Researchers warn that the Linux PRoot utility is now frequently used by threat actors in BYOF (Bring Your Own Filesystem) attacks. Unfortunately, the technique can be successfully used on various Linux distributions, like Ubuntu, Fedora, or Alpine.
What's a BYOF Attack?
When threat actors create, on their own device, a malicious filesystem that holds a typical set of hijacking tools, we call it a Bring Your Own Filesystem (BYOF) attack.
After being downloaded and launched on a compromised machine, the malicious filesystem gives the cybercriminals a preconfigured toolkit that they use to further compromise the Linux system.
How Do Cybercriminals Use PRoot?
The open-source PRoot utility was not designed to be a malicious tool, but to improve compatibility and make system administrators' work easier.
Without any privileges or setup, it allows users to employ an arbitrary directory as the new root filesystem and to make files accessible elsewhere in the filesystem hierarchy.
It combines the functionality of chroot, mount, and binfmt_misc to fully isolate the new filesystem from the host. In this new guest filesystem, one can, for example, execute custom jobs and use the host's resources. Although PRoot processes are confined to the guest filesystem, QEMU emulation can be used to mix the execution of host and guest programs.
According to cyber researchers, the attack proceeds as follows:
First, threat actors build a malicious filesystem which will be deployed. Any dependencies or configurations are also included in the filesystem, so the attacker does not need to run any additional setup commands.
The attacker launches PRoot, points it at the unpacked malicious filesystem, and specifies the XMRig binary to execute.
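The two steps above leave a recognisable trace in process telemetry: a proot binary, a root filesystem path handed to it, and a guest command. As an added example (not code from the article, the researchers, or the PRoot project), the Python script below parses process command lines, recognises PRoot invocations through the documented `-r`/`-S`/`-R`, `-b`, `-q` and `-w` options, and flags the traits described in the article: a root filesystem unpacked under a temporary directory, cross-architecture emulation via QEMU, and a known miner (XMRig) as the guest command. The sample process records, the temp-directory heuristic and the miner name list are constructed assumptions for the demonstration.

```python
import os
import shlex
from dataclasses import dataclass, field

# proot(1) options that take a value: -r/-S/-R/--rootfs (guest root),
# -b/-m/--bind (bind mounts), -q/--qemu (emulator), -w/--pwd (cwd),
# -v (verbosity), -k (kernel release), -i (uid:gid).
ROOTFS_OPTS = {"-r", "--rootfs", "-S", "-R"}
VALUE_OPTS = ROOTFS_OPTS | {"-b", "-m", "--bind", "-q", "--qemu",
                            "-w", "--pwd", "-v", "-k", "-i"}

# Heuristics (assumptions, tune to your environment): administrators rarely
# keep chroots under temp directories; XMRig is the miner named in the article.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
MINER_NAMES = {"xmrig"}

# Constructed sample process records (pid, user, command line), not real telemetry.
SAMPLE_PROCESSES = [
    (4101, "root", "/usr/sbin/sshd -D"),
    (5231, "www-data", "/tmp/.fs/proot -S /tmp/.fs -q qemu-x86_64 /bin/xmrig"),
    (5250, "alice", "proot -r /home/alice/debian-rootfs /bin/bash"),
    (5260, "bob", "/usr/bin/proot -b /etc/resolv.conf --rootfs=/srv/chroots/alpine apk info"),
]


@dataclass
class ProotInvocation:
    binary: str = ""
    rootfs: str = ""
    qemu: str = ""
    binds: list = field(default_factory=list)
    command: list = field(default_factory=list)


@dataclass
class Finding:
    pid: int
    user: str
    reasons: list


def parse_proot(cmdline: str):
    """Return a ProotInvocation if the command line runs proot, else None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    if not argv or os.path.basename(argv[0]) != "proot":
        return None
    inv = ProotInvocation(binary=argv[0])
    i = 1
    while i < len(argv):
        tok = argv[i]
        if not tok.startswith("-"):            # first non-option token starts the guest command
            inv.command = argv[i:]
            break
        opt, _, inline = tok.partition("=")    # supports the --rootfs=/path spelling
        if opt in VALUE_OPTS:
            val = inline if inline else (argv[i + 1] if i + 1 < len(argv) else "")
            if opt in ROOTFS_OPTS:
                inv.rootfs = val
            elif opt in ("-q", "--qemu"):
                inv.qemu = val
            elif opt in ("-b", "-m", "--bind"):
                inv.binds.append(val)
            i += 1 if inline else 2
        else:
            i += 1                             # flag without a value (-0, -h, -V, ...)
    return inv


def assess(pid: int, user: str, cmdline: str):
    """Return a Finding listing every suspicious trait, or None for benign/non-proot lines."""
    inv = parse_proot(cmdline)
    if inv is None:
        return None
    reasons = []
    if inv.binary.startswith(SUSPICIOUS_DIRS):
        reasons.append(f"proot binary executed from temp dir: {inv.binary}")
    if inv.rootfs.startswith(SUSPICIOUS_DIRS):
        reasons.append(f"guest rootfs unpacked in temp dir: {inv.rootfs}")
    if inv.qemu:
        reasons.append(f"cross-architecture emulation requested: -q {inv.qemu}")
    if inv.command and os.path.basename(inv.command[0]) in MINER_NAMES:
        reasons.append(f"guest command is a known miner: {inv.command[0]}")
    return Finding(pid, user, reasons) if reasons else None


def scan(processes):
    """Run assess() over (pid, user, cmdline) records and keep only the hits."""
    return [f for f in (assess(*rec) for rec in processes) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_PROCESSES):
        print(f"pid {finding.pid} ({finding.user}):")
        for reason in finding.reasons:
            print(f"  - {reason}")
```

Only the `www-data` process is reported; alice's and bob's PRoot sessions, which point at root filesystems under `/home` and `/srv` and run ordinary shells and package tools, produce no reasons. Each reason is a weak signal on its own, so in a real pipeline you would weight them and correlate with the download and unpack activity that precedes the PRoot launch.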
What's the Gain for Hijackers?
Researchers warn that while the technique can be used in many harmful scenarios, the observed attacks mainly target cryptocurrency mining.
Abusing PRoot can also easily scale up malicious operations against Linux endpoints, according to researchers.
Pre-built PRoot filesystems allow threat actors to reuse their toolkit across various OS configurations without having to port their malware to the target or include build tools.
Using PRoot, there is little regard or concern for the target's architecture or distribution, since the tool smooths out the attack struggles often associated with executable compatibility, environment setup, and malware and/or miner execution.
The hackers' universal wish, "write once, run everywhere", has now come true.