Attackers Use PRoot to Expand Scope of Linux Attacks


Sysdig describes malicious use of the PRoot utility.

The Sysdig Threat Research Team recently reported attackers “leveraging an open source tool called PRoot to expand the scope of their operations to multiple Linux distributions.”

Typically, the researchers note, attacks are “limited by the varying configurations of each Linux distribution.” Using PRoot, however, “there is little regard or concern for the target’s architecture or distribution since the tool smoothes out the attack struggles often associated with executable compatibility, environment setup, and malware and/or miner execution,” Sysdig says.

Bill Toulas at Bleeping Computer explains it this way: “Hackers are abusing the open source Linux PRoot utility in Bring Your Own Filesystem (BYOF) attacks to provide a consistent repository of malicious tools that work on many Linux distributions. A BYOF attack is when threat actors create a malicious filesystem on their own devices that contain a standard set of tools used to conduct attacks.”

A runtime detection layer, such as Falco, can help observe this type of threat and reduce your risk of exploitation, Sysdig says.
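As an added example (not from the Sysdig report and not part of Falco's shipped ruleset), here is a small Falco rules file that alerts when a PRoot binary is executed or becomes the parent of a new process; the macro and rule names are my own:

```yaml
# Added example: Falco rules for spotting PRoot launches on a host.
# Defined locally rather than relying on the default ruleset's macros.

# A completed execve/execveat, i.e. a new program image was loaded.
- macro: proot_exec_event
  condition: evt.type in (execve, execveat) and evt.dir = <

# Either PRoot itself started, or a process was spawned with PRoot as its
# parent (the first process inside the attacker-supplied guest rootfs).
- macro: proot_process_context
  condition: proc.name = proot or proc.pname = proot

- rule: PRoot Launched (Bring Your Own Filesystem)
  desc: >
    PRoot was executed, or a process was started under PRoot. PRoot lets a
    user run a self-supplied filesystem without privileges, which attackers
    use to carry a portable toolset across Linux distributions.
  condition: proot_exec_event and proot_process_context
  output: >
    PRoot activity detected (user=%user.name command=%proc.cmdline
    parent=%proc.pname exe=%proc.exepath container=%container.id)
  priority: WARNING
  # Caveat: a renamed binary defeats the proc.name match; pair this rule with
  # file-hash or exepath allow-lists where PRoot has no legitimate use.
  tags: [host, container, mitre_defense_evasion]
```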
