Cybercriminals are abusing an open-source tool called PRoot to target Linux devices. Since this tool is compatible with several Linux distributions, this attack method provides attackers with a consistent set of tools to target all supporting Linux flavors.
Why PRoot?
PRoot, a user-specific implementation of some specific set of commands, is statically compiled and doesn't require any dependencies. It easily delivers malicious code by packing it with necessary packages and executables into a filesystem.
Attackers can define different attack paths to install and execute a miner/cryptolocker or set up persistence mechanisms or run other malware.
It is simple to use and removes the efforts for executable compatibility, environment setup, and malware and/or miner execution.
The attack set-up
According to Sysdig researchers, threat actors are using a new tactic called Bring Your Own Filesystem (BYOF) to carry out the attacks.
In this attack tactic, threat actors build a malicious filesystem with all tools, malware, dependencies or configuration files, and other necessary artifacts on their own system.
This malicious filesystem is packaged in a gzip-compressed tar file.
The packages are placed either on the attacker’s local device or on popular storage platforms (such as Google Drive, Dropbox) or any other legitimate sites that are usually reachable from the target’s internal network.
Infiltration stage
Once the threat actors gain access to the targeted systems, they download the malicious filesystem package, along with PRoot.
Hackers unpack the filesystem in a folder and extract and run the PRoot executable pointing at that folder.
The compromised system run commands from the attackers’ filesystem instead of the original host filesystem.
It enables attackers to run payloads without getting detected.
Attack specifics
Researchers found one sample malicious filesystem packaged with masscan, Nmap, XMRig cryptominer, and the related configuration files.
In most cases, the attackers unpacked the filesystem on /tmp/Proot/ path and specified the XMRig binary to execute.
Conclusion
Threat actors are increasingly abusing open-source tools in cyberattacks. Attackers leverage PRoot by simply downloading the precompiled binary from GitLab and executing it in BYOF attacks. Although the threat actors have mostly used cryptominers in the ongoing campaign, researchers predict that they could leverage PRoot to distribute other payloads in the future.