AT&T Alien Labs has reported that TeamTNT (a group that specializes in attacking the cloud and misconfigured Docker instances) is using a new downloader (based on the Ezuri crypter) to decrypt, install, and execute a malware payload from memory, without writing to the disk. This downloader is based on Golang and serves as both crypter and loader for ELF (Executive and Linkable Format) binaries. The Ezuri crypter was created in 2019 and posted to GitHub for anyone to use.

When used, Ezuri asks for a payload path to be encrypted and for a password. If no password is given, one will be automatically generated. The malware is then hidden within the loader and, after the user's input, the packer compiles the loader with the encrypted payload which can then be decrypted and executed within memory (once it's on a victim's system). After the AES-encrypted payload is decrypted, Ezuri passes the resulting code to the runFromMemory function as an argument (without dropping the malicious payload on the infected system—hence the fileless nature of the malware).

Tom Hegel, security researcher at AT&T Cybersecurity’s Alien Labs, said of Linux being the target, “TeamTNT is more cloud-focused than Linux, but they overlap well in this case. The group tends to target cloud-standard resources and operating systems, such as docker and *nix.”

To find out more on how Ezuri is used, read Malware using new Ezuri memory loader from AT&T Labs.