2022-12-06

A new report reveals how some hackers are not interested in installing malware or viruses on the target endpoints, but instead bring their entire toolbox to the victim's device, which then lets them pick and choose the best malicious tool for each individual target.

Research from Sysdig, which calls the method “Bring Your Own Filesystem,” or BYOF for short, has found that the method works on Linux devices so far, thanks to a vulnerable utility called PRoot.

According to Sysdig, the threat actors create an entire malicious file system on their own devices, then download it to the compromised endpoint and attach it there. That way, they get a pre-configured toolkit that allows them to compromise Linux systems even further.

Install cryptojackers

“First, attackers build a malicious file system that is deployed. This malicious file system contains everything the operation needs to succeed,” Sysdig said in its report. “By doing this preparation at this early stage, all tools can be downloaded, configured or installed on the attacker’s own system, away from the prying eyes of detection tools.”

While the software company has so far only observed the method used to install cryptocurrency miners on these devices, it says the potential for more disruptive and malicious attacks is there.

PRoot is a utility that allows users to create isolated root filesystems on Linux. Although the tool is designed to run all processes within the guest file system, there are ways to mix host and guest programs, which the threat actors exploit. In addition, programs running in the guest file system can use the built-in mount/bind mechanism to access files and directories from the host system.

Apparently, it is relatively easy to abuse PRoot to deliver malware, as the tool is statically compiled and requires no additional dependencies. All hackers need to do is download the precompiled binary from GitLab and drop it on the target endpoint.

“Any dependencies or configurations are also included in the file system, so the attacker doesn’t have to run any additional setup commands,” says Sysdig. “The attacker launches PRoot, targets the extracted malicious file system, and specifies the XMRig binary to execute.”
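To make that attack chain concrete from the defender's side, here is an added example (not from the Sysdig report and not PRoot's own code) that scans process-execution events, recognises PRoot launches by the options PRoot documents (`-r`/`-S`/`-R` for the root filesystem, `-b`/`-m` for host binds, `-0` for fake root), and flags the traits the article describes: a PRoot binary or root filesystem staged in a temporary directory, sensitive host directories bound into the guest, and a guest command naming XMRig. The event format and all sample events are constructed for the example; a real deployment would feed it auditd or EDR exec records instead.

```python
"""Flag suspicious PRoot ("Bring Your Own Filesystem") launches in exec events.

Added example for illustration; not code from Sysdig or the PRoot project.
The event schema and SAMPLE_EVENTS below are constructed, not captured data.
"""
import os
import shlex
from dataclasses import dataclass, field

# Staging locations that legitimate PRoot use rarely needs (assumption for this example).
TEMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
# Host directories whose exposure to the guest is worth a look. /proc, /dev and /sys
# are deliberately absent: binding them is normal PRoot usage.
SENSITIVE_HOST_DIRS = ("/", "/etc", "/root", "/home")
# Guest binary the report says was executed through PRoot.
MINER_NAMES = {"xmrig"}

# PRoot options that consume a value; parsing must skip the value so it is not
# mistaken for the start of the guest command.
ROOTFS_OPTS = {"-r", "--rootfs", "-S", "-R"}
BIND_OPTS = {"-b", "--bind", "-m", "--mount"}
VALUE_OPTS = ROOTFS_OPTS | BIND_OPTS | {"-w", "--pwd", "--cwd", "-q", "--qemu", "-i", "-p", "-k"}

# Constructed exec events in the shape an EDR / auditd pipeline might emit.
SAMPLE_EVENTS = [
    {"pid": 4201, "user": "www-data",
     "cmdline": "/tmp/proot -r /tmp/.x/rootfs -b /proc -b /dev -b /sys -b /etc -w / /usr/bin/xmrig"},
    {"pid": 4310, "user": "dev",
     "cmdline": "/usr/bin/proot -r /home/dev/alpine-rootfs -b /proc -b /dev /bin/sh"},
    {"pid": 4333, "user": "dev",
     "cmdline": "/usr/bin/curl -O https://example.invalid/file"},
    {"pid": 4402, "user": "nobody",
     "cmdline": "proot -S /dev/shm/fs -0 /bin/bash"},
]


@dataclass
class ProotLaunch:
    pid: int
    user: str
    binary: str
    rootfs: str = "/"
    binds: list = field(default_factory=list)
    command: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


def _inside(path, dirs):
    """True if path equals one of dirs or lies beneath it ("/" only matches exactly)."""
    path = os.path.normpath(path)
    return any(path == d or (d != "/" and path.startswith(d + "/")) for d in dirs)


def parse_proot(event):
    """Return a ProotLaunch for a proot command line, or None for anything else."""
    argv = shlex.split(event["cmdline"])
    if not argv or os.path.basename(argv[0]) != "proot":
        return None
    launch = ProotLaunch(pid=event["pid"], user=event["user"], binary=argv[0])
    i = 1
    while i < len(argv):
        tok = argv[i]
        if not tok.startswith("-"):          # first non-option token starts the guest command
            launch.command = argv[i:]
            break
        opt, eq, inline = tok.partition("=")
        if opt in VALUE_OPTS:
            value = inline if eq else (argv[i + 1] if i + 1 < len(argv) else "")
            if opt in ROOTFS_OPTS:
                launch.rootfs = value
            elif opt in BIND_OPTS:           # -b host[:guest]; keep the host side
                launch.binds.append(value.split(":", 1)[0])
            i += 1 if eq else 2
        else:
            i += 1                           # valueless flag such as -0
    return launch


def assess(launch):
    """Attach human-readable reasons to a launch; returns the (possibly empty) list."""
    if _inside(launch.binary, TEMP_DIRS):
        launch.reasons.append("proot binary staged in a temporary directory")
    if _inside(launch.rootfs, TEMP_DIRS):
        launch.reasons.append(f"guest root filesystem {launch.rootfs} lives in a temporary directory")
    for host_path in launch.binds:
        if _inside(host_path, SENSITIVE_HOST_DIRS):
            launch.reasons.append(f"sensitive host path {host_path} bound into the guest")
    if launch.command and os.path.basename(launch.command[0]) in MINER_NAMES:
        launch.reasons.append(f"guest command is a known miner: {launch.command[0]}")
    return launch.reasons


def scan(events):
    """Return every PRoot launch that earned at least one reason."""
    findings = []
    for event in events:
        launch = parse_proot(event)
        if launch is not None and assess(launch):
            findings.append(launch)
    return findings


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"pid {hit.pid} ({hit.user}): rootfs={hit.rootfs} cmd={' '.join(hit.command)}")
        for reason in hit.reasons:
            print("   -", reason)
```

Only the two launches that match the report's pattern are reported; the developer's PRoot session rooted under a home directory produces no finding, which is the point of scoring traits rather than alerting on every `proot` execution.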

Via: BleepingComputer