Posted on December 7, 2022 at 5:36 PM
Recently, online criminals started abusing the open-source operating system Linux, or rather, its PRoot utility. Hackers have started conducting tacos on Bring Your Own Filesystem (BYOF), which allowed them to provide a consistent repository of malicious tools that can be used across many Linux distributions.
Essentially, the BYOF attack allows cybercriminals to create malicious filesystems on their own devices. The filesystems are made with all the standard tools used for conducting attacks, and they then get downloaded on Linux devices, where they also get mounted, making the machine compromised.
In addition to that, the filesystem uses preconfigured toolkits to compromise the system even deeper, essentially taking over control over the device entirely. A report by Sysdig described this Linux hijacking, adding that threat actors built filesystems to have everything that they might need in order for their operation to succeed.
The curious part is that the hackers seemingly did a lot of preparation in the early stage, which allows all of the tools to be quickly downloaded, configured, and/or installed on their own systems, where no detection tools can register them.
Usually, these attacks are conducted in order to hijack machines and use them for cryptocurrency mining, although this is only one of the potential uses. In fact, using them to mine cryptos would be one of the least harmful scenarios. With this being the case, Sysdig researchers warned that it is very easy to use this new method for scaling malicious operations against Linux endpoints.
As mentioned, the hackers are conducting an attack that abuses the Linux PRoot utility. PRoot is an open-source utility, which combines several commands, including ‘mount — bind,’ ‘chroot,’ and ‘binfmt_mise.’ In doing so, it allows users to create isolated root filesystems on a device that uses the Linux OS.
PRoot processes are set to be confined in the guest filesystem by default. But, QEMU emulation can be used to switch things around, and mix guest and host program executions. Furthermore, programs from the guest filesystem can also use the mechanism for mounting and binding, which comes built into it. This allows it to access files and directories from any part of the host system.
Sysdig’s report said that the observed attacks are using PRoot to deploy malicious filesystem on systems that were already compromised. These networks have scanning tools like nmap and masscan, the XMRig cryptominer, as well as configuration files. In other words, everything needed to conduct a successful attack is already included, all neatly packaged in a Gzip-compressed file, and then dropped from trusted cloud hosting services, like DropBox.
PRoot does not require dependencies, and it statistically complies, so threat actors simply need to download the precompiled binary from GitLab and execute it against the downloaded and extracted filesystem. That is all that is needed for it to be mounted. According to Sysdig, the attackers unpack the filesystem on ‘/tmp/Proot/’ in majority of cases, which is then followed by the activation of the XMRig cryptominer.
The report explains that the filesystem also includes all needed dependencies or configurations, so there is no need to run additional setup commands. In continuation, Sysdig added that the attacker would launch PRoot, point it toward the unpacked filesystem, and specify the XMRig binary to execute.
Finally, Sysdig particularly pointed out that attackers can easily use PRoot to download many other payloads, so the breached system can see a lot more damage than just the use of XMRig.
Another consequence of the abuse of PRoot is that the platforms allow threat actors to become a lot stealthier and increase their chance of success post-exploitation, which is also something worth noting. In addition to that, pre-configured PRoot filesystems also allow hackers to use toolkits across numerous OS configurations without even needing to port their malware to the architecture that they are targeting.
In other words, those who use PRoot have little regard for the architecture of the target, or distribution, as the tool will smooth over all attack-related struggles that the attackers would have to deal with otherwise.