Bring Your Own Filesystem (BYOF) attacks are a relatively new tactic in cybercrime operation, used to evade detection by security software. In these types of attacks, the attacker brings their own custom filesystem to the victim’s machine, which is then used to launch malware or other malicious payloads. This allows the attacker to bypass traditional security measures that are designed to detect and block known malware.
In this article, we will take a closer look at some real-world examples of BYOF attacks, including the ProjectSauron cyber espionage campaign, the Animal Farm malware group, and a recent cruptominer attack. These examples demonstrate the growing sophistication of attackers and the challenges that security professionals face in trying to detect and block these types of attacks.
What are BYOF attacks?
BYOF (Bring Your Own Filesystem) attacks are a relatively new tactic used by cybercriminals to evade detection by security software. But we can find precedent in sophisticated APT campaign. This is a weak signals that cybersecurity professional must look after, as APT mechanisms can be cybercrime booster by giving them a significant edge against detection and protection mechanisms.
Traditional malware relies on the host operating system’s file system to carry out its malicious activities. However, BYOF attacks circumvent this by creating a custom file system that is separate from the host operating system’s file system. This allows attackers to hide their malicious activities and evade detection by security software that is designed to detect malware on the host operating system’s file system.
To create a custom file system, attackers use tools such as PRoot and QEMU to set up an isolated root file system within the host operating system. This allows them to package all the necessary dependencies, including malware and configuration files, within the custom file system. The custom file system can then be mounted on the host operating system and the malware can be executed without being detected by security software.
Real-world examples of BYOF attacks
Cybersecurity and Threat Intelligence litterature can give us a view of real-word implementation of custom filesystems by malware authors and cyberattacks operators.
Animal Farm and the Dino Malware
Animal Farm is a cyber espionage group that has been active since at least 2011. It is also known as “Snowglobe” in the Snowden’s files and it is known for its advanced malware capabilities. It has been observed to target a wide range of victims, including government organizations and private companies in several countries. The group has been known to use custom malware, including a malware called “Dino’s” which has a custom file system called ramFS to evade detection. It is believed that the group is likely to be state-sponsored.
One of the malware used by this group, called Dino, uses a custom file system called ramFS. This type of file system is present in several droppers used by Animal Farm, allowing the malware to evade detection.
The ProjectSauron advanced Platform
ProjectSauron is a cyber espionage campaign that was uncovered in 2016 by Kaspersky Lab. It is a highly advanced and sophisticated malware platform that is believed to have been used by a nation-state actor for targeted attacks against government organizations and other high-value targets. The attackers used a variety of tactics to compromise victims’ systems, including the use of removable USB devices to move data from air-gapped networks to Internet-connected systems. The malware was able to evade detection by using a custom file system called VFS and by disguising itself as legitimate software. The full extent of the damage caused by ProjectSauron is not known, but it is believed to have been active for at least five years before being discovered.
This cyber espionage campaign used a custom file system, known as a Virtual File System (VFS), to extract encrypted government communications. The attackers used removable USB devices to move data from air-gapped networks to internet-connected systems. Once the networked systems were compromised, the attackers waited for a USB drive to be attached to the infected machine. These USBs were specially formatted to reduce the size of the partition on the disk, reserving an amount of hidden data at the end of the disk for malicious purposes. This reserved space was used to create a new custom-encrypted partition that wouldn’t be recognized by common operating systems such as Windows.
The PRoot cryptomining operation
The PRoot is a Linux utility that allows users to run programs in a chroot-like environment without modifying the host system. This can be useful for running software that is not compatible with the host’s architecture or distribution. PRoot can also be used to create lightweight virtual environments for running applications, similar to containerization. It can also be used for software development and testing, for example, to test software in different linux distributions.
Sysdig, a cybersecurity company, has reported on the use of a utility called PRoot by attackers. The Sysdig report describes a cryptominer operation that uses the xmrig script to mine Monero cryptocurrency on compromised systems. The attackers used the PRoot utility to deploy the malicious filesystem on already compromised systems and package it with the xmrig malware. This method allows the attackers to bypass traditional security measures, making the operation particularly difficult to detect and defend against. The use of PRoot also allows the attackers to scale up their operation quickly, increasing their chances of success, as it allows the cybercriminals to use a toolkit across many OS configurations without having to port their malware to the targeted architecture or include dependencies and build tools.
Using PRoot, the attackers have little regard or concern for the target’s architecture or distribution, since the tool smoothes out the attack struggles often associated with executable compatibility, environment setup, and malware and/or miner execution.
Conclusion
Bring Your Own Filesystem (BYOF) attacks makes slowly its way to cybercriminal tactics. These attacks use custom file systems to evade detection, making them particularly difficult to detect and defend against.
Previously mainly witnessed in advanced cyber operation conducted by nation states, such as ProjectSauron cyber espionage campaign or the Animal Farm malware, the detection evasion tactic as been spotted as a PRoot utility in cryptominer attacks. This is a weak signals that as to be tracked to see if cybercriminal will embrace it as a new way to make there operation more persistent and scalable.
