Ezuri Memory Loader Abused in Linux Attacks

guest · Jan 8, 2021

Ezuri Memory Loader Abused in Linux Attacks
Security researchers at AT&T’s Alien Labs have identified multiple malware attacks leveraging the Ezuri memory loader to execute payloads without writing them to disk
January 7, 2021
https://www.securityweek.com/ezuri-memory-loader-abused-linux-attacks

Executed directly in memory, without leaving traces on disk, fileless malware is commonly used in attacks targeting Windows systems, but isn’t often seen in malware attacks targeting Linux.

As part of the observed attacks, Ezuri is used to decrypt the malicious payloads and leverage memfd create to execute them, Ofer Caspi and Fernando Martinez of AT&T Alien Labs explain.
Written in Golang, the loader is based on the "Ezuri" code published on GitHub by a user going by the online handler of guitmz. The ELF loader was initially created around March 2019, with the same code posted again in August on a small forum, by a user named ‘TMZ’.
Click to expand...

Over the past few months, several malware authors used the Ezuri loader, including TeamTNT, a cybercrime group focused on injecting distributed denial-of-service malware and crypto-miners into victim machines.

The packer also helps malware authors lower antivirus detection for their payloads, the researchers note.
Click to expand...

AT&T Alien Labs: Malware using new Ezuri memory loader

Multiple threat actors have recently started using a Go language (Golang) tool to act as a packer and avoid Antivirus detection. Additionally, the Ezuri memory loader tool acts as a malware loader and executes its payload in memory, without writing the file to disk. While this technique is known and commonly used by Windows malware, it is less popular in Linux environments.
Click to expand...

Log in or Sign up

Ezuri Memory Loader Abused in Linux Attacks

guest Guest

Log in or Sign up

Ezuri Memory Loader Abused in Linux Attacks

guest Guest

Useful Searches