Threat actors have recently been utilizing an open-source tool known as PRoot to expand the reach of their operations across various Linux distributions. The Sysdig Threat Research Team (TRT) uncovered this technique and highlighted the significant risks associated with it.
In a recent advisory released by Sysdig, the company explained how PRoot allows attackers to maintain a consistent operational environment across different Linux distributions, such as Ubuntu, Fedora, and Alpine. This tool also offers emulation capabilities, enabling threat actors to run malware built on different architectures, like ARM (advanced RISC machine).
Described as a “bring your own filesystem” (BYOF) attack by Sysdig, this method proves advantageous for threat actors who may lack a comprehensive understanding of a target environment or the resources needed to switch tools mid-operation. With PRoot, attackers can create a malicious file system containing all the necessary components for a successful attack, including download instructions, configuration details, and installation procedures.
The use of PRoot streamlines the attack process by eliminating concerns about target architecture or distribution compatibility. This tool simplifies executable compatibility, environment setup, and malware execution, moving closer to the goal of “write once, run everywhere.”
In addition, PRoot is statically compiled, eliminating the need for external files or libraries. This simplicity makes it a popular choice for attackers, who can easily incorporate it into their toolchain. The executable can even be packed with obfuscation tools like UPX to avoid detection.
Sysdig noted that threat actors deploying this technique only need to execute a few commands to infiltrate a victim system and launch payloads. The cybersecurity experts at Sysdig investigated the use of the XMRig crypto-miner in these attacks, where the miner is stored in the malicious filesystem and launched effortlessly without additional setup commands.
To combat BYOF threats, the Sysdig Threat Research Team has developed detection rules using Falco, which can identify the usage of the PRoot tool. This proactive approach aims to mitigate the risks posed by this new attack method.
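The kind of detection described above, written here as an added Falco example rather than Sysdig's published rule set: it flags PRoot being launched and the first command PRoot starts inside its private filesystem. The macro, rule names and tags are my own, and the command-line patterns assume PRoot's usual options (-r/-S for the supplied rootfs, -q for QEMU emulation).

```yaml
# Added example rules, not Sysdig's own. Falco evaluates these against
# process-exec events on the host or inside containers.

# Fires on every successful execve/execveat (the '<' direction is the exit
# of the syscall, i.e. the new image is already in place).
- macro: exec_event
  condition: evt.type in (execve, execveat) and evt.dir = <

- rule: PRoot Bring Your Own Filesystem launch
  desc: >
    A process named proot, or one started with PRoot's rootfs option (-r/-S)
    together with QEMU emulation (-q/--qemu), was executed. PRoot lets an
    attacker run a self-supplied filesystem and foreign-architecture binaries
    on any Linux distribution. A renamed or UPX-packed binary defeats the name
    check, so the argument pattern is matched as well.
  condition: >
    exec_event and (
      proc.name = "proot" or
      proc.cmdline startswith "proot " or
      ((proc.cmdline contains " -r " or proc.cmdline contains " -S ") and
       (proc.cmdline contains " -q qemu-" or proc.cmdline contains "--qemu=qemu-"))
    )
  output: >
    PRoot launched (user=%user.name parent=%proc.pname cmdline=%proc.cmdline
    container=%container.id)
  priority: WARNING
  tags: [host, container, proot, bring_your_own_filesystem]

- rule: Process spawned inside PRoot filesystem
  desc: >
    PRoot forks the guest command it is asked to run, so the first process in
    the attacker-supplied filesystem has proot as its parent. In the BYOF
    intrusions described by Sysdig that process was the XMRig miner.
  condition: exec_event and proc.pname = "proot"
  output: >
    Child of PRoot spawned (user=%user.name exe=%proc.name cmdline=%proc.cmdline
    container=%container.id)
  priority: WARNING
  tags: [host, container, proot, bring_your_own_filesystem]
```

Only the first command PRoot launches has proot as its parent; later processes inside the guest filesystem descend from that command, so correlate on the process tree when triaging an alert.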
This emerging threat comes on the heels of Check Point Research (CPR) identifying XMRig as the third-most prevalent malware in the wild in July. As threat actors continue to evolve their tactics, organizations must stay vigilant and implement robust security measures to protect against sophisticated attacks like those leveraging PRoot.