
Multiple malware authors are using the “Ezuri” crypter and memory loader to make their code undetectable to antivirus products.

Source code for Ezuri, written in Golang, is available on GitHub for anyone to use.

Ezuri decrypts malware payload within memory

According to a report released by AT&T Alien Labs, multiple threat actors are using Ezuri crypter to pack their malware and evade antivirus detection.

Although Windows malware has long been known to use similar tactics, threat actors are now using Ezuri to infiltrate Linux environments as well.

Written in Go, Ezuri acts both as a crypter and loader for ELF (Linux) binaries. Using AES, it encrypts the malware code and, on decryption, executes the malicious payload directly within memory without generating any files on the disk.

Ezuri decrypts malicious code within memory without generating any file on disk
Source: AT&T Alien Labs

Systems engineer and Ezuri’s creator, Guilherme Thomazi Bonicontro (‘guitmz’), open-sourced the ELF loader on GitHub in 2019 and debuted the tool in a blog post.

“Additionally, a similar user ‘TMZ’ (presumably associated with the previously mentioned ‘guitmz’) posted this same code in late August, on a small forum where malware samples are shared,” state researchers Ofer Caspi and Fernando Martinez of AT&T Alien Labs.

The crypter remains open to experimentation by security professionals, pen-testers, and adversaries.

The researchers noted that after decrypting the AES-encrypted payload, Ezuri immediately passes the resulting code to its runFromMemory function as an argument, without dropping malware files anywhere on the infected system.

Ezuri’s runFromMemory function
Source: AT&T Alien Labs

Near-zero detection rate on VirusTotal

Malware samples that were typically detected by about 50% of antivirus engines on VirusTotal yielded 0 detections when encrypted with Ezuri, at the time of AT&T’s research.

Even today, as observed by BleepingComputer, the Ezuri-packed sample has less than a 5% detection rate on VirusTotal.

Ezuri-packed malware sample with near-zero detections on VirusTotal
Image source: BleepingComputer

Actively used by multiple threat actors

During the last few months, Caspi and Martinez identified several malware authors that pack their samples with Ezuri.

These include the cybercrime group TeamTNT, active since at least April 2020.

TeamTNT is known to attack misconfigured Docker instances and exposed APIs to turn vulnerable systems into DDoS bots and cryptominers.

Later variants of TeamTNT’s malware, such as “Black-T”, which installs network scanners on infected systems and extracts AWS credentials from memory, were also found to be laced with Ezuri.

According to the AT&T researchers, “the last [Black-T] sample identified by Palo Alto Networks Unit42 is actually an Ezuri loader.”

“The decrypted payload is an ELF file packed with UPX, which is a known sample from TeamTNT, first seen in June 2020.”

The researchers also noticed the presence of the ‘ezuri’ string in multiple Ezuri-packed binaries.
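The two observations above, the in-memory execution described in the runFromMemory section and the ‘ezuri’ string seen in packed binaries, translate into a simple triage script. This is an added example, not code from the article or from the Ezuri project; it assumes the loader runs the decrypted ELF from an anonymous memfd file (which Linux reports as `/memfd:… (deleted)` in `/proc/<pid>/exe`), a detail the article does not state, and the Go-linker strings it looks for are a heuristic.

```python
import os
import re

# String the AT&T researchers observed inside multiple Ezuri-packed binaries.
EZURI_MARKER = b"ezuri"
# Strings a Go linker typically leaves in an ELF image (heuristic, not proof).
GO_MARKERS = (b"Go build ID:", b".note.go.buildid")
# A process executed from an anonymous in-memory file shows its executable as
# "/memfd:<name> (deleted)". Assumption: the loader uses memfd for execution.
MEMFD_EXE = re.compile(r"^/memfd:.*\(deleted\)$")


def triage_elf(data: bytes) -> dict:
    """Static triage of a candidate loader image (raw bytes, not a path)."""
    return {
        "is_elf": data[:4] == b"\x7fELF",
        "go_build": any(m in data for m in GO_MARKERS),
        "ezuri_marker": EZURI_MARKER in data.lower(),
    }


def is_memfd_backed(exe_link: str) -> bool:
    """True when a /proc/<pid>/exe target points at an anonymous memfd file."""
    return MEMFD_EXE.match(exe_link) is not None


def find_memfd_processes(exe_links: dict) -> list:
    """Given {pid: readlink('/proc/<pid>/exe')}, return the fileless PIDs."""
    return sorted(pid for pid, link in exe_links.items() if is_memfd_backed(link))


def read_proc_exe_links(proc_root: str = "/proc") -> dict:
    """Collect /proc/<pid>/exe targets; entries we cannot read are skipped."""
    links = {}
    for entry in os.listdir(proc_root):
        if entry.isdigit():
            try:
                links[int(entry)] = os.readlink(os.path.join(proc_root, entry, "exe"))
            except OSError:
                continue
    return links


# Constructed sample: a fake ELF header followed by Go and Ezuri marker strings.
SAMPLE_LOADER = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b'Go build ID: "x"\x00EZURI\x00'

if __name__ == "__main__":
    print(triage_elf(SAMPLE_LOADER))
    for pid in find_memfd_processes(read_proc_exe_links()):
        print(f"memfd-backed process: pid {pid}")
```

A memfd-backed process is not malicious by itself (some legitimate tooling uses the same mechanism), so treat a hit as a lead for dumping and inspecting that process, not as a verdict.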

Ezuri’s Indicators of Compromise (IOCs), YARA detection rules, and more information can be found in the blog post published by AT&T Alien Labs.