430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Ezuri memory loader used in Linux and Windows malware

Multiple threat actors have recently started using the Ezuri memory loader as a loader to executes malware directly into the victims’ memory. According to researchers from AT&T’s Alien Labs, malware authors are choosing the Ezuri memory loader for their malicious codes. The Ezuri memory loader tool allows to load and execute a payload directly into […]

Ezuri

Multiple threat actors have recently started using the Ezuri memory loader as a loader to executes malware directly into the victims’ memory.

According to researchers from AT&T’s Alien Labs, malware authors are choosing the Ezuri memory loader for their malicious codes.

The Ezuri memory loader tool allows to load and execute a payload directly into the memory of the infected machine, without writing any file to disk.

Experts pointed out that while this technique common in Windows malware, it is rare in Linux attacks.

“The loader decrypts the malicious malware and executes it using memfd create (as described in this blog in 2018). When creating a process, the system returns a file descriptor to an anonymous file in ‘/proc/PID/fd/’ which is visible only in the filesystem.” reads the post published by AT&T’s Alien Labs.

The loader observed by the researchers in the attacks is written in Golang and borrows the Ezuri code published on GitHub by the user guitmz in March 2019. The user describes its project as a simple Linux ELF Runtime crypter, he wrote the code to demonstrate how to execute the ELF binary files from memory with memfd_create syscall.

The guitmz user also tested its code against VirusTotal to prove that it is able to avoid detection, in particular, he demonstrated that was able to obtain zero rate detection for a known Linux.Cephei sample once it was injected using the Ezuri code (ddbb714157f2ef91c1ec350cdf1d1f545290967f61491404c81b4e6e52f5c41f).

Upon executing the code, it will ask the user the path for the payload to be encrypted and the password to be used for AES encryption to hide the malware within the loader. In case, the password is not provided, the tool generates one. Then the packer compiles the loader with the payload encrypted within it, so it can be decrypted and executed in memory once it is delivered in the targeted system.

Ezuri

In August, the user ‘TMZ,’ likely associated with ‘guitmz,’ posted the same code on a forum where members shared malware.

Researchers from AT&T Alien Labs have identified several malware authors leveraging the Ezuri loader in the last few months, one of them is a threat actor tracked as TeamTNT that has been active since at least since 2020,

The TeamTNT botnet is a crypto-mining malware operation that has been active since April and that targets Docker installs, it is the first cryptomining bot that steals AWS credentials

Experts noticed that the group also used the Ezuri loader that is similar to the original one. 

“In October 2020, Palo Alto Networks Unit42 identified new variants of the cryptomining malware used by TeamTNT named “Black-T.” This sample first installs three network scanners, and then inspects memory in an attempt to retrieve any type of credentials located in the memory. Additionally, Unit42 identified several German-language strings in some of the TNT scripts.” continues the report.

“The last sample identified by Palo Alto Networks Unit42 is actually an Ezuri loader. The decrypted payload is an ELF file packed with UPX, which is a known sample from TeamTNT, first seen in June 2020 (e15550481e89dbd154b875ce50cc5af4b49f9ff7b837d9ac5b5594e5d63966a3).”

In conclusion, the use of this packer is popular for vxers, such as the technique described to load the ELF binaries into memory. Ezuri allows malware authors to improve their operations, increasing the evasion capabilities of known payloads.

“Several malware authors have been using an open source Golang tool to act as a malware loader, using a known technique to load the ELF binaries into memory and avoid using easy-to-detect files on disk.” concludes the report. “The authors use the open source tool Ezuri, to load its previously seen payloads and avoid antivirus detections on the file.”

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Golang)

[adrotate banner=”5″]

[adrotate banner=”13″]