
From Perfctl to InfoStealer

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

A new stealthy Linux malware called perfctl has been analyzed. The malware runs two processes: perfctl itself and a second process disguised under the name of a known Linux process. It uses Tor for external communications and local sockets for inter-process communication. After 30 minutes, the attacker drops scripts that footprint the host, search for files and credentials, and exfiltrate data. The attacker downloads and runs TruffleHog, an open-source credentials scanner. Interesting files are located with a large list of regular expressions; running processes and their memory are inspected, and the host is checked for Docker containers. The malware replicates itself by creating new copies of its binary under different names. Collected data is archived and exfiltrated. This shows that what looks like a simple cryptominer can lead to data theft and further compromise of the system.

OPENCTI LABELS:

malware, data exfiltration, linux, rootkit, cryptominer, stealth, perfctl, trufflehog

