A new report has highlighted the fact that some hackers are not interested in installing malware or viruses on the targeted devices, but instead strive to bring their entire set of tools to the victim's device, which would help them to choose the best malicious tool for each. individual. objective.

Sysdig's research, which calls the method "Bring Your Own Filesystem," or BYOF for short, found that the method has worked so far on Linux devices, thanks to a vulnerable utility called PRoot.

According to Sysdig, the threat actors would create an entire malicious file system on their own devices, then download and mount it on the compromised endpoint. This way, they get a preconfigured set of tools that helps them further compromise Linux systems.

Installation of cryptojackers

“First, the threat actors create a malicious file system that will be deployed. This malicious file system includes everything the operation needs to be successful,” Sysdig said in his report. "Doing this preparation at this early stage allows all the tools to be downloaded, configured, or installed on the attacker's own system away from the prying eyes of the detection tools."

Although the software company has so far only looked at the method used to install cryptocurrency miners on these devices, it says the potential exists for more disruptive and damaging attacks.

PRoot is a utility tool that allows users to create isolated root file systems on Linux. Although the tool is designed so that all processes run in the guest file system, there are ways to mix host and guest programs, which are abused by threat actors. Also, programs running on the guest file system can use the built-in mount/bind mechanism to access files and directories on the host system.

Apparently, abusing PRoot to spread malware is relatively easy, since the tool is statically compiled and requires no additional dependencies. All hackers have to do is download the prepackaged binary from GitLab and mount it on the target endpoint.

"Any dependencies or configurations are also included in the file system, so the attacker doesn't need to run any additional configuration commands," Sysdig explains. "The attacker executes PRoot, points it to the malicious unpacked file system, and specifies the XMRig binary to run."

Via: BleepingComputer (Opens in a new tab)

Share This