From Perfctl to InfoStealer
Oct. 9, 2024, 3:35 p.m.
Description
A new stealthy Linux malware called perfctl has been analyzed. The malware runs two processes: perfctl and a disguised process mimicking known Linux processes. It uses Tor for external communications and local sockets for inter-process communication. After 30 minutes, the attacker drops scripts to footprint the host, search for files/credentials, and exfiltrate data. TruffleHog, a credentials scanner, is downloaded and used. The attacker searches for interesting files using a large list of regular expressions, inspects processes and their memory, and checks for Docker containers. The malware replicates itself by creating new binaries with different names. Collected data is archived and exfiltrated. This demonstrates that seemingly simple cryptominers can lead to data theft and further system compromise.
Date
Published: Oct. 9, 2024, 2:15 p.m.
Created: Oct. 9, 2024, 2:15 p.m.
Modified: Oct. 9, 2024, 3:35 p.m.
Indicators
22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13
169.155.242.252
http://104.183.100.189/common/backup.list
Attack Patterns
perfctl
T1069
T1074
T1087
T1005
T1021
T1016
T1518
T1082
T1057
T1083
T1071
T1055
T1020
T1036
T1204
T1033
T1049
T1027
T1041
T1059