The Sysdig Threat Research Team recently reported attackers “leveraging an open source tool called PRoot to expand the scope of their operations to multiple Linux distributions.”

Typically, the researchers note, attacks are “limited by the varying configurations of each Linux distribution.” Using PRoot, however, “there is little regard or concern for the target’s architecture or distribution since the tool smoothes out the attack struggles often associated with executable compatibility, environment setup, and malware and/or miner execution," Sysdig says.

Bill Toulas at Bleeping Computer explains it this way: “Hackers are abusing the open source Linux PRoot utility in Bring Your Own Filesystem (BYOF) attacks to provide a consistent repository of malicious tools that work on many Linux distributions. A BYOF attack is when threat actors create a malicious filesystem on their own devices that contain a standard set of tools used to conduct attacks.”

A runtime detection layer, such as Falco, can help observe this type of threat and reduce your risk of exploitation, Sysdig says.