This Reddit comment on the CentOS subreddit is typical. An administrator noticed that two servers were infected with a cryptocurrency hijacker going by the names perfcc and perfctl. The administrator wanted help investigating the cause.
“I only became aware of the malware because my monitoring setup alerted me to 100% CPU usage,” the administrator wrote in the April 2023 post. “However, the process immediately stopped when I logged in via SSH or console. As soon as I logged out, the malware became active again within seconds or minutes.” The administrator continued:
I tried to remove the malware by following the steps described on other forums, but to no avail. The malware always manages to restart as soon as I log out. I also searched the entire system for the string “perfcc” and found the files below. However, removing it did not solve the problem, because it keeps respawning every time it restarts.
Other discussions include: Reddit, Stack Overflow (Spanish), forobeta (Spanish), brainycp (Russian), natnetwork (Indonesian), Proxmox (German), Camel2243 (Chinese), svrforum (Korean), exabytes, virtualmin, serverfault and many others.
After exploiting a vulnerability or misconfiguration, the exploit code downloads the main payload from a server, which in most cases has itself been compromised by the attacker and turned into a channel for spreading the malware anonymously. In an attack on the researchers' honeypot, the payload was named httpd. Once executed, the file copies itself from memory to a new location in the /tmp directory, executes that copy, and then terminates the original process and deletes the downloaded binary.
Once moved to the /tmp directory, the file runs under a different name that mimics a well-known Linux process; on the honeypot the file was named sh. From there, it sets up a local command-and-control process and attempts to gain root privileges by exploiting CVE-2021-4043, a privilege-escalation vulnerability patched in 2021 in GPAC, a widely used open source multimedia framework.
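The two paragraphs above describe three host-level indicators a defender can check for: a process whose executable lives under /tmp, a process whose on-disk binary has been deleted while it keeps running, and a process named after a common system program (sh, httpd) that does not run from a trusted system path. The following is an added example, not code from the article or from the researchers: it encodes those checks over process records and runs them against a constructed sample set. The names in MIMICKED_NAMES are taken from the article; TRUSTED_DIRS and DROP_DIRS are my assumptions about where legitimate binaries and dropped files usually live. The optional collect_from_proc helper reads the same fields from /proc on a live Linux host.

```python
"""Flag processes matching the dropper behaviour described in the article.

Added example (not the article's or the researchers' code). Sample process
records below are constructed for illustration.
"""
from __future__ import annotations

import os
from dataclasses import dataclass

# Process names the article says the malware reuses to blend in.
MIMICKED_NAMES = {"sh", "httpd"}
# Assumption: where a legitimate copy of such a binary would normally live.
TRUSTED_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/libexec",
                "/usr/local/bin", "/usr/local/sbin")
# Assumption: world-writable directories commonly used as drop locations.
DROP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
DELETED_SUFFIX = " (deleted)"   # Linux appends this to /proc/<pid>/exe when unlinked


@dataclass
class ProcInfo:
    pid: int
    comm: str   # contents of /proc/<pid>/comm
    exe: str    # readlink("/proc/<pid>/exe"), possibly with " (deleted)"
    cwd: str    # readlink("/proc/<pid>/cwd")


def _under(path: str, dirs: tuple[str, ...]) -> bool:
    """True if path equals one of dirs or sits below it (no prefix false matches)."""
    return any(path == d or path.startswith(d + "/") for d in dirs)


def suspicious_reasons(p: ProcInfo) -> list[str]:
    """Return a list of human-readable findings; empty means nothing matched."""
    reasons: list[str] = []
    exe_path = p.exe.removesuffix(DELETED_SUFFIX)
    if p.exe.endswith(DELETED_SUFFIX):
        reasons.append("executable was deleted from disk while still running")
    if _under(exe_path, DROP_DIRS):
        reasons.append(f"executable runs from a drop directory: {exe_path}")
    if p.comm in MIMICKED_NAMES and not _under(exe_path, TRUSTED_DIRS):
        reasons.append(f"name {p.comm!r} mimics a system process but runs from {exe_path}")
    return reasons


def scan(procs: list[ProcInfo]) -> dict[int, list[str]]:
    """Map pid -> findings for every process that triggered at least one check."""
    return {p.pid: r for p in procs if (r := suspicious_reasons(p))}


def collect_from_proc() -> list[ProcInfo]:
    """Live collection on Linux; processes that vanish or are unreadable are skipped."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        base = f"/proc/{entry}"
        try:
            with open(f"{base}/comm") as fh:
                comm = fh.read().strip()
            procs.append(ProcInfo(int(entry), comm,
                                  os.readlink(f"{base}/exe"),
                                  os.readlink(f"{base}/cwd")))
        except OSError:
            continue
    return procs


# Constructed sample: two benign processes and two modelled on the article.
SAMPLE = [
    ProcInfo(1, "systemd", "/usr/lib/systemd/systemd", "/"),
    ProcInfo(812, "httpd", "/usr/sbin/httpd", "/"),
    ProcInfo(2210, "sh", "/tmp/.perf/sh (deleted)", "/tmp"),
    ProcInfo(2233, "httpd", "/tmp/httpd", "/tmp"),
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE).items():
        print(pid, "->", "; ".join(reasons))
```

Running the sample flags pids 2210 and 2233 only; the real /bin/sh and /usr/sbin/httpd pass because they live under TRUSTED_DIRS. On a live host, pair this with the CPU alert the administrator relied on: a process that disappears when you log in will not show up in an interactive scan, so schedule the collection from cron or a systemd timer rather than running it from an SSH session.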