The Perfectl malware (reported by its discoverers at Aqua Security as "perfctl"), named after the component that surreptitiously mines cryptocurrency, is a highly sophisticated piece of Linux malware. It gains a foothold by exploiting more than 20,000 common misconfigurations, a capability that makes potentially millions of Internet-connected machines targets, and it can also exploit a critical vulnerability in Apache RocketMQ (CVE-2023-33246), a messaging platform found on many Linux servers. Designed for stealth, it uses process and file names that are identical or similar to those commonly found on Linux systems and installs many of its components as rootkits, making it hard to detect. It also employs a range of evasion techniques: deleting its installation binary after execution and running as a background service thereafter, routing external communications over Tor, hooking the pcap_loop function so that packet-capture tools cannot record its traffic, and pausing easily detected activity whenever a new user logs in.

Perfectl is a complex and impressive piece of malware that has been circulating since at least 2021.

It ensures persistence by modifying the ~/.profile login script so that it is launched ahead of the legitimate workloads expected on the server, and by copying itself from memory to multiple locations on disk. Besides mining cryptocurrency, it turns the host into a profit-making proxy that relays paying customers' Internet traffic, and it serves as a backdoor for installing other malware families. The scale of the effort has prompted speculation about state backing, with North Korea, known for cryptocurrency theft, as one candidate; yet the malware is more complex than typical state-sponsored tooling, so attribution remains an open question.
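The two host-level traces the summary above describes, a login script edited to launch something at logon and processes that hide behind a familiar name or keep running after their binary has been unlinked, can be hunted for with a few heuristics. The script below is an added example written for this page; it is not code from Schneier's post or from Aqua's research, and its directory lists, regular expressions, reason strings and sample data are assumptions made for illustration rather than published indicators of this malware.

```python
# Added example, not the page's or Aqua's code: heuristics for the traces described
# above. Directory lists, regexes and sample data are assumptions, not published IOCs.
import os
import re
from dataclasses import dataclass

# Where legitimately installed daemons live (assumed; extend for your distro).
TRUSTED_BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/local/bin/",
                    "/usr/local/sbin/", "/usr/lib/", "/usr/libexec/", "/opt/")
WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

REASON_SUSPECT_PATH = "runs from a world-writable or hidden directory"
REASON_DETACH = "detaches a background process at login"
REASON_DELETED = "binary deleted after start"
REASON_BORROWED = "system tool name, binary outside trusted dirs"

# A /tmp-style path appearing as a word in the command line.
TMP_RE = re.compile(r"(?:^|[\s=;&|(`'\"])/(?:tmp|var/tmp|dev/shm)/")
# A line that directly executes something stored under a dotted directory.
HIDDEN_EXEC_RE = re.compile(r"^(?:exec\s+|nohup\s+|setsid\s+)?(?:~|\$HOME)?/\.[^/\s]+/\S+")
# Detaching a command so it outlives the login shell, or a trailing lone '&'.
BACKGROUND_RE = re.compile(r"\b(?:nohup|setsid|disown)\b|(?<![>&])&\s*$")

def suspicious_profile_lines(profile_text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, reason, line) for login-script lines worth a look."""
    hits = []
    for no, raw in enumerate(profile_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if TMP_RE.search(line) or HIDDEN_EXEC_RE.match(line):
            hits.append((no, REASON_SUSPECT_PATH, line))
        elif BACKGROUND_RE.search(line):
            hits.append((no, REASON_DETACH, line))
    return hits

@dataclass
class Proc:
    pid: int
    comm: str  # /proc/<pid>/comm, the name ps shows
    exe: str   # readlink(/proc/<pid>/exe); ends in " (deleted)" once unlinked

def suspicious_processes(procs: list[Proc], known_tools: set[str]) -> list[tuple[int, str, str, str]]:
    """Flag processes whose binary is gone, whose name borrows a real tool's
    while running from elsewhere, or which run from a throwaway location."""
    hits = []
    for p in procs:
        path = p.exe.removesuffix(" (deleted)")
        if p.exe.endswith(" (deleted)"):
            hits.append((p.pid, REASON_DELETED, p.comm, p.exe))
        elif path.startswith(TRUSTED_BIN_DIRS):
            continue
        elif p.comm in known_tools:
            hits.append((p.pid, REASON_BORROWED, p.comm, p.exe))
        elif path.startswith(WORLD_WRITABLE_DIRS) or "/." in path:
            hits.append((p.pid, REASON_SUSPECT_PATH, p.comm, p.exe))
    return hits

def collect_processes() -> list[Proc]:
    """Read the live process table from /proc (run as root to see every exe link)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            exe = os.readlink(f"/proc/{entry}/exe")
            with open(f"/proc/{entry}/comm") as f:
                comm = f.read().strip()
        except OSError:  # kernel thread, already exited, or not ours
            continue
        procs.append(Proc(int(entry), comm, exe))
    return procs

# Constructed sample ~/.profile: lines 4-6 were appended by an intruder.
SAMPLE_PROFILE = "\n".join([
    "# ~/.profile: executed by the command interpreter for login shells.",
    'export PATH="$HOME/.local/bin:$PATH"',
    '. "$HOME/.cargo/env"',
    "/tmp/.x/sshd >/dev/null 2>&1 &",
    "setsid ~/.config/.cache/keepalive",
    "nohup $HOME/bin/sync-notes >/dev/null 2>&1 &",
])
SAMPLE_PROCS = [  # constructed, in the shape collect_processes() returns
    Proc(812, "sshd", "/usr/sbin/sshd"),
    Proc(2311, "sshd", "/tmp/.x/sshd"),
    Proc(2340, "cron", "/var/tmp/.c/cron (deleted)"),
    Proc(2355, "kworker", "/dev/shm/.k/kworker"),
]
SAMPLE_KNOWN_TOOLS = {"systemd", "sshd", "cron", "bash", "perf"}

if __name__ == "__main__":
    profile = os.path.expanduser("~/.profile")
    text = open(profile).read() if os.path.exists(profile) else ""
    for no, reason, line in suspicious_profile_lines(text):
        print(f"{profile}:{no}: {reason}: {line}")
    known = {n for d in ("/bin", "/sbin", "/usr/bin", "/usr/sbin") if os.path.isdir(d) for n in os.listdir(d)}
    for pid, reason, comm, exe in suspicious_processes(collect_processes(), known):
        print(f"pid {pid} ({comm}): {reason}: {exe}")
```

Run on a live host, the script reads the current user's ~/.profile and the /proc table; on the constructed sample it flags the /tmp launcher, the hidden-directory launcher and the nohup line in the profile, and the three processes that are deleted, misnamed or running from /dev/shm. Expect false positives: a benign nohup in a dotfile or a Python interpreter run from a virtualenv will trip the same rules, so treat hits as leads rather than verdicts. More importantly, a userland rootkit that hooks libc, which is exactly what this malware installs, can hide entries from /proc or lie about exe links, so for a machine already suspected of compromise run the checks from a trusted live medium or against a disk image rather than trusting the infected host's own view.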
https://www.schneier.com/blog/archives/2024/10/perfectl-malware.html