New BYOF technique discovered: cryptomining with PRoot
Blog post from Sysdig
Researchers from the Sysdig Threat Research Team found threat actors using PRoot, an open-source tool, to run the same cryptomining toolkit across many Linux distributions without adapting it to each target. PRoot is a user-space implementation of chroot, mount --bind and binfmt_misc built on ptrace: it needs no root privileges, gives the payload a consistent root filesystem regardless of the host's libraries and package layout, and, with QEMU user-mode emulation, can even run binaries built for a different architecture. This sidesteps the compatibility problems that normally force an attacker to maintain one build of their tooling per environment.

The technique, which Sysdig calls "bring your own filesystem" (BYOF), works as follows. The attacker prepares a filesystem image on their own infrastructure, packed with everything the operation needs (typically XMRig plus supporting tools), drops it together with a PRoot binary onto the compromised host, and launches the payload inside that filesystem with a single PRoot command. Because nothing has to be installed or compiled on the victim, the intrusion needs only a handful of commands, scales across heterogeneous hosts, and is harder to spot than a conventional multi-step install. Cryptominers, and XMRig in particular, are the usual payload because mining turns stolen compute directly into income.

PRoot does not hide from the kernel: it works by intercepting the payload's system calls with ptrace, so the host still sees every process and syscall. Runtime security tools such as Falco can therefore detect the technique by alerting on the execution of PRoot itself (and on the processes spawned beneath it), letting organisations stop the activity early and avoid the compute bill that cryptomining otherwise runs up. A rule keyed only on the process name is easy to defeat by renaming the binary, so a detection should also consider where the executable and its root filesystem live and what gets launched inside it.
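To make the detection side concrete, here is an added example (not code from Sysdig, the Falco project or the PRoot project) that applies the ideas above to exec events in the shape of Falco's JSON output, where each line is a JSON object with the matched fields under "output_fields". The sample lines are constructed for the example, and the field names used (proc.name, proc.pname, proc.exepath, proc.cmdline, evt.type) are assumed to be present in the event output. It goes slightly beyond the summary by remembering the root filesystem passed to PRoot with -r/--rootfs so that anything later executed from inside that tree (a miner, for instance) is flagged even if its parent is no longer the proot process.

```python
"""Flag PRoot/BYOF activity in Falco-style JSON exec events.

Added example; not Sysdig's, Falco's or PRoot's own code. Assumes Falco-like
JSON lines with an "output_fields" map (constructed samples below).
"""
import json
import os
import shlex

# Constructed sample events (not real telemetry). Event 2 is a PRoot launch
# from a hidden /tmp directory, event 3 is XMRig running from inside that
# root filesystem, event 4 is a developer using a packaged proot legitimately.
SAMPLE_EVENTS = """\
{"rule":"exec","output_fields":{"evt.type":"execve","proc.name":"bash","proc.pname":"sshd","proc.exepath":"/usr/bin/bash","proc.cmdline":"bash","user.name":"deploy"}}
{"rule":"exec","output_fields":{"evt.type":"execve","proc.name":"proot","proc.pname":"bash","proc.exepath":"/tmp/.x/proot","proc.cmdline":"proot -r /tmp/.x/rootfs -0 -b /proc -b /dev /bin/sh","user.name":"deploy"}}
{"rule":"exec","output_fields":{"evt.type":"execve","proc.name":"xmrig","proc.pname":"sh","proc.exepath":"/tmp/.x/rootfs/usr/bin/xmrig","proc.cmdline":"xmrig -o pool.example:3333","user.name":"deploy"}}
{"rule":"exec","output_fields":{"evt.type":"execve","proc.name":"proot","proc.pname":"bash","proc.exepath":"/usr/bin/proot","proc.cmdline":"proot -r /home/dev/alpine /bin/sh","user.name":"dev"}}
"""

# Assumed policy: world-writable staging areas raise the priority.
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
# Assumed list of miner process names worth escalating on.
MINER_NAMES = {"xmrig", "minerd", "cpuminer"}


def rootfs_from_cmdline(cmdline):
    """Return the -r/--rootfs argument of a proot command line, or None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    for i, arg in enumerate(argv):
        if arg in ("-r", "--rootfs") and i + 1 < len(argv):
            return os.path.normpath(argv[i + 1])
        if arg.startswith("--rootfs="):
            return os.path.normpath(arg.split("=", 1)[1])
    return None


def detect(lines):
    """Return (priority, reason, cmdline) findings for PRoot/BYOF indicators."""
    known_rootfs = []   # root filesystems handed to proot so far
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        f = json.loads(line)["output_fields"]
        if f.get("evt.type") != "execve":
            continue
        name = f.get("proc.name", "")
        exe = f.get("proc.exepath", "")
        pname = f.get("proc.pname", "")
        cmd = f.get("proc.cmdline", "")

        # Direct indicator: proot itself being executed.
        if name == "proot" or os.path.basename(exe) == "proot":
            rootfs = rootfs_from_cmdline(cmd)
            if rootfs:
                known_rootfs.append(rootfs.rstrip("/") + "/")
            prio = "WARNING"
            if exe.startswith(SUSPICIOUS_DIRS) or (rootfs or "").startswith(SUSPICIOUS_DIRS):
                prio = "CRITICAL"
            findings.append((prio, "proot executed", cmd))
            continue

        # Derived indicator: something executing from inside a PRoot root
        # filesystem (the kernel sees the host path) or directly under proot.
        inside = next((r for r in known_rootfs if exe.startswith(r)), None)
        if inside or pname == "proot":
            prio = "CRITICAL" if name in MINER_NAMES else "WARNING"
            where = inside or "(parent is proot)"
            findings.append((prio, f"process under PRoot filesystem {where}", cmd))
    return findings


if __name__ == "__main__":
    for prio, reason, cmd in detect(SAMPLE_EVENTS.splitlines()):
        print(f"{prio}: {reason}: {cmd}")
```

Run against the constructed sample, the first line produces nothing, the hidden-directory PRoot launch and the XMRig execution from inside its rootfs are reported as CRITICAL, and the packaged proot run from a home directory is reported only as a WARNING, which is the kind of triage a rule keyed purely on the process name cannot do.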