Open-source Linux utility is being hijacked to hack devices

Petya nagscreen
(Image credit: Wikipedia)

A new report has highlighted how some hackers are not interested in having malware or viruses installed on the target endpoints, but instead work at bringing their entire toolbox to the victim’s device, which would then help them pick and choose the best malicious tool for each individual target. 

Research from Sysdig, which calls the method “Bring Your Own Filesystem”, or BYOF for short, has found that so far, the method works on Linux devices, thanks to a vulnerable utility called PRoot.

According to Sysdig, the threat actors would create an entire malicious filesystem on their own devices, and then have it downloaded and mounted on the compromised endpoint. That way, they get a preconfigured toolkit helping them compromise Linux systems even more.

Installing cryptojackers

"First, threat actors build a malicious filesystem which will be deployed. This malicious filesystem includes everything that the operation needs to succeed," Sysdig said in its report. "Doing this preparation at this early stage allows all of the tools to be downloaded, configured, or installed on the attacker's own system far from the prying eyes of detection tools."

Although so far the software company only observed the method being used to install cryptocurrency miners on these devices, it says the potential for more disruptive and damaging attacks is there. 

PRoot is a utility tool that allows users to create isolated root filesystems on Linux. While the tool is designed to have all the processes running within the guest filesystem, there are ways to mix host and guest programs, which is what the threat actors are abusing. Furthermore, programs running in the guest filesystem can use the built-in mount/bind mechanism to access files and directories from the host system.

Apparently, abusing PRoot to deliver malware is relatively easy, as the tool is statically compiled and doesn’t require additional dependencies. All hackers need to do is download the precombined binary from GitLab and mount it on the target endpoint. 

"Any dependencies or configurations are also included in the filesystem, so the attacker does not need to run any additional setup commands," Sysdig says. "The attacker launches PRoot, points it at the unpacked malicious filesystem, and specifies the XMRig binary to execute."

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.