Sysdig found that attackers are using the open-source Linux utility PRoot in BYOF (Bring Your Own Filesystem) attacks to deliver a consistent repository of malicious tools that works across many Linux distributions.
PRoot is an open-source utility that lets a user set up an isolated root filesystem on Linux. In the attacks observed, the attacker uses PRoot to deploy a malicious filesystem on already compromised systems; the filesystem includes the network scanning tools masscan and nmap, the XMRig cryptominer and their configuration files.
The filesystem contains everything needed for the attack, neatly packed in a gzip-compressed tar archive together with all required dependencies, and is downloaded from trusted cloud hosting services such as Dropbox.
Malicious guest filesystem
Since PRoot is statically compiled and requires no dependencies, the attacker simply downloads a pre-compiled binary from GitLab and places it in the downloaded and extracted filesystem. In most cases the attackers unpacked the filesystem into /tmp/Proot/ and then started the XMRig cryptominer.
According to the researchers, the attacker can use PRoot to deliver payloads other than XMRig, which could do far more serious damage to the compromised system. The presence of masscan in the malicious filesystem indicates that the attackers intend to use the compromised machine to attack other systems.
Using PRoot makes these attacks independent of platform and distribution, which makes them more effective and harder to spot. In addition, the pre-configured PRoot filesystem lets the attacker use a single toolset across many OS configurations without porting the malware to the target architecture or bundling dependencies and build tools.
Attacks that use PRoot free the attacker from having to consider the target's architecture or distribution, since the tool removes problems with executable compatibility, environment setup and running malicious programs. Such attacks eliminate the need to configure the environment and let the attacker scale malicious campaigns quickly.
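The chain described above (PRoot binary dropped into a world-writable directory, a guest rootfs selected on its command line, and scanners or miners executing as its descendants) is straightforward to surface from process-execution telemetry. The following detection logic is an added example and is not code from Sysdig or from the PRoot project. It assumes a simplified execve-style event shape (pid, ppid, exe path, argv); the event list is constructed for the demonstration, and the rootfs options checked (`-r`/`--rootfs`/`-S`) are PRoot's real options for selecting the guest root. The paths, PIDs and URL in the sample are placeholders.

```python
import os
from typing import Dict, List, Optional

# Constructed sample of process-execution events, shaped like a simplified
# execve audit record. Not real telemetry; the download URL is a placeholder.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 1,   "exe": "/usr/bin/bash", "argv": ["bash"]},
    {"pid": 101, "ppid": 100, "exe": "/usr/bin/curl",
     "argv": ["curl", "-sL", "https://example.invalid/rootfs.tar.gz", "-o", "/tmp/rootfs.tar.gz"]},
    {"pid": 102, "ppid": 100, "exe": "/usr/bin/tar",
     "argv": ["tar", "xzf", "/tmp/rootfs.tar.gz", "-C", "/tmp/Proot/"]},
    # PRoot launched from /tmp with a guest rootfs also under /tmp
    {"pid": 103, "ppid": 100, "exe": "/tmp/Proot/proot",
     "argv": ["./proot", "-S", "/tmp/Proot/rootfs", "/bin/sh"]},
    {"pid": 104, "ppid": 103, "exe": "/tmp/Proot/rootfs/bin/sh", "argv": ["/bin/sh"]},
    {"pid": 105, "ppid": 104, "exe": "/tmp/Proot/rootfs/usr/bin/xmrig",
     "argv": ["xmrig", "-c", "config.json"]},
    {"pid": 106, "ppid": 104, "exe": "/tmp/Proot/rootfs/usr/bin/masscan",
     "argv": ["masscan", "-c", "scan.conf"]},
    # Benign: an administrator running nmap directly, with no PRoot ancestor
    {"pid": 200, "ppid": 1,   "exe": "/usr/bin/nmap", "argv": ["nmap", "-sV", "localhost"]},
]

# PRoot options that select the guest root filesystem.
PROOT_ROOTFS_FLAGS = {"-r", "--rootfs", "-S"}
# Tools named in the report that we expect to see inside the guest filesystem.
TOOLING = {"masscan", "nmap", "xmrig"}
# Locations where a dropped, user-writable rootfs typically lands.
WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")


def is_proot_exec(ev: Dict) -> bool:
    """True when the executed binary (by path or argv[0]) is named proot."""
    argv0 = ev["argv"][0] if ev["argv"] else ev["exe"]
    return os.path.basename(ev["exe"]) == "proot" or os.path.basename(argv0) == "proot"


def guest_rootfs(argv: List[str]) -> Optional[str]:
    """Return the guest rootfs path given on a PRoot command line, if any."""
    for i, arg in enumerate(argv):
        if arg.startswith("--rootfs="):
            return arg.split("=", 1)[1]
        if arg in PROOT_ROOTFS_FLAGS and i + 1 < len(argv):
            return argv[i + 1]
    return None


def find_proot_indicators(events: List[Dict]) -> List[Dict]:
    """Two rules: (1) any proot execution, rated high when the binary or its
    rootfs lives in a writable scratch directory; (2) known scanner/miner
    binaries whose ancestry passes through a proot process."""
    by_pid = {ev["pid"]: ev for ev in events}
    findings: List[Dict] = []
    proot_pids = set()

    for ev in events:
        if is_proot_exec(ev):
            proot_pids.add(ev["pid"])
            rootfs = guest_rootfs(ev["argv"])
            in_scratch = (rootfs or "").startswith(WRITABLE_PREFIXES) or ev["exe"].startswith(WRITABLE_PREFIXES)
            findings.append({"pid": ev["pid"], "rule": "proot_exec", "rootfs": rootfs,
                             "severity": "high" if in_scratch else "medium"})

    def proot_ancestor(pid: int) -> Optional[int]:
        # Walk the parent chain; guard against cycles in malformed telemetry.
        seen = set()
        while pid in by_pid and pid not in seen:
            seen.add(pid)
            pid = by_pid[pid]["ppid"]
            if pid in proot_pids:
                return pid
        return None

    for ev in events:
        name = os.path.basename(ev["argv"][0] if ev["argv"] else ev["exe"])
        if name in TOOLING:
            anc = proot_ancestor(ev["pid"])
            if anc is not None:
                findings.append({"pid": ev["pid"], "rule": "tooling_under_proot",
                                 "tool": name, "proot_pid": anc, "severity": "high"})
    return findings


if __name__ == "__main__":
    for f in find_proot_indicators(SAMPLE_EVENTS):
        print(f)
```

The second rule is the one that carries most of the signal: a bare `proot` execution is legitimate on build hosts and in some container tooling, but scanners or miners executing beneath it from a scratch directory are not. Rating by rootfs location rather than by binary name also catches the case where the attacker renames the PRoot binary but still has to point it at a guest filesystem.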