Ezuri Memory Loader Abused in Linux Attacks
Security researchers at AT&T’s Alien Labs have identified multiple malware attacks leveraging the Ezuri memory loader to execute payloads without writing them to disk.
Executed directly in memory, without leaving traces on disk, fileless malware is commonly used in attacks targeting Windows systems, but isn’t often seen in malware attacks targeting Linux.
As part of the observed attacks, Ezuri is used to decrypt the malicious payloads and leverage memfd create to execute them, Ofer Caspi and Fernando Martinez of AT&T Alien Labs explain.
Written in Golang, the loader is based on the “Ezuri” code published on GitHub by a user going by the online handler of guitmz. The ELF loader was initially created around March 2019, with the same code posted again in August on a small forum, by a user named ‘TMZ’.
The tool first requests a path for the payload to be encrypted and a password for the AES encryption (though it can generate one if none is provided). Next, it compiles the loader with the payload encrypted within. The user needs to provide the file to be hidden, as well as a target process name and an AES key for encryption (optional).
Over the past few months, several malware authors used the Ezuri loader, including TeamTNT, a cybercrime group focused on injecting distributed denial-of-service malware and crypto-miners into victim machines.
Active since at least April 2020, the group appears to have evolved towards the end of the year, with new crypto-mining malware (named Black-T) designed to install network scanners and retrieve credentials from memory.
One of the samples used by the group, however, is actually an Ezuri loader, based on code similarities with the original tool, AT&T’s researchers say.
The packer also helps malware authors lower antivirus detection for their payloads, the researchers note.
Several samples of the distributed denial of service-capable Internet of Things (IoT) bot Gafgyt were also observed using the Ezuri loader and packer.