A new fileless malware named PyLoose targets cloud workloads to hijack their compute resources for Monero cryptocurrency mining.
PyLoose is a relatively simple Python script with a precompiled, base64-encoded XMRig miner, a widely abused open-source tool that uses CPU power to solve the complex algorithms needed for cryptomining.
According to Wiz researchers, running PyLoose directly from memory makes it incredibly stealthy and difficult for security tools to detect.
Fileless malware leaves no physical footprints on system disks, so it is less vulnerable to signature-based detection and usually uses legitimate (living off the ground) system tools to inject malicious code into legitimate processes .
Wiz security researchers first detected PyLoose attacks in the wild on June 22, 2023, and have since confirmed at least 200 cases of compromise by the new malware.
“As far as we know, this is the first publicly documented Python-based fileless attack targeting cloud workloads in the wild, and our evidence shows nearly 200 cases where this attack has been used for mining cryptocurrencies,” explains the new Wiz report.
PyLoose attack chain
Wiz observed attacks that began with gaining initial access to devices through publicly available Jupyter Notebook services, which failed to restrict system commands.
The attacker uses an HTTPS GET request to retrieve the fileless payload (PyLoose) from a Pastebin-like site, “paste.c-net.org”, and load it directly into Python’s runtime memory.
The PyLoose script is decoded and unpacked, loading a precompiled XMRig miner directly into instance memory using the Linux “memfd” utility, a known fileless malware technique under Linux.
“The memory file descriptor, memfd, is a Linux feature that allows the creation of anonymous file objects saved in memory that can be used for various purposes, such as inter-process communication or temporary storage”, explain Wiz in the report.
“Once the payload is placed in a memory section created via memfd, attackers can invoke one of the exec system calls on that memory content, treat it as if it were a normal file on disk, and thus start a new process.”
This allows attackers to execute the payload directly from memory, bypassing most traditional security solutions.
The XMRig miner loaded into the memory of the compromised cloud instance is a fairly recent version (v6.19.3) that uses the “MoneroOcean” mining pool to mine Monero.
Wiz could not attribute the PyLoose attacks to any particular threat actor, as the attacker left no useful evidence behind.
The researchers comment that the adversary behind PyLoose looks very sophisticated and stands out from typical threat actors who engage in cloud workload attacks.
It is recommended that administrators of cloud instances avoid public exposure of services susceptible to code execution, use strong passwords and multi-factor authentication to protect access to these services, and impose system command execution restrictions.