Hackers hijack Linux devices using PRoot isolated filesystems
Hackers are abusing the open-source Linux PRoot utility in BYOF attacks to provide a consistent repository of malicious tools that work on many Linux distributions.
A Bring Your Own Filesystem attack is one in which threat actors build a malicious filesystem on their own devices that contains a standard set of tools used to conduct attacks.
PRoot is an open-source utility that combines the functionality of 'chroot', 'mount --bind', and 'binfmt_misc', allowing users to set up an isolated root filesystem within Linux.
The attacks seen by Sysdig use PRoot to deploy a malicious filesystem on already compromised systems; the filesystem includes network scanning tools such as "Masscan" and "Nmap," the XMRig cryptominer, and their configuration files.
The abuse of PRoot makes these post-exploitation attacks platform- and distribution-agnostic, increasing both the chances of success and the threat actors' stealthiness.
Pre-configured PRoot filesystems allow attackers to use a toolkit across many OS configurations without having to port their malware to the targeted architecture or include dependencies and build tools.
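As an added defender-side example (not code from the article or from Sysdig), the following Python flags PRoot launchers and the processes they host from a /proc-style snapshot. It relies on PRoot being a ptrace-based user-space chroot, so hosted processes report PRoot's pid as their tracer; the process records, pids and paths in SAMPLE are constructed.

```python
import os
import re
from dataclasses import dataclass

@dataclass
class Proc:
    pid: int
    exe: str         # readlink of /proc/<pid>/exe
    cmdline: str     # /proc/<pid>/cmdline with NULs replaced by spaces
    tracer_pid: int  # TracerPid field of /proc/<pid>/status

# PRoot names its guest root on its own command line: `proot -r ROOTFS` or `-S ROOTFS`.
_ROOTFS = re.compile(r"(?:^|\s)-[rS]\s+(\S+)")

def is_proot(p):
    """Name-based check on the launcher (a renamed binary evades this)."""
    argv = p.cmdline.split()
    return "proot" in (os.path.basename(p.exe), os.path.basename(argv[0]) if argv else "")

def guest_rootfs(p):
    m = _ROOTFS.search(p.cmdline)
    return os.path.normpath(m.group(1)) if m else None

def find_proot_activity(procs):
    """Return (pid, reason) pairs for PRoot launchers and the processes they host.
    PRoot emulates chroot/bind mounts in user space with ptrace, so each hosted
    process carries PRoot's pid in TracerPid; its binary also lives under the
    guest root on the host disk, which catches tools run from that tree directly."""
    by_pid = {p.pid: p for p in procs}
    roots = [r for r in map(guest_rootfs, filter(is_proot, procs)) if r]
    findings = []
    for p in procs:
        tracer = by_pid.get(p.tracer_pid)
        if is_proot(p):
            findings.append((p.pid, "PRoot launcher, guest root %s" % guest_rootfs(p)))
        elif tracer is not None and is_proot(tracer):
            findings.append((p.pid, "traced by PRoot pid %d" % tracer.pid))
        elif any(p.exe.startswith(r + "/") for r in roots):
            findings.append((p.pid, "binary inside a PRoot guest root: %s" % p.exe))
    return findings

# Constructed snapshot mirroring the toolkit Sysdig describes (not real telemetry).
SAMPLE = [
    Proc(1, "/usr/lib/systemd/systemd", "/sbin/init", 0),
    Proc(4410, "/tmp/.x/proot", "./proot -S /tmp/.x/rootfs /bin/sh ./run.sh", 0),
    Proc(4412, "/tmp/.x/rootfs/usr/bin/xmrig", "xmrig -c config.json", 4410),
    Proc(4413, "/tmp/.x/rootfs/usr/bin/masscan", "masscan -c masscan.conf", 0),
    Proc(4500, "/usr/bin/gdb", "gdb ./a.out", 0),   # ordinary ptrace use: not flagged
    Proc(4501, "/home/dev/a.out", "./a.out", 4500),
]
```

On a live host, build the Proc records from os.readlink("/proc/<pid>/exe"), the NUL-separated /proc/<pid>/cmdline and the TracerPid line of /proc/<pid>/status. All three checks key off the launcher's name, so a renamed PRoot binary needs a behavioural signal (an unexpected tracer on a worker process) rather than this string match.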