From Perfctl to InfoStealer

Oct. 9, 2024, 3:35 p.m.

Description

A new stealthy Linux malware called perfctl has been analyzed. The malware runs two processes: perfctl itself and a disguised process that mimics known Linux processes. It uses Tor for external communications and local sockets for inter-process communication. After 30 minutes, the attacker drops scripts to footprint the host, search for files and credentials, and exfiltrate data. TruffleHog, a credentials scanner, is downloaded and used. The attacker searches for interesting files using a large list of regular expressions, inspects running processes and their memory, and checks for Docker containers. The malware replicates itself by creating new copies of its binary under different names. Collected data is archived and exfiltrated. This demonstrates that a seemingly simple cryptominer can lead to data theft and further system compromise.

Date

Published: Oct. 9, 2024, 2:15 p.m.

Created: Oct. 9, 2024, 2:15 p.m.

Modified: Oct. 9, 2024, 3:35 p.m.

Indicators

22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13

169.155.242.252

http://104.183.100.189/common/backup.list

Attack Patterns

perfctl

T1069

T1074

T1087

T1005

T1021

T1016

T1518

T1082

T1057

T1083

T1071

T1055

T1020

T1036

T1204

T1033

T1049

T1027

T1041

T1059