"Hackers Hijack Linux Devices Using PRoot Isolated File Systems"

In Bring Your Own File System (BYOF) attacks, hackers are abusing the open-source Linux PRoot utility to provide a consistent repository of malicious tools that works across multiple Linux distributions. A BYOF attack occurs when threat actors create a malicious file system on their own devices containing a standard set of attack tools. This file system is then downloaded and mounted on infected machines, giving the attackers a preconfigured toolkit that can be used to further compromise a Linux system. According to Sysdig, the attacks typically result in cryptocurrency mining, though more dangerous scenarios are possible. The researchers also warn how easily malicious operations against Linux endpoints of all kinds could be scaled using this novel technique.

PRoot is an open-source utility that combines the commands 'chroot,' 'mount --bind,' and 'binfmt_misc' to allow users to create an isolated root file system within Linux. PRoot processes are normally restricted to the guest file system. However, QEMU emulation can be used to mix host and guest program execution. Furthermore, programs running within the guest file system can use the host system's built-in mount/bind mechanism to access files and directories.

Sysdig discovered attacks that use PRoot to install, on already compromised systems, a malicious file system containing network scanning tools, the XMRig cryptocurrency miner, and their configuration files. This article continues to discuss the abuse of PRoot in BYOF attacks on Linux devices.
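The summary above describes the shape of the technique: a PRoot invocation that points at an attacker-supplied rootfs (typically unpacked into a scratch directory), optionally with QEMU emulation, followed by tools such as XMRig running from inside that guest tree. The following detection sketch is an added example written for this page; it is not code from Sysdig, Bleeping Computer, or the PRoot project. It runs over a constructed batch of process-execution events in an assumed normalised format (pid, ppid, uid, cwd, argv, as an EDR or auditd execve feed might yield) and flags PRoot launches whose rootfs lives under /tmp, /var/tmp or /dev/shm, PRoot launches that request QEMU, and known miner binaries started under a PRoot guest. The option handling follows PRoot's `-r`/`-S`/`--rootfs=` and `-q`/`--qemu=` forms, plus a set of flags assumed to take an argument; treat that option table and the scratch-directory list as assumptions to tune for your environment.

```python
from dataclasses import dataclass

# Directories where a downloaded guest file system would commonly be unpacked
# (assumed list; extend from your own baseline).
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Binaries the page associates with the campaign; extend from threat intel.
MINER_NAMES = {"xmrig"}

# PRoot options assumed to consume the next argv element.
ARG_OPTS = {"-r", "-S", "-q", "-b", "-m", "-w", "-v", "-i", "-k"}

# Constructed sample events, ordered parent-before-child (the analysis
# assumes this ordering, as a sorted execve feed would provide).
SAMPLE_EVENTS = [
    {"pid": 4101, "ppid": 1200, "uid": 33, "cwd": "/tmp/.x",
     "argv": ["proot", "-r", "/tmp/.x/rootfs", "-b", "/proc", "-b", "/dev",
              "/bin/sh", "-c", "./run.sh"]},
    {"pid": 4102, "ppid": 4101, "uid": 33, "cwd": "/tmp/.x/rootfs",
     "argv": ["/tmp/.x/rootfs/usr/bin/xmrig", "--config=config.json"]},
    {"pid": 5000, "ppid": 1, "uid": 0, "cwd": "/home/dev",
     "argv": ["proot", "-r", "/opt/rootfs/debian", "/bin/bash"]},
    {"pid": 6000, "ppid": 900, "uid": 1000, "cwd": "/home/dev",
     "argv": ["ls", "-la"]},
    {"pid": 7000, "ppid": 1, "uid": 0, "cwd": "/",
     "argv": ["/usr/bin/proot", "-q", "qemu-aarch64", "-S", "/dev/shm/.rootfs",
              "/bin/sh"]},
]


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    severity: str
    detail: str


def basename(path):
    return path.rsplit("/", 1)[-1]


def is_proot(argv):
    return bool(argv) and basename(argv[0]) == "proot"


def parse_proot_args(argv):
    """Return (guest rootfs or None, qemu_requested) from a PRoot command line.
    Parsing stops at the first non-option token, which is the guest command."""
    rootfs, qemu = None, False
    i = 1
    while i < len(argv):
        opt = argv[i]
        if opt.startswith("--rootfs="):
            rootfs = opt.split("=", 1)[1]
        elif opt.startswith("--qemu="):
            qemu = True
        elif opt in ARG_OPTS:
            val = argv[i + 1] if i + 1 < len(argv) else None
            if opt in ("-r", "-S"):
                rootfs = val
            elif opt == "-q":
                qemu = True
            i += 2
            continue
        elif not opt.startswith("-"):
            break
        i += 1
    return rootfs, qemu


def flag_proot_events(events):
    """Apply the three rules to an ordered event list and return findings."""
    findings = []
    guest_roots = {}  # pid of a PRoot process -> rootfs it was given
    for ev in events:
        argv = ev["argv"]
        if is_proot(argv):
            rootfs, qemu = parse_proot_args(argv)
            guest_roots[ev["pid"]] = rootfs
            findings.append(Finding(ev["pid"], "proot_invocation", "low",
                                    f"rootfs={rootfs}"))
            if rootfs and rootfs.startswith(SCRATCH_DIRS):
                findings.append(Finding(ev["pid"], "proot_rootfs_in_scratch_dir",
                                        "high", rootfs))
            if qemu:
                findings.append(Finding(ev["pid"], "proot_qemu_emulation",
                                        "medium", "host/guest mixing via QEMU"))
            continue
        if not argv:
            continue
        # A child of a PRoot process, or a binary whose path lies inside a
        # known guest rootfs, is considered to run from the guest tree.
        in_guest = ev["ppid"] in guest_roots or any(
            argv[0].startswith(r.rstrip("/") + "/")
            for r in guest_roots.values() if r)
        if in_guest and basename(argv[0]) in MINER_NAMES:
            findings.append(Finding(ev["pid"], "miner_launched_from_proot_guest",
                                    "high", argv[0]))
    return findings


def rules_by_pid(findings):
    """Group finding rule names by pid for review or assertions."""
    out = {}
    for f in findings:
        out.setdefault(f.pid, set()).add(f.rule)
    return out


if __name__ == "__main__":
    for f in flag_proot_events(SAMPLE_EVENTS):
        print(f"pid={f.pid} {f.severity:6} {f.rule}: {f.detail}")
```

The low-severity `proot_invocation` rule is deliberately emitted for every PRoot launch, including the benign `/opt/rootfs/debian` case, so that an analyst can baseline legitimate use before tightening the scratch-directory and miner lists; the high-severity rules are the ones that reflect the behaviour described in the article.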

Bleeping Computer reports "Hackers Hijack Linux Devices Using PRoot Isolated File Systems"
