Protecting against advanced malware like perfctl requires a multi-layered approach. While signature-based detection effectively identifies known variants, perfctl can evolve and evade these methods.
To stay protected from future strains, combine signature-based and behavioral-based monitoring to detect suspicious and malicious unknown activity. With flexible runtime policies, you have the control to automatically stop threats like perfctl in real time or take action based on your security needs.
Step-by-Step Guide
1. Access Enforcer Settings: Log in to the Aqua console and navigate to Administration > Enforcers.
2. Edit Enforcer Group: Select the Enforcer group you want to configure and click Edit.
3. Enable Behavioral Detection: In the Advanced Settings tab, locate Behavioral Detection and toggle it to Enable.
For more prevention and remediation strategies, including Aqua’s Advanced Malware Protection (AMP), visit our Support Portal.
perfctl Exposed: A Researcher’s Journey into a Hidden Campaign
This case was particularly interesting. We began by updating several of our behavioral signatures based on recent attacks we had observed and deployed new honeypots. Almost immediately, we noticed a distinct attack pattern emerging.
As we gathered more forensic evidence, it became clear that we had uncovered an ongoing campaign. To validate our findings, we searched for additional evidence in blogs and reports by other security researchers. Comparing notes with the broader security community helped us better analyze and understand such campaigns. We specifically looked for Indicators of Compromise (IoCs) or Indicators of Attack (IoAs), unique markers that could be linked to this specific activity.
Surprisingly, we found no comprehensive analysis of this campaign. However, we did come across numerous discussions about these attacks in developer and DevOps forums. Intrigued by our findings, we conducted a full analysis and discovered sophisticated techniques used by the attackers to conceal their operations.
Our investigation revealed that this campaign had been active for at least 3–4 years, exploiting tens of thousands of misconfigurations and known vulnerabilities to target Linux servers in cloud native environments. The extent of their efforts was stunning: not only had they accumulated a vast number of misconfigurations and vulnerabilities, but they had also invested heavily in evading detection. The fact that they remained undiscovered by security researchers for so long underscored the severity of the attack and its potential impact.
Don’t wait for an attack to reveal the gaps!
Contact your Aqua Sales Representative or Customer Success Manager today to learn how you can strengthen your container security and prevent real-world attacks.
For more detailed information about perfctl, read our blog post "perfctl: A Stealthy Malware Targeting Millions of Linux Servers".