Multiple malware authors are using the “Ezuri” crypter and memory loader to make their code undetectable to antivirus products.
Source code for Ezuri, written in Golang, is available on GitHub for anyone to use.
Ezuri decrypts malware payload within memory
According to a report released by AT&T Alien Labs, multiple threat actors are using Ezuri crypter to pack their malware and evade antivirus detection.
Although Windows malware has long used similar tactics, threat actors are now using Ezuri to infiltrate Linux environments as well.
Written in Go, Ezuri acts both as a crypter and loader for ELF (Linux) binaries. Using AES, it encrypts the malware code and, on decryption, executes the malicious payload directly within memory without generating any files on the disk.
“Additionally, a similar user ‘TMZ’ (presumably associated with the previously mentioned ‘guitmz’) posted this same code in late August, on a small forum where malware samples are shared,” state researchers Ofer Caspi and Fernando Martinez of AT&T Alien Labs.
The crypter remains open to experimentation by security professionals, pen-testers, and adversaries.
The researchers noted that after decrypting the AES-encrypted payload, Ezuri immediately passes the resulting code as an argument to the runFromMemory function, without dropping malware files anywhere on the infected system.
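A host-side check a defender can run against the behaviour described above, written for this article as an added example (it is not code from the article or from Ezuri). The article does not detail how the in-memory execution is implemented, so the example assumes the usual Linux pattern of running an ELF from an anonymous memory file, which the kernel exposes in /proc/PID/exe as `/memfd:<name> (deleted)`; the function names and the procfs root parameter are my own.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// exeLooksMemoryBacked reports whether a /proc/<pid>/exe link target points at
// an executable that has no regular file on disk. An ELF started from an
// anonymous memory file (memfd_create) resolves to "/memfd:<name> (deleted)";
// a binary unlinked right after launch resolves to "<path> (deleted)".
func exeLooksMemoryBacked(target string) bool {
	if strings.HasPrefix(target, "/memfd:") {
		return true
	}
	return strings.HasSuffix(target, " (deleted)")
}

// suspiciousProcesses walks a procfs tree (normally "/proc") and returns the
// PIDs, with their exe targets, whose main executable is not backed by a file.
func suspiciousProcesses(procRoot string) (map[int]string, error) {
	entries, err := os.ReadDir(procRoot)
	if err != nil {
		return nil, err
	}
	found := make(map[int]string)
	for _, e := range entries {
		pid, err := strconv.Atoi(e.Name())
		if err != nil {
			continue // not a process directory (self, sys, net, ...)
		}
		target, err := os.Readlink(filepath.Join(procRoot, e.Name(), "exe"))
		if err != nil {
			continue // kernel threads, or processes we lack permission to inspect
		}
		if exeLooksMemoryBacked(target) {
			found[pid] = target
		}
	}
	return found, nil
}

func main() {
	hits, err := suspiciousProcesses("/proc")
	if err != nil {
		fmt.Fprintln(os.Stderr, "cannot read /proc:", err)
		os.Exit(1)
	}
	for pid, target := range hits {
		fmt.Printf("pid %d runs from %s\n", pid, target)
	}
}
```

Run it as root to see every process; a hit is a lead to triage, not proof of compromise, since legitimate software (JITs, hot-updated daemons) can also run from deleted or memory-backed files.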
Near-zero detection rate on VirusTotal
Malware samples that were typically detected by about 50% of antivirus engines on VirusTotal yielded zero detections once encrypted with Ezuri, at the time of AT&T’s research.
Even today, as observed by BleepingComputer, the Ezuri-packed sample has less than a 5% detection rate on VirusTotal.
Actively used by multiple threat actors
During the last few months, Caspi and Martinez identified several malware authors that pack their samples with Ezuri.
TeamTNT is known to attack misconfigured Docker instances and exposed APIs to turn vulnerable systems into DDoS bots and cryptominers.
Later variants of TeamTNT’s malware, such as “Black-T”, which installs network scanners on infected systems and extracts AWS credentials from memory, were also found to be laced with Ezuri.
According to the AT&T researchers, “the last [Black-T] sample identified by Palo Alto Networks Unit42 is actually an Ezuri loader.”
“The decrypted payload is an ELF file packed with UPX, which is a known sample from TeamTNT, first seen in June 2020.”
The researchers also noticed the presence of the ‘ezuri’ string in multiple Ezuri-packed binaries.
Ezuri’s Indicators of Compromise (IOCs), YARA detection rules, and more information can be found in the blog post published by AT&T Alien Labs.