CONFERENCE NOW LIVE: Threat Detection & Incident Response (TDIR) Summit - Join the Event In-Progress
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Endpoint Security

Ezuri Memory Loader Abused in Linux Attacks

Security researchers at AT&T’s Alien Labs have identified multiple malware attacks leveraging the Ezuri memory loader to execute payloads without writing them to disk. 

Security researchers at AT&T’s Alien Labs have identified multiple malware attacks leveraging the Ezuri memory loader to execute payloads without writing them to disk. 

Executed directly in memory, without leaving traces on disk, fileless malware is commonly used in attacks targeting Windows systems, but isn’t often seen in malware attacks targeting Linux. 

As part of the observed attacks, Ezuri is used to decrypt the malicious payloads and leverage memfd create to execute them, Ofer Caspi and Fernando Martinez of AT&T Alien Labs explain.

Written in Golang, the loader is based on the “Ezuri” code published on GitHub by a user going by the online handler of guitmz. The ELF loader was initially created around March 2019, with the same code posted again in August on a small forum, by a user named ‘TMZ’. 

The tool first requests a path for the payload to be encrypted and a password for the AES encryption (though it can generate one if none is provided). Next, it compiles the loader with the payload encrypted within. The user needs to provide the file to be hidden, as well as a target process name and an AES key for encryption (optional). 

Over the past few months, several malware authors used the Ezuri loader, including TeamTNT, a cybercrime group focused on injecting distributed denial-of-service malware and crypto-miners into victim machines. 

Active since at least April 2020, the group appears to have evolved towards the end of the year, with new crypto-mining malware (named Black-T) designed to install network scanners and retrieve credentials from memory. 

One of the samples used by the group, however, is actually an Ezuri loader, based on code similarities with the original tool, AT&T’s researchers say. 

Advertisement. Scroll to continue reading.

The packer also helps malware authors lower antivirus detection for their payloads, the researchers note. 

Several samples of the distributed denial of service-capable Internet of Things (IoT) bot Gafgyt were also observed using the Ezuri loader and packer. 

Related: Schneider Electric Warns Customers of Drovorub Linux Malware

Related: BleedingTooth: Vulnerabilities in Linux Bluetooth Allow Zero-Click Attacks

Related: Kinsing Linux Malware Deploys Crypto-Miner in Container Environments

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Jeremy Koppen has left Mandiant after 13 years to become the CISO of Equifax.

Engineering and technology solutions provider Amentum has appointed Max Shier as its CISO.

PAM provider Keeper Security has appointed Shane Barney as its Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.