Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Linux Malware Authors Use Ezuri Golang Crypter For Zero Detection

Linux Malware Authors Use Ezuri Golang Crypter For Zero Detection

Multiple malware authors are using the “Ezuri” crypter and memory loader to make their code undetectable to antivirus products.

Source code for Ezuri, written in Golang, is available on GitHub for anyone to use.

Ezuri decrypts malware payload within memory

According to a report released by AT&T Alien Labs, multiple threat actors are using Ezuri crypter to pack their malware and evade antivirus detection.

Although Windows malware have been known to deploy similar tactics, threat actors are now using Ezuri for infiltrating Linux environments as well.

Written in Go, Ezuri acts both as a crypter and loader for ELF (Linux) binaries. Using AES, it encrypts the malware code and, on decryption, executes the malicious payload directly within memory without generating any files on the disk.

Also Read: What Do 4 Messaging Apps Get From You? Read The iOS Privacy App Labels

Ezuri decrypts malicious code within memory without generating any file on disk
Source: AT&T Alien Labs

Systems engineer and Ezuri’s creator, Guilherme Thomazi Bonicontro (‘guitmz’), had open-sourced the ELF loader on GitHub in 2019 and debuted the tool in his blog post.

In an email interview, Bonicontro aka TMZ shared with BleepingComputer that he is a malware researcher and creates research tools for spreading awareness and helping defenders.

“I’m an independant malware researcher, I do this as one of my hobbies only. The goal of my work is simply to learn and bring awareness on diverse PoC attack and defense techniques, but never cause any damage. As a rule of thumb, I always share samples of my projects with antivirus companies and I never release code with destructive payload or anything with sophisticated replication capabilities. I believe knowledge should be accessible to everyone and each individual should be responsible for their own actions to sleep well at night.”

“Unfortunately, if anything, this reinforces the fact that the security industry needs to invest more on Linux threat detection and that threat actors are more active than ever,” Bonicontro told BleepingComputer.

Researchers Ofer Caspi and Fernando Martinez of AT&T Alien Labs noted after decrypting the AES-encrypted payload, Ezuri immediately passes the resulting code to the runFromMemory function as an argument without dropping malware files anywhere on the infected system.

Ezuri’s runFromMemory function
Source: AT&T Alien Labs

Near-zero detection rate on VirusTotal

Malware samples which were typically detected by about 50% of antivirus engines on VirusTotal, yielded 0 detections when encrypted with Ezuri, at the time of AT&T’s research.

Even today, as observed by BleepingComputer, the Ezuri-packed sample has less than a 5% detection rate on VirusTotal.

Ezuri-packed malware sample with near-zero detections on VirusTotal
Image source: BleepingComputer

Also Read: Key PDPA Amendments 2019/2020 You Should Know

Actively used by multiple threat actors

During the last few months, Caspi and Martinez identified several malware authors that pack their samples with Ezuri.

These include the cybercrime group, TeamTnT, active since at least April 2020.

TeamTnT is known to attack misconfigured Docker instances and exposed APIs to turn vulnerable systems into DDoS bots and cryptominers.

Later variants of TeamTnT’s malware, such as “Black-T” that install network scanners on infected systems and extract AWS credentials from memory were also found to be laced with Ezuri.

According to the AT&T researchers, “the last [Black-T] sample identified by Palo Alto Networks Unit42 is actually an Ezuri loader.”

“The decrypted payload is an ELF file packed with UPX, which is a known sample from TeamTNT, first seen in June 2020.”

The researchers also noticed the presence of the ‘ezuri’ string in multiple Ezuri-packed binaries.

Ezuri’s Indicators of Compromise (IOCs), YARA detection rules, and more information can be found in the blog post published by AT&T Alien Labs.

Additionally, Craig H. Rowland of Sandfly Security has provided tips on how to detect and mitigate Linux fileless malware like these in your environment.

Update 7-Jan-2020: Added statement from malware researcher and Ezuri creator, Bonicontro/TMZ



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us