the compromise following alerts from their monitoring setup indicating 100% CPU usage, which raised immediate suspicions of unauthorized activity on the servers.
The admin noted that upon logging into the systems via SSH or console, the malicious process halted, suggesting it was designed to evade detection during active monitoring. However, the hijacker quickly resumed its operations once the administrator logged out, indicating a robust persistence mechanism that complicates removal efforts. Despite thorough searches for the malware and attempts at manual deletion, the administrator’s efforts were met with failure as the malware invariably reactivated upon system reboot.
This incident underscores the challenges faced by system administrators in combating sophisticated malware that exploits vulnerabilities or misconfigurations. The common technique for such attacks involves downloading a payload from compromised servers, often leveraging previously hacked infrastructures to obscure the malicious activities. In one recent analysis, the payload was named httpd and, upon execution, it created copies in temporary directories, adopting names that mimic legitimate Linux processes—specifically, a file referred to as sh.
From this new location in the /tmp directory, the malware establishes local command-and-control capabilities. It can escalate privileges by exploiting known vulnerabilities, such as CVE-2021-4043, a privilege escalation flaw in Gpac, an open-source multimedia framework. This tactic points toward a calculated approach to gain deeper system access and maintain persistence.
Targeted operations like these are indicative of broader trends in cyber threats, highlighting the need for constant vigilance. The potential tactics and techniques employed in this attack align with several components of the MITRE ATT&CK framework, including initial access, persistence, and privilege escalation. Business owners must recognize the increasing sophistication of these threats and invest in proactive measures to safeguard their infrastructure against such intrusions.
As the landscape of cyber risks continues to evolve, timely awareness and response strategies will be crucial for businesses to defend against similar attacks, ensuring system integrity and security in an increasingly hostile digital environment.
