mastodonien.de

nerdculture.de


Tue 08.10.2024 13:23

New [Perfctl] Malware Targets Linux Servers for Cryptocurrency Mining & Proxyjacking. :linux:

According to Aqua Nautilus researchers who discovered perfctl, the malware likely targeted millions of Linux servers in recent years and possibly caused infections in several thousands of them.

aquasec.com/blog/perfctl-a-ste

According to Aqua Nautilus, the primary purpose of perfctl is for cryptomining, using the compromised servers to mine the hard-to-trace Monero cryptocurrency. However, it could be easily used for more damaging operations.

The researchers have also observed exploitation of CVE-2023-33246, a remote command execution impacting Apache RocketMQ versions 5.1.0 and older, and CVE-2021-4034 (PwnKit), an elevation of privilege flaw in Polkit.


[ImageSource: Aqua Nautilus]

Locations where the malware drops files.

Once initial access is established, the packed and obfuscated payload, named "httpd", is downloaded from the attacker's server and executed. It then copies itself in the /tmp directory under the "sh" name and then deletes the original binary. The new process assumes the same name ("sh"), essentially blending with normal Linux system operations. Additional copies are created in other system locations, such as "/root/.config", "/usr/bin/" and "usr/lib" to ensure persistence in the case of a cleanup.

[ImageSource: Aqua Nautilus]

Overview of perfctl attack flow.

When launched, perfctl opens a Unix socket for internal communications and establishes an encrypted channel with the threat actor's servers over TOR, making it impossible to decipher the exchange.

It then drops a rootkit named 'libgcwrap.so' which hooks into various system functions to modify authentication mechanisms and intercept network traffic as needed to facilitate evasion.

Additional userland rootkits are also deployed, replacing the ldd, top, crontab and lsof utilities with trojanized versions, again, preventing direct detection of the malware's activities.

Finally, an XMRIG miner is dropped onto the system and executed to mine Monero using the server's CPU resources.


[Public] Replies: 0 Boosts: 1 Favs: 0 · via Metatext

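A host-side check for the indicators the post describes (a "sh" process actually executing from /tmp or from a deleted binary, the libgcwrap.so rootkit mapped into processes, and payload copies named "sh" or "httpd" in the staging directories). This is an added example, not code from the post or from Aqua Nautilus; the directory list, names and the sample process records are constructed from what the post states, and a live scan only works on Linux with enough privilege to read /proc.

```python
import os
from dataclasses import dataclass, field

# Indicators taken from the post: staging directories, payload names, rootkit name.
STAGING_DIRS = ("/tmp", "/root/.config")
PAYLOAD_NAMES = ("sh", "httpd")
ROOTKIT = "libgcwrap.so"

@dataclass
class Proc:
    pid: int
    comm: str                                 # /proc/<pid>/comm
    exe: str                                  # readlink of /proc/<pid>/exe
    maps: list = field(default_factory=list)  # file paths from /proc/<pid>/maps

def check_processes(procs):
    """Process-level indicators; returns (pid, reason, detail) tuples."""
    findings = []
    for p in procs:
        # A genuine "sh" runs from /bin or /usr/bin; the payload runs as "sh" from /tmp.
        if p.comm == "sh" and (p.exe.startswith("/tmp/") or p.exe.endswith(" (deleted)")):
            findings.append((p.pid, "sh masquerade", p.exe))
        if any(os.path.basename(m) == ROOTKIT for m in p.maps):
            findings.append((p.pid, "rootkit mapped", ROOTKIT))
    return findings

def check_staging(paths):
    """File-level indicators: payload names inside the staging directories."""
    return [f for f in paths
            if os.path.dirname(f) in STAGING_DIRS and os.path.basename(f) in PAYLOAD_NAMES]

def live_procs():
    """Collect Proc records from /proc (Linux only); unreadable entries are skipped."""
    out = []
    for pid in (d for d in os.listdir("/proc") if d.isdigit()):
        try:
            with open(f"/proc/{pid}/comm") as ch, open(f"/proc/{pid}/maps") as mh:
                comm = ch.read().strip()
                maps = sorted({ln.split()[5] for ln in mh if len(ln.split()) > 5})
            out.append(Proc(int(pid), comm, os.readlink(f"/proc/{pid}/exe"), maps))
        except OSError:
            continue
    return out

# Constructed sample: a clean dash shell and a masqueraded "sh" with the rootkit mapped.
SAMPLE_PROCS = [Proc(4300, "sh", "/usr/bin/dash", ["/usr/bin/dash"]),
                Proc(4242, "sh", "/tmp/sh", ["/tmp/sh", "/usr/lib/libgcwrap.so"])]

if __name__ == "__main__":  # live scan on Linux, constructed sample elsewhere
    print(check_processes(live_procs() if os.path.isdir("/proc") else SAMPLE_PROCS))
```

Because the post says ldd, top, crontab and lsof are replaced with trojanized copies, this script deliberately reads /proc directly instead of calling those tools; verify the four binaries separately with the package manager's file verification.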