It’s Hard To Spot And Even Harder To Get Rid Of
Perfctl is a nasty piece of malware which has recently been discovered and as a testament to it’s sneaky nature, security researchers believe it has been spreading undetected on Linux systems since 2021. It disguises it’s existence by using the names of files and processes that would run on a normal Linux system, and doesn’t interfere with the running of those legitimate processes. It is capable of detecting when someone logs into an system to stop or slow it’s activities, so you won’t notice system slowdowns or CPU spikes when you investigate a system’s behaviour. To make things even more miserable, it makes use of pcap_loop to hide from administrative tools a sysadmin would use if they noticed something was slightly off, and it is able to suppress system messages which might give it’s existence away.
If you do manage to spot it removing it is a right pain, many system admins have tracked down and deleted every Perfctl related file they could find, but upon the next reboot the infection returns. One thing you can do to try to protect yourself from infection or reinfection is to ensure you have patched exploit CVE-2023-33426. Ars Technica links to resources on how to try to detect the presence of Perfctl on your systems, and ways to avoid it infecting you if your systems are currently safe.
As for removing it if you are infected, there are suggestions but unfortunately none of them seem to work every time.