From Perfctl to InfoStealer

Description

A new stealthy Linux malware called perfctl has been analyzed. The malware runs two processes: perfctl and a disguised process mimicking known Linux processes. It uses Tor for external communications and local sockets for inter-process communication. After 30 minutes, the attacker drops scripts to footprint the host, search for files/credentials, and exfiltrate data. TruffleHog, a credentials scanner, is downloaded and used. The attacker searches for interesting files using a large list of regular expressions, inspects processes and their memory, and checks for Docker containers. The malware replicates itself by creating new binaries with different names. Collected data is archived and exfiltrated. This demonstrates that seemingly simple cryptominers can lead to data theft and further system compromise.