{"id":197057,"date":"2024-10-05T03:23:12","date_gmt":"2024-10-05T08:23:12","guid":{"rendered":"https:\/\/lifeboat.com\/blog\/2024\/10\/new-perfctl-malware-targets-linux-servers-for-cryptocurrency-mining-and-proxyjacking"},"modified":"2024-10-05T03:23:12","modified_gmt":"2024-10-05T08:23:12","slug":"new-perfctl-malware-targets-linux-servers-for-cryptocurrency-mining-and-proxyjacking","status":"publish","type":"post","link":"https:\/\/lifeboat.com\/blog\/2024\/10\/new-perfctl-malware-targets-linux-servers-for-cryptocurrency-mining-and-proxyjacking","title":{"rendered":"New Perfctl Malware Targets Linux Servers for Cryptocurrency Mining and Proxyjacking"},"content":{"rendered":"<p><a class=\"aligncenter blog-photo\" href=\"https:\/\/lifeboat.com\/blog.images\/new-perfctl-malware-targets-linux-servers-for-cryptocurrency-mining-and-proxyjacking.jpg\"><\/a><\/p>\n<p>\u201cWhen a new user logs into the server, it immediately stops all \u2018noisy\u2019 activities, lying dormant until the server is idle again. After execution, it deletes its binary and continues to run quietly in the background as a service.\u201d<\/p>\n<p>It\u2019s worth noting that some aspects of the campaign were <a href=\"https:\/\/thehackernews.com\/2024\/09\/exposed-selenium-grid-servers-targeted.html\">disclosed<\/a> last month by Cado Security, which detailed an activity cluster that targets internet-exposed Selenium Grid instances with both cryptocurrency mining and proxyjacking software.<\/p>\n<p>Specifically, the fileless perfctl malware has been found to exploit a security flaw in Polkit (CVE-2021-4043, aka PwnKit) to escalate privileges to root and drop a miner called perfcc.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u201cWhen a new user logs into the server, it immediately stops all \u2018noisy\u2019 activities, lying dormant until the server is idle again. After execution, it deletes its binary and continues to run quietly in the background as a service.\u201d It\u2019s worth noting that some aspects of the campaign were disclosed last month by Cado Security, [\u2026]<\/p>\n","protected":false},"author":427,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1761,34,418],"tags":[],"class_list":["post-197057","post","type-post","status-publish","format-standard","hentry","category-cryptocurrencies","category-cybercrime-malcode","category-internet"],"_links":{"self":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/197057","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/users\/427"}],"replies":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/comments?post=197057"}],"version-history":[{"count":0,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/197057\/revisions"}],"wp:attachment":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/media?parent=197057"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/categories?post=197057"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/tags?post=197057"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}