How Cybercriminals Use Custom File Systems to Evade Detection

Custom filesystems are a powerful tool for evading detection, allowing attackers to operate undetected and wreak havoc on unsuspecting victims.

by Gwendal Smith
February 1, 2023
in Articles, Cybercrime, Malware

Bring Your Own Filesystem (BYOF) attacks are a relatively new tactic in cybercrime operations, used to evade detection by security software. In these attacks, the attacker brings their own custom filesystem to the victim’s machine, which is then used to launch malware or other malicious payloads. This allows the attacker to bypass traditional security measures that are designed to detect and block known malware.

In this article, we will take a closer look at some real-world examples of BYOF attacks, including the ProjectSauron cyber espionage campaign, the Animal Farm malware group, and a recent cryptominer attack. These examples demonstrate the growing sophistication of attackers and the challenges that security professionals face in trying to detect and block these types of attacks.

What are BYOF attacks?

BYOF (Bring Your Own Filesystem) attacks are a relatively new tactic used by cybercriminals to evade detection by security software, but precedents can be found in sophisticated APT campaigns. This is a weak signal that cybersecurity professionals must watch, as APT techniques can boost cybercrime by giving criminals a significant edge against detection and protection mechanisms.

Traditional malware relies on the host operating system’s file system to carry out its malicious activities. BYOF attacks circumvent this by creating a custom file system that is separate from the host operating system’s file system. This allows attackers to hide their malicious activities from security software that is designed to detect malware on the host file system.

To create a custom file system, attackers use tools such as PRoot and QEMU to set up an isolated root file system within the host operating system. This allows them to package all the necessary dependencies, including malware and configuration files, within the custom file system. The custom file system can then be mounted on the host operating system and the malware can be executed without being detected by security software.

Real-world examples of BYOF attacks

The cybersecurity and threat intelligence literature gives us a view of real-world implementations of custom filesystems by malware authors and cyberattack operators.

Animal Farm and the Dino Malware

Animal Farm is a cyber espionage group that has been active since at least 2011. It is also known as “Snowglobe” in the Snowden files and is known for its advanced malware capabilities. It has been observed targeting a wide range of victims, including government organizations and private companies in several countries. The group is known to use custom malware, including a family called “Dino”, which embeds a custom file system called ramFS to evade detection. The group is believed to be state-sponsored.

Dino, one of the malware families used by this group, uses a custom file system called ramFS. This file system is present in several droppers used by Animal Farm and allows the malware to evade detection.

The ProjectSauron advanced platform

ProjectSauron is a cyber espionage campaign that was uncovered in 2016 by Kaspersky Lab. It is a highly advanced and sophisticated malware platform that is believed to have been used by a nation-state actor for targeted attacks against government organizations and other high-value targets. The attackers used a variety of tactics to compromise victims’ systems, including removable USB devices to move data from air-gapped networks to Internet-connected systems. The malware evaded detection by using a custom file system called VFS and by disguising itself as legitimate software. The full extent of the damage caused by ProjectSauron is not known, but it is believed to have been active for at least five years before being discovered.

This cyber espionage campaign used a custom file system, known as a Virtual File System (VFS), to extract encrypted government communications. The attackers used removable USB devices to move data from air-gapped networks to Internet-connected systems. Once the networked systems were compromised, the attackers waited for a USB drive to be attached to the infected machine. These USB drives were specially formatted to reduce the size of the partition on the disk, reserving an area of hidden space at the end of the disk for malicious purposes. This reserved space was used to create a new custom-encrypted partition that would not be recognized by common operating systems such as Windows.
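The layout described above leaves a measurable trace: the partition table stops well short of the end of the disk. The following added example (not tooling from the article, from Kaspersky or from XRATOR) checks a disk's geometry for such a trailing unallocated region. The partition geometries are constructed sample data, the 512-byte sector size and the 64 MiB threshold are assumed tuning values, and in practice the numbers would be read from `fdisk -l` or a partition-table parser.

```python
"""Check a disk's partition layout for a large unallocated region at the end of
the disk, the kind of hidden space the ProjectSauron USB drives reserved.

Added illustration for this article; not tooling from the article, from
Kaspersky or from XRATOR. The disk geometries below are constructed sample
data, and the 64 MiB threshold is an assumed tuning value."""

from dataclasses import dataclass

SECTOR_SIZE = 512  # assumed logical sector size for the sample geometries


@dataclass(frozen=True)
class Partition:
    name: str
    start_lba: int     # first sector of the partition
    size_sectors: int  # length of the partition in sectors

    @property
    def end_lba(self) -> int:
        return self.start_lba + self.size_sectors  # exclusive end sector


def unallocated_regions(total_sectors: int, partitions: list[Partition]) -> list[tuple[int, int]]:
    """Return the (start, end) sector ranges covered by no partition, in disk order.
    The small gap before the first partition (alignment, boot code) is reported
    too; only the trailing region is used by the check below."""
    regions = []
    cursor = 0
    for part in sorted(partitions, key=lambda p: p.start_lba):
        if part.start_lba > cursor:
            regions.append((cursor, part.start_lba))
        cursor = max(cursor, part.end_lba)
    if cursor < total_sectors:
        regions.append((cursor, total_sectors))
    return regions


def trailing_slack_bytes(total_sectors: int, partitions: list[Partition]) -> int:
    """Bytes between the end of the last partition and the end of the disk."""
    regions = unallocated_regions(total_sectors, partitions)
    if not regions or regions[-1][1] != total_sectors:
        return 0
    start, end = regions[-1]
    return (end - start) * SECTOR_SIZE


def suspicious_trailing_slack(total_sectors: int, partitions: list[Partition],
                              threshold_bytes: int = 64 * 1024 * 1024) -> bool:
    """Partitioning tools routinely leave a little slack for alignment, so a
    small tail is normal. A tail of tens of megabytes or more on a removable
    drive is worth imaging and inspecting (entropy, unknown signatures)."""
    return trailing_slack_bytes(total_sectors, partitions) >= threshold_bytes


# Constructed sample: an 8 GiB USB stick (16,777,216 sectors of 512 bytes).
SAMPLE_TOTAL_SECTORS = 8 * 1024 ** 3 // SECTOR_SIZE

# Ordinary layout: one partition starting at sector 2048, ending 512 KiB short of the disk end.
SAMPLE_NORMAL = [Partition("sdb1", 2048, 16_774_144)]

# Suspicious layout: the single partition stops 256 MiB short of the disk end.
SAMPLE_SUSPICIOUS = [Partition("sdc1", 2048, 16_250_880)]


if __name__ == "__main__":
    for label, layout in (("normal", SAMPLE_NORMAL), ("suspicious", SAMPLE_SUSPICIOUS)):
        slack = trailing_slack_bytes(SAMPLE_TOTAL_SECTORS, layout)
        flag = suspicious_trailing_slack(SAMPLE_TOTAL_SECTORS, layout)
        print(f"{label}: {slack / 1024 ** 2:.1f} MiB trailing slack, suspicious={flag}")
```

A flagged tail is a lead, not a verdict: resized partitions and vendor recovery areas also leave gaps. The follow-up is to image the region and check whether it holds a recognizable structure or high-entropy data, which is what an undeclared encrypted partition looks like.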

The PRoot cryptomining operation

PRoot is a Linux utility that allows users to run programs in a chroot-like environment without modifying the host system. This is useful for running software that is not compatible with the host’s architecture or distribution. PRoot can also be used to create lightweight virtual environments for running applications, similar to containerization, and for software development and testing, for example to test software on different Linux distributions.

Sysdig, a cybersecurity company, has reported on the use of PRoot by attackers. The Sysdig report describes a cryptominer operation that uses xmrig to mine Monero cryptocurrency on compromised systems. The attackers used PRoot to deploy a malicious filesystem on already compromised systems, packaged together with the xmrig malware. This method allows the attackers to bypass traditional security measures, making the operation particularly difficult to detect and defend against. PRoot also lets the attackers scale up their operation quickly, increasing their chances of success, since they can reuse one toolkit across many OS configurations without porting their malware to the targeted architecture or including dependencies and build tools.

Using PRoot, the attackers have little regard or concern for the target’s architecture or distribution, since the tool smooths out the attack struggles often associated with executable compatibility, environment setup, and malware and/or miner execution.
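The flip side of the portability described in this section and in the earlier paragraph on PRoot and QEMU is that the deployment itself is visible on the host: PRoot is an ordinary userland process, and everything launched through it is its child. The following added example (not tooling from Sysdig, from the PRoot project or from XRATOR) flags PRoot invocations, the guest root directory they were given, every process descending from them, and the xmrig process name mentioned in the report, from a process listing. The listing is constructed sample data in the shape of `ps -eo pid,ppid,comm,args`; the staging directories and the miner name set are assumed tuning values.

```python
"""Flag PRoot-based staging of a foreign filesystem, and anything running
inside it, from a process listing.

Added illustration for this article; not tooling from Sysdig, from the PRoot
project or from XRATOR. The process listing below is constructed sample data in
the shape of `ps -eo pid,ppid,comm,args`; the staging directories and the miner
name set are assumed tuning values."""

from dataclasses import dataclass

# PRoot options that take the guest root directory as their argument.
ROOTFS_FLAGS = ("-r", "--rootfs", "-S", "-R")
# Assumed: directories where a downloaded rootfs is typically unpacked on a host the intruder does not own.
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Process name named in the article; extend from threat intelligence.
MINER_NAMES = {"xmrig"}


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    comm: str   # kernel process name, truncated to 15 characters by the kernel
    args: str   # full command line


def parse_ps(text: str) -> list[Proc]:
    """Parse `ps -eo pid,ppid,comm,args` output, skipping the header line."""
    procs = []
    for line in text.strip().splitlines()[1:]:
        parts = line.split(maxsplit=3)
        if len(parts) < 4:
            continue
        pid, ppid, comm, args = parts
        procs.append(Proc(int(pid), int(ppid), comm, args))
    return procs


def proot_rootfs(args: str):
    """Extract the guest root directory from a PRoot command line, or None."""
    toks = args.split()
    for i, tok in enumerate(toks):
        if tok.startswith("--rootfs="):
            return tok.split("=", 1)[1]
        if tok in ROOTFS_FLAGS and i + 1 < len(toks):
            return toks[i + 1]
    return None


def is_proot(p: Proc) -> bool:
    """Match on the kernel process name or on the basename of the launched binary."""
    binary = p.args.split()[0].rsplit("/", 1)[-1]
    return p.comm == "proot" or binary == "proot"


def find_byof_indicators(procs: list[Proc]) -> list[tuple[int, list[str]]]:
    """Return (pid, reasons) for every process that is PRoot itself, descends
    from a PRoot process, or carries a known miner name."""
    by_pid = {p.pid: p for p in procs}
    proot_pids = {p.pid for p in procs if is_proot(p)}

    def proot_ancestor(p: Proc):
        # Walk up the parent chain; the seen-set guards against cyclic or stale listings.
        seen = set()
        while p.ppid in by_pid and p.ppid not in seen:
            seen.add(p.ppid)
            if p.ppid in proot_pids:
                return p.ppid
            p = by_pid[p.ppid]
        return None

    findings = []
    for p in procs:
        reasons = []
        if p.pid in proot_pids:
            rootfs = proot_rootfs(p.args)
            reasons.append(f"proot launched with guest rootfs {rootfs}")
            if rootfs and rootfs.startswith(STAGING_DIRS):
                reasons.append("guest rootfs unpacked in a staging directory")
        ancestor = proot_ancestor(p)
        if ancestor is not None:
            reasons.append(f"runs inside proot pid {ancestor}")
        if p.comm in MINER_NAMES:
            reasons.append("known miner process name")
        if reasons:
            findings.append((p.pid, reasons))
    return findings


# Constructed sample listing (not a capture from a real incident).
SAMPLE_PS = """\
  PID  PPID COMMAND  ARGS
    1     0 systemd  /sbin/init
  842     1 sshd     /usr/sbin/sshd -D
 1337   842 bash     -bash
 2001  1337 proot    ./proot -S /tmp/.rootfs /bin/sh -c ./run.sh
 2002  2001 sh       /bin/sh -c ./run.sh
 2003  2002 xmrig    ./xmrig --config=config.json
 2100     1 cron     /usr/sbin/cron -f
"""

if __name__ == "__main__":
    for pid, reasons in find_byof_indicators(parse_ps(SAMPLE_PS)):
        print(pid, "; ".join(reasons))
```

Two caveats shape the design. Name matching is the weakest signal: a renamed binary defeats both the `proot` and `xmrig` checks, and `comm` is truncated by the kernel, so the parent-chain rule (anything descending from a PRoot process) is the one to rely on. And PRoot has the legitimate uses described above, so a hit is a triage item, with the guest root directory and its download history as the next things to look at.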

Conclusion

Bring Your Own Filesystem (BYOF) attacks are slowly making their way into cybercriminal tactics. These attacks use custom file systems to evade detection, making them particularly difficult to detect and defend against.

Previously witnessed mainly in advanced cyber operations conducted by nation states, such as the ProjectSauron cyber espionage campaign or the Animal Farm malware, this detection evasion tactic has now been spotted, in the form of the PRoot utility, in cryptominer attacks. This is a weak signal that has to be tracked to see whether cybercriminals will embrace it as a new way to make their operations more persistent and scalable.
