Threat actors observed using this technique have hosted the compressed filesystem containing their malware on free file sharing services such as Google Drive, Dropbox, or OneDrive, which makes it readily accessible from victim devices. Organizations should monitor for connections to these file sharing services, especially ones that are not commonly used in the organization's business processes.
Organizations may also find it useful to monitor for execution of the PRoot tool, which is launched from the command line simply as './proot'. The Sysdig researchers noted that in the attacks they observed the malicious filesystems were mounted at "/tmp/PRoot", though they could be placed in a large number of other locations, so that path is a weak indicator on its own. The use of wget or curl followed by a URL containing the string "proot" should be a red flag for this type of attack.
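The indicators from the two paragraphs above (downloads from the named file sharing services, execution of ./proot, references to the "/tmp/PRoot" staging directory, and wget/curl fetching a URL containing "proot") can be turned into a small detection pass over process-execution telemetry. The following is an added example, not code from the original article or from Sysdig; it assumes a JSON-lines feed with `ts`, `cwd` and `cmdline` fields (a constructed shape, not any particular EDR's format), and the hostname list and sample events are constructed for illustration.

```python
import json
import shlex
from urllib.parse import urlparse

# Hosts of the file sharing services named in the article. Assumption: these are the
# download hostnames an analyst would flag; adjust to what your organization actually uses.
FILE_SHARING_HOSTS = {
    "drive.google.com", "docs.google.com",
    "dropbox.com", "dl.dropboxusercontent.com",
    "onedrive.live.com", "1drv.ms",
}

# Directory where Sysdig saw the filesystem placed; attackers can choose any other path.
STAGING_PREFIX = "/tmp/PRoot"
DOWNLOADERS = {"wget", "curl"}


def parse_event(line):
    """Parse one constructed JSON-lines exec event into (ts, cwd, argv)."""
    ev = json.loads(line)
    return ev["ts"], ev.get("cwd", ""), shlex.split(ev["cmdline"])


def _is_file_sharing_host(host):
    host = (host or "").lower()
    return any(host == h or host.endswith("." + h) for h in FILE_SHARING_HOSTS)


def analyze(cwd, argv):
    """Return the names of the detections that fire for one process execution."""
    findings = []
    if not argv:
        return findings
    exe = argv[0].rsplit("/", 1)[-1].lower()
    # (1) the PRoot binary itself, whether run as ./proot or by absolute path
    if exe == "proot":
        findings.append("proot_execution")
    # (2) anything touching the staging directory the researchers observed
    if cwd.startswith(STAGING_PREFIX) or any(a.startswith(STAGING_PREFIX) for a in argv):
        findings.append("proot_staging_path")
    # (3) wget/curl fetching a URL that names proot or points at a file sharing service
    if exe in DOWNLOADERS:
        for arg in argv[1:]:
            if "://" not in arg:
                continue
            if "proot" in arg.lower():
                findings.append("downloader_proot_url")
            if _is_file_sharing_host(urlparse(arg).hostname):
                findings.append("downloader_file_sharing_host")
    return findings


def scan(lines):
    """Run every event through analyze(); return only the events that produced findings."""
    hits = []
    for line in lines:
        ts, cwd, argv = parse_event(line)
        findings = analyze(cwd, argv)
        if findings:
            hits.append({"ts": ts, "cmdline": " ".join(argv), "findings": findings})
    return hits


# Constructed sample events (not real telemetry); hosts and paths are illustrative only.
SAMPLE_LOG = [
    '{"ts":"2022-12-06T10:00:01Z","cwd":"/tmp","cmdline":"curl -sLo proot https://example.invalid/tools/proot"}',
    '{"ts":"2022-12-06T10:00:02Z","cwd":"/tmp","cmdline":"chmod +x ./proot"}',
    '{"ts":"2022-12-06T10:00:03Z","cwd":"/tmp","cmdline":"wget -q https://dl.dropboxusercontent.com/s/constructed/rootfs.tar.gz -O /tmp/PRoot/rootfs.tar.gz"}',
    '{"ts":"2022-12-06T10:00:04Z","cwd":"/tmp/PRoot","cmdline":"./proot -S /tmp/PRoot/rootfs /bin/sh"}',
    '{"ts":"2022-12-06T10:00:05Z","cwd":"/home/alice","cmdline":"wget https://example.org/index.html"}',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["findings"], hit["cmdline"])
```

Run against the sample feed, the first, third and fourth events fire while the chmod and the ordinary wget do not. Each detection is deliberately narrow and each is easy for an attacker to sidestep (a renamed binary, a different directory, a URL without "proot" in it), so they are most useful correlated together or with network telemetry on the file sharing connections rather than as single-event alerts.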
06 Dec

