Researchers at Sysdig have uncovered a novel technique being used by threat actors to simplify attacks and increase the successful repeated use of malicious tooling across various Linux platforms. PRoot, a legitimate open-source Linux utility, is described by its creator as “…a user-space implementation of chroot, mount --bind, and binfmt_misc. This means that users don’t need any privileges or setup to do things like using an arbitrary directory as the new root filesystem, making files accessible somewhere else in the filesystem hierarchy, or executing programs built for another CPU architecture transparently through QEMU user-mode.”
Using PRoot, a threat actor can build a custom file system containing their malicious payloads and toolkits, deliver it to victim devices, and mount it with PRoot. Deploying malware this way greatly increases its compatibility across different Linux operating systems, either by providing a consistent operational environment or by using Quick Emulation (QEMU) to bridge incompatible CPU architectures. For example, a piece of malware could be written for the ARM architecture but still run on an x86-based system. Because of this increased compatibility, threat actors can scale operations quickly and efficiently without being slowed down by the many differences between Linux systems that could otherwise cause their malware to fail.
Sysdig states that the most common use of this technique they have observed is to deliver and run the popular cryptocurrency miner XMRig, and in some cases reconnaissance tools such as masscan or nmap. However, the technique could just as easily be used to deploy a practically limitless range of malicious programs.
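The mechanism described above gives defenders a concrete host-side signal. Because PRoot provides its chroot without privileges by ptrace-ing the guest processes it launches and rewriting the paths in their system calls, a process running inside a PRoot file system appears in the host's /proc as an ordinary process whose TracerPid is the PRoot process, and the PRoot process itself carries the guest root in its command line. The following Python script is an added example, not Sysdig's or PRoot's code; it parses process records in the shape of /proc/<pid>/comm, cmdline and status, flags both signals, and can also scan a live /proc. The ProcRecord field names and the sample records at the bottom (including the /tmp paths and the "xmrig" guest) are constructed for the example.

```python
"""Heuristic detection of PRoot-style user-space chroots on a Linux host.

Added example (not Sysdig's code or PRoot's). PRoot implements chroot without
privileges by ptrace-ing its guest processes and rewriting the paths in their
system calls, so from the host's /proc a guest process is visible as an
ordinary process whose TracerPid is the PRoot process. Two signals are checked:
  1. a process whose argv[0] is a proot binary (optionally with its rootfs), and
  2. a process whose tracer is such a proot process.
The ProcRecord fields mirror /proc/<pid>/{comm,cmdline,status}; the sample
records at the bottom are constructed, including the /tmp paths.
"""
import os
import re
from dataclasses import dataclass


@dataclass
class ProcRecord:
    pid: int
    comm: str        # /proc/<pid>/comm
    cmdline: list    # /proc/<pid>/cmdline split on NUL
    tracer_pid: int  # TracerPid line of /proc/<pid>/status (0 = not traced)


# Matches "proot" or "proot-static" as the basename of argv[0].
PROOT_BIN = re.compile(r"(^|/)proot(-static)?$")


def is_proot_invocation(cmdline):
    """True if argv[0] looks like a PRoot binary, whatever directory it runs from."""
    return bool(cmdline) and PROOT_BIN.search(cmdline[0]) is not None


def rootfs_of(cmdline):
    """Return the guest root given to proot via -r/-R/-S or --rootfs=, if any."""
    for i, arg in enumerate(cmdline):
        if arg in ("-r", "-R", "-S") and i + 1 < len(cmdline):
            return cmdline[i + 1]
        if arg.startswith("--rootfs="):
            return arg.split("=", 1)[1]
    return None


def assess(records):
    """Return (pid, comm, reasons) for every record tied to a PRoot instance."""
    by_pid = {r.pid: r for r in records}
    findings = []
    for r in records:
        reasons = []
        if is_proot_invocation(r.cmdline):
            reasons.append(f"proot launched with rootfs {rootfs_of(r.cmdline)}")
        tracer = by_pid.get(r.tracer_pid)
        if tracer is not None and is_proot_invocation(tracer.cmdline):
            reasons.append(f"ptraced by proot pid {tracer.pid} ({tracer.comm})")
        if reasons:
            findings.append((r.pid, r.comm, reasons))
    return findings


def collect_live(proc="/proc"):
    """Read the same fields from a real /proc; unreadable entries are skipped."""
    records = []
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        base = os.path.join(proc, name)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
            tracer = 0
            with open(os.path.join(base, "status")) as f:
                for line in f:
                    if line.startswith("TracerPid:"):
                        tracer = int(line.split()[1])
                        break
        except OSError:
            continue  # process exited or is not readable by this user
        records.append(ProcRecord(int(name), comm, cmdline, tracer))
    return records


# Constructed sample: a PRoot process with a guest shell and a guest miner,
# plus an strace'd process to show that "traced" alone is not the signal.
SAMPLE_RECORDS = [
    ProcRecord(100, "bash", ["/bin/bash"], 0),
    ProcRecord(200, "proot", ["/tmp/proot-static", "-r", "/tmp/rootfs", "/bin/sh"], 0),
    ProcRecord(201, "sh", ["/bin/sh"], 200),
    ProcRecord(202, "xmrig", ["./xmrig"], 200),
    ProcRecord(300, "strace", ["strace", "ls"], 0),
    ProcRecord(301, "ls", ["ls"], 300),
]

if __name__ == "__main__":
    for pid, comm, reasons in assess(SAMPLE_RECORDS):
        print(f"pid {pid} ({comm}): " + "; ".join(reasons))
    if os.path.isdir("/proc"):
        for pid, comm, reasons in assess(collect_live()):
            print(f"[live] pid {pid} ({comm}): " + "; ".join(reasons))
```

On the constructed sample the script flags pid 200 (the PRoot launcher, with its guest root), and pids 201 and 202 as guests traced by it, while leaving the strace'd process alone. The tracer check is the more robust of the two signals: renaming the PRoot binary defeats the argv[0] match, but the ptrace relationship is inherent to how PRoot works.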