
PyLoose: New Fileless Attack Targeting Cloud Workloads
According to recent research by Wiz, a new fileless attack known as PyLoose has been seen targeting cloud workloads to deploy a cryptocurrency miner.
The attack consists of Python code that loads an XMRig Miner directly into memory using memfd, a known Linux fileless technique. This is the first publicly documented Python-based fileless attack targeting cloud workloads in the wild.
Avigayil Mechtinger, Oren Ofer, and Itamar Gilad, Security Researchers
The cloud security company said it had discovered more than 200 instances of the technique being used to mine cryptocurrency. Beyond the fact that the threat actor appears to be highly capable, little is currently known about them.
In the infection chain described by Wiz, initial access is gained through a publicly exposed Jupyter Notebook service that permitted the use of Python modules to execute system commands.
PyLoose, a nine-line Python script that embeds a compressed and encoded precompiled XMRig miner, was first observed on June 22, 2023. The payload is fetched from paste.c-net[.]org with an HTTPS GET request and read directly into the Python runtime's memory, so it is never written to disk.
The Python code then decodes and decompresses the XMRig miner and loads it straight into memory via memfd, a Linux memory file descriptor that exposes an anonymous memory-resident file, so the miner runs without a backing file on disk.
The Wiz research team said in a statement:
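One way a defender can check a Linux host for this technique, as an added example that is not code from Wiz or from the article: a memfd-backed executable has no path on disk, but the kernel still exposes it through /proc/<pid>/exe as a link of the form "/memfd:<name> (deleted)", so listing processes whose exe link matches that shape surfaces miners loaded this way. The process list embedded below is constructed sample data, and the memfd name "x" is a placeholder, not an indicator from the report.

```python
import os
import re
from typing import Dict, Iterable, List, Optional, Tuple

# readlink(/proc/<pid>/exe) for a process started from an anonymous memfd
# looks like "/memfd:<name> (deleted)"; a binary on disk gives a real path.
MEMFD_EXE = re.compile(r"^/memfd:(?P<name>.*?) \(deleted\)$")


def classify_exe_target(target: str) -> Optional[Dict[str, str]]:
    """Return the memfd name if the exe link points at a memfd-backed file, else None."""
    m = MEMFD_EXE.match(target)
    return {"memfd_name": m.group("name")} if m else None


def find_memfd_processes(entries: Iterable[Tuple[int, str, str]]) -> List[Dict]:
    """entries are (pid, comm, resolved exe target); pure so it can be tested offline."""
    hits = []
    for pid, comm, target in entries:
        info = classify_exe_target(target)
        if info:
            hits.append({"pid": pid, "comm": comm, **info})
    return hits


def snapshot_proc(proc_root: str = "/proc") -> List[Tuple[int, str, str]]:
    """Collect (pid, comm, exe target) from a live Linux /proc; skip vanished or denied pids."""
    if not os.path.isdir(proc_root):
        return []
    out = []
    for d in os.listdir(proc_root):
        if not d.isdigit():
            continue
        try:
            target = os.readlink(f"{proc_root}/{d}/exe")
            with open(f"{proc_root}/{d}/comm") as f:
                comm = f.read().strip()
        except OSError:
            continue
        out.append((int(d), comm, target))
    return out


# Constructed sample, not captured from a real host.
SAMPLE = [
    (1, "systemd", "/usr/lib/systemd/systemd"),
    (4242, "python3", "/usr/bin/python3.11"),
    (4311, "kworker", "/memfd:x (deleted)"),    # hypothetical memfd-backed process
    (4390, "bash", "/usr/bin/bash (deleted)"),  # on-disk binary replaced by an update: not memfd
]

if __name__ == "__main__":
    for hit in find_memfd_processes(snapshot_proc()):
        print(f"pid={hit['pid']} comm={hit['comm']} memfd_name={hit['memfd_name']!r}")
```

A process name such as "kworker" on a memfd-backed executable is itself suspicious, since genuine kernel threads have no exe link at all; correlate hits with CPU usage and outbound connections before acting on them.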
The attacker went to great lengths to be untraceable by using an open data-sharing service to host the Python payload, adapting the fileless execution technique to Python, and compiling an XMRig miner to embed its config to avoid touching the disk or using a revealing command line.
The development comes as Sysdig detailed a new attack campaign mounted by a threat actor known as SCARLETEEL that entails the abuse of AWS infrastructure to steal proprietary data and conduct illicit crypto mining.