A new report has highlighted how some hackers are not interested in having malware or viruses installed on the target endpoints, but instead work at bringing their entire toolbox to the victim’s device, which would then help them pick and choose the best malicious tool for each individual target.
Research from Sysdig, which calls the method “Bring Your Own Filesystem”, or BYOF for short, has found that so far, the method works on Linux devices, thanks to a vulnerable utility called PRoot.
According to Sysdig, the threat actors would create an entire malicious filesystem on their own devices, and then have it downloaded and mounted on the compromised endpoint. That way, they get a preconfigured toolkit helping them compromise Linux systems even more.
Installing cryptojackers
“First, threat actors build a malicious filesystem which will be deployed. This malicious filesystem includes everything that the operation needs to succeed,” Sysdig said in its report. “Doing this preparation at this early stage allows all of the tools to be downloaded, configured, or installed on the attacker's own system far from the prying eyes of detection tools.”
Although so far the software company only observed the method being used to install cryptocurrency miners on these devices, it says the potential for more disruptive and damaging attacks is there.
PRoot is a utility tool that allows users to create isolated root filesystems on Linux. While the tool is designed to have all the processes running within the guest filesystem, there are ways to mix host and guest programs, which is what the threat actors are abusing. Furthermore, programs running in the guest filesystem can use the built-in mount/bind mechanism to access files and directories from the host system.
Apparently, abusing PRoot to deliver malware is relatively easy, as the tool is statically compiled and doesn’t require additional dependencies. All hackers need to do is download the precombined binary from GitLab and mount it on the target endpoint.
“Any dependencies or configurations are also included in the filesystem, so the attacker does not need to run any additional setup commands,” Sysdig says. “The attacker launches PRoot, points it at the unpacked malicious filesystem, and specifies the XMRig binary to execute.”
Via: BleepingComputer (opens in new tab)
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba