
Linux malware authors use Ezuri Golang crypter for zero detection






Multiple malware authors are using the "Ezuri" crypter and memory loader to make their code undetectable to antivirus products.


Source code for Ezuri, written in Golang, is available on GitHub for anyone to use.

Ezuri decrypts malware payload within memory

According to a report released by AT&T Alien Labs, multiple threat actors are using the Ezuri crypter to pack their malware and evade antivirus detection.


Although Windows malware has been known to deploy similar tactics, threat actors are now using Ezuri to infiltrate Linux environments as well.


Written in Go, Ezuri acts both as a crypter and loader for ELF (Linux) binaries. Using AES, it encrypts the malware code and, on decryption, executes the malicious payload directly within memory without generating any files on the disk.



Figure: Ezuri decrypts malicious code within memory without generating any file on disk (Source: AT&T Alien Labs)


Guilherme Thomazi Bonicontro ('guitmz'), a systems engineer and Ezuri's creator, open-sourced the ELF loader on GitHub in 2019 and debuted the tool in a blog post.

"Additionally, a similar user ‘TMZ’ (presumably associated with the previously mentioned ‘guitmz’) posted this same code in late August, on a small forum where malware samples are shared," state researchers Ofer Caspi and Fernando Martinez of AT&T Alien Labs.

The crypter remains open to experimentation by security professionals, pen-testers, and adversaries.


The researchers noted that after decrypting the AES-encrypted payload, Ezuri immediately passes the resulting code to the runFromMemory function as an argument, without dropping malware files anywhere on the infected system.
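A defender-side consequence of this in-memory execution is that the running payload has no backing file on disk. The following scan is an added example (not code from the article, from AT&T Alien Labs, or from the Ezuri project); it assumes that a memory-only ELF image shows up in `/proc/<pid>/exe` as a `memfd:` pseudo-path or as a path already marked `(deleted)`, which is how the Linux kernel exposes anonymous memory-backed executables, and flags such processes for triage.

```python
import os
import re
from typing import Dict, List, Optional

# Assumption (not taken from the Ezuri source): a loader that decrypts an
# ELF in memory and executes it without writing to disk leaves the process's
# /proc/<pid>/exe link pointing at "/memfd:<name> (deleted)" or at a path
# that no longer exists on disk, rather than at a regular file.
MEMFD_RE = re.compile(r"^/memfd:(?P<name>.*?)( \(deleted\))?$")


def classify_exe_target(target: str) -> Optional[str]:
    """Return a finding label for a /proc/<pid>/exe link target, or None."""
    m = MEMFD_RE.match(target)
    if m:
        return f"memfd-backed executable ({m.group('name') or 'unnamed'})"
    if target.endswith(" (deleted)"):
        return "executable deleted after launch"
    return None


def scan_proc(proc_root: str = "/proc") -> List[Dict[str, str]]:
    """Walk proc_root and report processes running from memory-only images."""
    findings: List[Dict[str, str]] = []
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, pid, "exe"))
            with open(os.path.join(proc_root, pid, "comm")) as fh:
                comm = fh.read().strip()
        except OSError:
            # Process exited between listing and read, or no permission
            # (kernel threads and other users' processes); skip quietly.
            continue
        label = classify_exe_target(target)
        if label:
            findings.append({"pid": pid, "comm": comm, "exe": target, "finding": label})
    return findings


if __name__ == "__main__":
    # Run as root for full coverage; unprivileged runs only see own processes.
    for f in scan_proc():
        print(f"[!] pid={f['pid']} comm={f['comm']} exe={f['exe']}: {f['finding']}")
```

Legitimate software (some runtimes and package managers) also uses memfd or replaces its binary while running, so treat a hit as a lead for triage, not as a verdict.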



Near-zero detection rate on VirusTotal

Malware samples that were typically detected by about 50% of antivirus engines on VirusTotal yielded 0 detections when encrypted with Ezuri, at the time of AT&T's research.


Even today, as observed by BleepingComputer, the Ezuri-packed sample has less than a 5% detection rate on VirusTotal.




Actively used by multiple threat actors

During the last few months, Caspi and Martinez identified several malware authors that pack their samples with Ezuri.


These include the cybercrime group TeamTnT, active since at least April 2020.


TeamTnT is known to attack misconfigured Docker instances and exposed APIs to turn vulnerable systems into DDoS bots and cryptominers.


Later variants of TeamTnT's malware, such as "Black-T", which installs network scanners on infected systems and extracts AWS credentials from memory, were also found to be laced with Ezuri.


According to the AT&T researchers, "the last [Black-T] sample identified by Palo Alto Networks Unit42 is actually an Ezuri loader."

"The decrypted payload is an ELF file packed with UPX, which is a known sample from TeamTNT, first seen in June 2020."

The researchers also noticed the presence of the 'ezuri' string in multiple Ezuri-packed binaries.


Ezuri's Indicators of Compromise (IOCs), YARA detection rules, and more information can be found in the blog post published by AT&T Alien Labs.



Source: Linux malware authors use Ezuri Golang crypter for zero detection
