
Ezuri Loader

Created in 2018, Ezuri is a payload encryption and loading tool (a combined crypter and loader) published on GitHub. Although its author states that it is intended for penetration testing, it has been used in several cryptomining and DDoS campaigns as a first-stage implant to evade detection.




Affected platforms

The following platforms are known to be affected:

  • Linux
  • Windows

Threat details

Introduction

Created in 2018, Ezuri is a Go-based combined crypter and loader: it encrypts an arbitrary payload, embeds it in a loader binary, and executes it discreetly in both Windows and Linux environments.

Whilst Ezuri's author apparently intends the tool to be used for legitimate purposes, a number of ongoing malware campaigns have been observed using the loader as a first stage to wrap their real payloads. Most notably, the TeamTNT advanced persistent threat group are using it in an ongoing cryptomining campaign.


Delivery

Ezuri has no delivery mechanism of its own. It is a first-stage wrapper for a campaign's real payload, so it arrives by whichever vector the campaign operators choose, and there is no single delivery indicator to look for.


Activities

When building a sample, Ezuri takes the path of the payload to embed and an AES key with which it encrypts that payload inside the resulting loader binary. If no key is supplied, one is generated automatically. Because the loader must decrypt the payload at runtime, the key material necessarily travels inside the loader itself: the encryption hinders static scanning of the embedded payload but does not stop an analyst who holds the sample from recovering it.

On execution, either immediately or after an operator-defined delay, Ezuri decrypts its embedded payload and runs it directly from memory. On Linux this is done through an anonymous in-memory file created with memfd_create rather than by writing the decrypted binary to disk, so the payload never exists as a file for on-access scanners to inspect; the decrypted image is only observable in the running process.


Remediation advice

To prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.


Indicators of compromise

Host indicators

SHA256 hashes

  • 0a569366eeec52380b4462b455cacc9a788c2a7883b0a9965d20f0422dfc44df
  • 35308b8b770d2d4f78299262f595a0769e55152cb432d0efc42292db01609a18
  • 751014e0154d219dea8c2e999714c32fd98f817782588cd7af355d2488eb1c80
  • b494ca3b7bae2ab9a5197b81e928baae5b8eac77dfdc7fe1223fee8f27024772
  • ddbb714157f2ef91c1ec350cdf1d1f545290967f61491404c81b4e6e52f5c41f
  • e15550481e89dbd154b875ce50cc5af4b49f9ff7b837d9ac5b5594e5d63966a3
  • e1836676700121695569b220874886723abff36bbf78a0ec41cce73f72c52085
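The script below puts the two detection opportunities on this page to work: the SHA256 host indicators listed above, and the loader's behaviour of running its decrypted payload from memory rather than from a file on disk. It is an added example written for this page, not code from Ezuri's author or from NHS Digital. It assumes a Linux host with procfs for the process check and treats a `/proc/<pid>/exe` link of the form `/memfd:<name> (deleted)` as the signature of an executable backed by an anonymous memory file; the file-hash scan works on any platform. The sample file written in the test is constructed for the example.

```python
"""Hunt for Ezuri-style loaders on a host.

Two checks: (1) hash every regular file under a directory tree against the
SHA256 indicators from the advisory; (2) on Linux, list processes whose
executable image is an anonymous memory file (memfd), which is how a payload
decrypted and executed from memory rather than from disk shows up in procfs.
"""
import hashlib
import os
from pathlib import Path
from typing import Dict, List, Optional, Set, Union

PathLike = Union[str, os.PathLike]

# SHA256 host indicators published in the advisory above.
EZURI_SHA256: Set[str] = {
    "0a569366eeec52380b4462b455cacc9a788c2a7883b0a9965d20f0422dfc44df",
    "35308b8b770d2d4f78299262f595a0769e55152cb432d0efc42292db01609a18",
    "751014e0154d219dea8c2e999714c32fd98f817782588cd7af355d2488eb1c80",
    "b494ca3b7bae2ab9a5197b81e928baae5b8eac77dfdc7fe1223fee8f27024772",
    "ddbb714157f2ef91c1ec350cdf1d1f545290967f61491404c81b4e6e52f5c41f",
    "e15550481e89dbd154b875ce50cc5af4b49f9ff7b837d9ac5b5594e5d63966a3",
    "e1836676700121695569b220874886723abff36bbf78a0ec41cce73f72c52085",
}


def sha256_file(path: PathLike, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root: PathLike, iocs: Optional[Set[str]] = None) -> Dict[str, str]:
    """Return {path: sha256} for regular files under root whose hash is an IoC.

    Symlinks are not followed and unreadable files are skipped, so a single
    permission error does not abort a whole scan.
    """
    wanted = EZURI_SHA256 if iocs is None else iocs
    hits: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digest = sha256_file(path)
            except OSError:
                continue
            if digest in wanted:
                hits[path] = digest
    return hits


def is_memfd_exe(link_target: str) -> bool:
    """True when a readlink of /proc/<pid>/exe points at an anonymous memory file.

    The kernel renders such targets as '/memfd:<name> (deleted)'; a binary
    started from a path on disk shows that path instead.
    """
    return link_target.startswith("/memfd:")


def find_memfd_processes(proc_root: PathLike = "/proc") -> List[Dict[str, str]]:
    """List Linux processes whose executable image is memfd-backed."""
    findings: List[Dict[str, str]] = []
    proc = Path(proc_root)
    if not proc.is_dir():
        return findings  # not Linux, or procfs is unavailable
    for entry in proc.iterdir():
        if not entry.name.isdigit():
            continue
        try:
            target = os.readlink(entry / "exe")
            raw = (entry / "cmdline").read_bytes()
        except OSError:
            continue  # process exited, or we lack permission (run as root for full coverage)
        if is_memfd_exe(target):
            cmdline = raw.replace(b"\0", b" ").decode(errors="replace").strip()
            findings.append({"pid": entry.name, "exe": target, "cmdline": cmdline})
    return findings


if __name__ == "__main__":
    import sys

    root = sys.argv[1] if len(sys.argv) > 1 else "/tmp"
    for path, digest in scan_tree(root).items():
        print(f"IOC match {digest} {path}")
    for proc in find_memfd_processes():
        print(f"memfd-backed process pid={proc['pid']} exe={proc['exe']} cmdline={proc['cmdline']!r}")
```

Run it as root so every process's `exe` link is readable. A memfd-backed executable is unusual on a server but has legitimate uses, so treat a hit as a lead to triage rather than a verdict; while the process is alive, a copy of `/proc/<pid>/exe` gives the decrypted payload, which is the only place it exists once the loader has run.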


Last edited: 14 January 2021 3:19 pm