
Perfctl Malware Exploits Linux Servers for Cryptomining and Proxyjacking

Misconfigured Linux servers are being targeted in an active campaign deploying stealthy malware called perfctl, primarily for running cryptocurrency miners and proxyjacking software.


"Perfctl is particularly elusive and persistent, employing several sophisticated techniques," said Aqua Security researchers Assaf Morag and Idan Revivo.


"When a new user logs in, it stops all 'noisy' activities, lying dormant until the server is idle. After execution, it deletes its binary and continues to run quietly in the background as a service."


Cado Security previously disclosed some aspects of this campaign, describing attacks on internet-exposed Selenium Grid instances using cryptocurrency mining and proxyjacking software.


Perfctl exploits a Polkit vulnerability (CVE-2021-4043, PwnKit) to escalate privileges to root and deploy a miner named perfcc. The name "perfctl" appears to be chosen to blend in with legitimate system processes, as "perf" refers to a Linux performance monitoring tool, and "ctl" is commonly used in command-line utilities.


The attack chain exploits a vulnerable Apache RocketMQ instance to deliver a payload named "httpd." Once executed, it copies itself to "/tmp," runs the new binary, terminates the original process, and deletes the initial file to cover its tracks.


The malware also drops a rootkit to evade defences and executes proxyjacking software fetched from a remote server.


To mitigate the risk of perfctl, it is recommended to keep systems updated, restrict file execution, turn off unused services, enforce network segmentation, and use Role-Based Access Control (RBAC).

"To detect perfctl, watch for unusual CPU spikes or system slowdowns during idle periods, which may indicate crypto mining activities," the researchers advised.
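The behaviours described above give defenders two cheap host-level checks: a process whose binary was copied to /tmp and then deleted keeps running with a `(deleted)` marker on its `/proc/<pid>/exe` link, and a miner that only wakes up when nobody is logged in shows as high CPU on an otherwise idle box. The following is an added example (not code from Aqua Security or the article) that scans procfs for both signs; the `/dev/pts` check as a proxy for "a user is logged in" and the 50% CPU threshold are assumptions for illustration.

```python
import os
from dataclasses import dataclass

# Directories writable without root; perfctl copies itself to /tmp before
# deleting the original, so a binary executing from here deserves a look.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
DELETED = " (deleted)"  # suffix the kernel appends to an unlinked exe link


@dataclass
class ProcInfo:
    pid: int
    exe: str              # readlink of /proc/<pid>/exe, e.g. "/tmp/httpd (deleted)"
    comm: str             # contents of /proc/<pid>/comm
    cpu_pct: float = 0.0  # caller-measured CPU share; 0 when not measured


def reasons(p: ProcInfo, host_idle: bool, cpu_threshold: float = 50.0) -> list:
    """Return the indicators matched by one process (empty list = nothing odd)."""
    out = []
    if p.exe.endswith(DELETED):
        out.append("running from a deleted executable")
    path = p.exe[: -len(DELETED)] if p.exe.endswith(DELETED) else p.exe
    if path.startswith(WRITABLE_DIRS):
        out.append(f"executable lives under {os.path.dirname(path)}/")
    if host_idle and p.cpu_pct >= cpu_threshold:
        out.append(f"{p.cpu_pct:.0f}% CPU while no user is logged in")
    return out


def scan_procfs() -> list:
    """Collect ProcInfo for every process whose /proc entry we may read (Linux)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            exe = os.readlink(f"/proc/{entry}/exe")
            with open(f"/proc/{entry}/comm") as fh:
                comm = fh.read().strip()
        except OSError:  # kernel threads have no exe; other users' procs are unreadable
            continue
        procs.append(ProcInfo(int(entry), exe, comm))
    return procs


def flag_processes(procs: list, host_idle: bool) -> dict:
    """Map pid -> list of indicators for every process that matched at least one."""
    return {p.pid: r for p in procs if (r := reasons(p, host_idle))}


if __name__ == "__main__":
    # Assumption: an allocated pseudo-terminal means someone is logged in.
    try:
        idle = not any(n.isdigit() for n in os.listdir("/dev/pts"))
    except OSError:
        idle = True
    for pid, why in flag_processes(scan_procfs(), idle).items():
        print(pid, "; ".join(why))
```

Run it as root from cron during quiet hours; a hit on the first indicator alone is worth triaging regardless of CPU, since the deleted-binary trick is what lets the sample survive a casual `ls /tmp`.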

