Threat actors have been observed using an open-source tool called PRoot to increase the scope of their operations to several Linux distributions. The Sysdig Threat Research Team (TRT) has discovered the technique and explained earlier this week why it is particularly dangerous.
“Typically, the scope of an attack is limited by the varying configurations of each Linux distribution,” the company wrote in an advisory published on Monday.
“Enter PRoot, an open-source tool that provides an attacker with a consistent operational environment across different Linux distributions, such as Ubuntu, Fedora, and Alpine. PRoot also provides emulation capabilities, which allow for malware built on other architectures, such as ARM [advanced RISC machine], to be run.”
Sysdig refers to this type of attack as "bring your own filesystem" (BYOF) and said it is beneficial for threat actors when they may not have a complete understanding of an environment before an attack or the resources necessary to change tools mid-operation.
Describing the method, the Sysdig team said threat actors typically build a malicious file system that includes everything the attack needs to succeed, including instructions for download, configuration and installation operations.
“Using PRoot, there is little regard or concern for the target’s architecture or distribution since the tool smoothes out the attack struggles often associated with executable compatibility, environment setup, and malware and/or miner execution,” the advisory reads.
“It allows attackers to get closer to the philosophy of ‘write once, run everywhere,’ which is a long sought-after goal.”
Furthermore, since PRoot is statically compiled, it does not require additional external files or libraries.
“This makes it very simple for an attacker to use in their toolchain. The executable could be potentially packed with UPX [ultimate packer for executables] or other obfuscating tools to evade detection," the company said.
According to Sysdig, the attack path is also simplified. In its assessment, the team observed that threat actors using this technique only need to complete a few commands to deploy to a victim system and subsequently run payloads.
As for the type of attacks observed by the cybersecurity experts, Sysdig investigated the XMRig crypto-miner.
“In these crypto-mining operations, XMRig is stored in the malicious filesystem and can be launched easily,” reads the advisory.
“Any dependencies or configurations are also included in the filesystem, so the attacker does not need to run any additional setup commands. The attacker launches PRoot, points it at the unpacked malicious filesystem, and specifies the XMRig binary to execute.”
To counter these BYOF threats, the Sysdig Threat Research Team has created rules (available in the advisory) that can detect the usage of the PRoot tool using Falco.
The new threat comes months after Check Point Research (CPR) named XMRig as the third-most widely used malware in the wild in July.