Thousands Afflicted by Elusive, Enduring Linux Malware Since 2021

# Analyzing and Addressing the Perfcc and Perfctl Cryptocurrency Hijacker on Linux Servers

In April 2023, a system administrator raised an alarming issue on the CentOS subreddit, detailing the infection of two servers by a cryptocurrency hijacker. The malware, recognized by the process names **perfcc** and **perfctl**, was consuming 100% of the CPU. Despite the admin’s efforts to remove it, the malware persisted, respawning after every reboot and hiding its activity whenever the admin logged in to the system.

This situation is not an isolated case. Similar accounts have emerged across various forums and communities, such as Stack Overflow, Proxmox, and ServerFault, suggesting that this malware has impacted numerous Linux systems, particularly those operating on CentOS and Ubuntu. This article will delve into the characteristics of the **perfcc** and **perfctl** malware, its functionality, and methods to eradicate and prevent such infections.

## The Characteristics of the Perfcc and Perfctl Malware

### Cryptocurrency Hijacking

The **perfcc** and **perfctl** malware are indicative of a rising trend in cryptocurrency hijacking, also termed **cryptojacking**. This type of malware infiltrates servers and commandeers their processing power to mine cryptocurrencies, such as Monero, without the consent of the owners. The malware is engineered to operate covertly, frequently terminating or concealing its processes when the system administrator logs in, complicating detection efforts.

### Infection Vector

The malware predominantly takes advantage of known vulnerabilities or misconfigurations within Linux systems. In numerous instances, attackers employ automated tools to scour the internet for susceptible servers. Upon discovering a vulnerability, the attacker activates a payload that retrieves the main malware from a remote server. In the case of the honeypot utilized by researchers, the payload was designated **httpd**, a name that mimics a genuine Linux process.

Following the download, the malware relocates itself to the `/tmp` directory, renames itself to imitate a recognized process (e.g., **sh**), and sets up a local command-and-control (C2) process. This C2 process permits the attacker to remotely manipulate the infected system, often seeking to elevate privileges by exploiting vulnerabilities like **CVE-2021-4043**, a privilege-escalation vulnerability in the GPAC multimedia framework.

### Persistence Mechanism

One of the most aggravating elements of the **perfcc** and **perfctl** malware is its persistence. Even after the admin eradicates the malware files, it is capable of restarting after a system reboot. This occurs because the malware installs itself in a manner that allows it to respawn autonomously. It may establish cron jobs, systemd services, or alter startup scripts to ensure it is executed again after each reboot.

## Identifying the Perfcc and Perfctl Malware

### Indicators of Infection

The primary indicator of infection is **high CPU usage**. In the Reddit thread, the admin observed that CPU utilization reached 100%, which is typical for cryptojacking malware. However, the malware is designed to halt or obscure its activities when the admin logs in via SSH or console, complicating detection through conventional monitoring tools.

Other indicators of infection include:

- **Suspicious processes**: Processes like **perfcc** and **perfctl** running in the background, often disguising themselves as legitimate system processes.
- **Elevated resource consumption**: The system may become sluggish or unresponsive due to the malware’s consumption of CPU and memory resources.
- **Unexplained network traffic**: The malware may establish communication with a remote C2 server, resulting in unexpected outbound network traffic.

### Investigative Methods

To probe the presence of the malware, admins can pursue the following steps:

1. **Observe CPU usage**: Utilize tools such as `top` or `htop` to monitor CPU usage and identify any questionable processes.
2. **Examine running processes**: Execute `ps aux` to display all running processes and scrutinize those with names like **perfcc**, **perfctl**, or any unfamiliar titles.
3. **Look for malware files**: Deploy the `find` command to locate files associated with the malware. For instance:
```bash
find / -name "perfcc" -o -name "perfctl"
```
4. **Review cron jobs and startup scripts**: Investigate any suspicious cron jobs or alterations to startup scripts that may restart the malware after a reboot:
```bash
crontab -l
cat /etc/rc.local
```
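The following read-only triage script turns the indicators and investigative steps above (known process names, binaries launched from `/tmp`, saturated CPU, and cron, rc.local or systemd entries that relaunch the malware) into something that can be run against a live host or a saved listing. It is an added example, not code from the article or the Reddit thread; it assumes standard cron, rc.local and systemd paths, and the listings embedded in it are constructed sample data.

```sh
#!/bin/sh
# Added example (not from the article): read-only triage helpers that apply the
# article's indicators to text piped into them. Process names and the /tmp
# location come from the article; the sample listings below are constructed.

# Print `ps aux` lines whose command is perfcc/perfctl, runs out of /tmp,
# or is using 90% CPU or more (column 3). Skips the header row.
suspicious_procs() {
    awk 'NR > 1 && ($11 ~ /(^|\/)(perfcc|perfctl)$/ || $11 ~ /^\/tmp\// || $3 + 0 >= 90)'
}

# Print non-comment persistence lines (crontab, rc.local, systemd unit text)
# that reference /tmp or one of the known names.
suspicious_persistence() {
    grep -v '^[[:space:]]*#' | grep -E '/tmp/|perfcc|perfctl'
}

# Count lines on stdin; prints 0 on empty input (unlike `grep -c`).
count_lines() { awk 'END { print NR }'; }

# Live triage of the current host (read-only). Assumes standard paths.
live_triage() {
    echo "== processes =="; ps aux | suspicious_procs
    echo "== cron =="
    { crontab -l 2>/dev/null; cat /etc/crontab /etc/cron.d/* 2>/dev/null; } | suspicious_persistence
    echo "== rc.local =="; cat /etc/rc.local 2>/dev/null | suspicious_persistence
    echo "== systemd =="; cat /etc/systemd/system/*.service 2>/dev/null | suspicious_persistence
}

# Constructed sample data: one process caught by name and /tmp path, one
# renamed to "sh" (as the article describes) but caught by its 95% CPU,
# and one @reboot cron entry that relaunches the binary from /tmp.
PS_SAMPLE='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 1000 500 ? Ss 10:00 0:00 /sbin/init
www 2134 99.7 0.3 2000 900 ? R 10:05 5:12 /tmp/perfctl
www 2135 95.0 0.0 1500 400 ? R 10:05 4:50 sh
root 400 0.0 0.0 1500 400 ? Ss 10:00 0:00 /usr/sbin/sshd'
CRON_SAMPLE='# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew
@reboot /tmp/.x/perfcc >/dev/null 2>&1'

if [ "${1:-}" = "--live" ]; then
    live_triage
else
    printf '%s\n' "$PS_SAMPLE" | suspicious_procs
    printf '%s\n' "$CRON_SAMPLE" | suspicious_persistence
fi
```

Run it with `--live` on a suspect host; without arguments it demonstrates the checks against the constructed samples.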

## Eliminating the Perfcc and Perfctl Malware

### Step 1: Terminate Malicious Processes

Initially, pinpoint and terminate any active instances of the malware. Use the `ps` command to ascertain the process IDs (PIDs) of the malicious processes and terminate them:
```bash
ps aux | grep perfcc
ps aux | grep perfctl
kill -9 <PID>   # replace <PID> with the process ID reported by ps
```