Threat actors have recently been utilizing an open-source tool known as PRoot to expand the scope of their attacks across various Linux distributions. The Sysdig Threat Research Team (TRT) uncovered this technique and highlighted the significant dangers it poses.
In a recent advisory published by the company, it was explained that the typical limitations of an attack are often dictated by the different configurations of each Linux distribution. However, PRoot offers threat actors a consistent operational environment across multiple distributions, including Ubuntu, Fedora, and Alpine. This tool also provides emulation capabilities, enabling the execution of malware designed for different architectures, such as ARM.
Referred to as “bring your own filesystem” (BYOF) by Sysdig, this method proves advantageous for threat actors who may lack a comprehensive understanding of the target environment prior to an attack or the resources needed to switch tools during an operation. The attackers construct a malicious file system containing all the necessary components for a successful attack, from download instructions to configuration and installation operations.
By using PRoot, the compatibility issues typically encountered with different architectures or distributions are smoothed out, simplifying the execution of malware or miners. The tool aligns with the concept of “write once, run everywhere,” a goal long sought after by attackers. Additionally, PRoot is statically compiled, eliminating the need for external files or libraries and making it easy to incorporate into an attacker’s toolchain.
The attack process is streamlined with PRoot, as observed by the Sysdig team. Threat actors leveraging this technique only need to execute a few commands to deploy to a victim system and initiate payloads. Sysdig’s investigation focused on XMRig, a widely used cryptocurrency miner. The XMRig binary is stored within the malicious filesystem, eliminating the need for additional setup commands. The attacker simply launches PRoot, directs it to the unpacked malicious filesystem, and specifies the XMRig binary for execution.
To combat these BYOF threats, the Sysdig Threat Research Team has developed rules using Falco that can identify the usage of the PRoot tool. This proactive approach aims to detect and mitigate potential attacks leveraging this technique.
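As an added illustration of the detection idea described above (this is example code written for this article, not Sysdig’s Falco rules), the following Python scans process-exec telemetry for PRoot launches and pulls out the three parts of a BYOF invocation: the guest root filesystem, any CPU emulator, and the payload run inside it. The option names are assumed from PRoot’s usage text, and the sample events are constructed, not a real capture.

```python
import shlex
from pathlib import PurePosixPath
from typing import Optional

# PRoot options that consume the next argument. Assumption: names taken from
# PRoot's usage text; any other option is treated as taking no argument.
OPTS_WITH_ARG = {"-r", "--rootfs", "-S", "-R", "-b", "--bind", "-q", "--qemu",
                 "-w", "--pwd", "-k", "--kernel-release", "-v", "--verbose"}
ROOTFS_OPTS = {"-r", "--rootfs", "-S", "-R"}   # -S/-R are aliases wrapping -r
EMULATION_OPTS = {"-q", "--qemu"}              # run guest binaries under QEMU

def parse_proot_cmdline(cmdline: str) -> Optional[dict]:
    """Return what a PRoot invocation does, or None if argv[0] is not proot."""
    argv = shlex.split(cmdline)
    if not argv or PurePosixPath(argv[0]).name != "proot":
        return None
    finding = {"rootfs": None, "emulator": None, "guest_cmd": None}
    i = 1
    while i < len(argv):
        tok = argv[i]
        if not tok.startswith("-"):
            finding["guest_cmd"] = argv[i:]      # first non-option: guest command
            break
        if tok in OPTS_WITH_ARG and i + 1 < len(argv):
            if tok in ROOTFS_OPTS:
                finding["rootfs"] = argv[i + 1]
            elif tok in EMULATION_OPTS:
                finding["emulator"] = argv[i + 1]
            i += 2
        else:
            i += 1                               # flag without argument, e.g. -0
    return finding

def scan_exec_events(events) -> list:
    """Flag every exec event whose command line launches PRoot."""
    alerts = []
    for ev in events:
        parsed = parse_proot_cmdline(ev["cmdline"])
        if parsed is not None:
            alerts.append({"pid": ev["pid"], "user": ev["user"], **parsed})
    return alerts

# Constructed sample exec telemetry (pid, user, command line), not a real capture.
SAMPLE_EVENTS = [
    {"pid": 4101, "user": "www-data", "cmdline": "/bin/bash -c 'id'"},
    {"pid": 4102, "user": "www-data",
     "cmdline": "/tmp/.x/proot -0 -S /tmp/.x/rootfs -w / /usr/bin/xmrig"},
    {"pid": 4103, "user": "www-data",
     "cmdline": "./proot -q qemu-arm -r /tmp/rootfs-arm /bin/sh"},
]

if __name__ == "__main__":
    for alert in scan_exec_events(SAMPLE_EVENTS):
        print(alert)
```

A Falco rule achieves the same match in-kernel on the execve event; this script is useful for sweeping exported EDR or audit logs after the fact.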
This emergence of PRoot-based attacks follows Check Point Research’s identification of XMRig as the third most widely used malware in the wild in July. As threat actors continue to evolve their tactics, cybersecurity professionals must remain vigilant and adapt their defenses to effectively combat these sophisticated threats.