Python-Based PyLoose Fileless Attack Targets Cloud Workloads for Cryptocurrency Mining
The new fileless attack was dubbed PyLoose there have been observed conspicuous cloud workloads with the aim of providing cryptocurrency miners, new findings from Wiz reveal.
“The attack consisted of Python code loading XMRig Miner directly into memory using memfdtechnique without known Linux files,” security researchers Avigayil Mechtinger, Oren Ofer, and Itamar Gilad said. “This is the first publicly documented Python-based fileless attack targeting cloud workloads in the wild.”
The cloud security firm said it found nearly 200 instances where attack methods were used for cryptocurrency mining. No other details about the threat actor are known at this time other than the fact that they have sophisticated capabilities.
In the infection chain documented by Wiz, early access was achieved through exploits of the publicly accessible Jupyter Notebook service which allows execution of system commands using Python modules.
PyLoose, first detected on June 22, 2023, is a Python script with only nine lines of code embedding the compressed and pre-compiled encoded XMRig miner. The payload is loaded from paste.c-net(.)org into Python runtime memory via an HTTPS GET request without having to write the file to disk.
(embed)https://www.youtube.com/watch?v=eSnAlkipvOg(/embed)
The Python code is designed to decode and decompress the XMRig miner and then load it directly into memory via the memory file descriptor memfd, which is used to access memory resident files.
Protecting Against Insider Threats: SaaS Master Security Posture Management
Worried about insider threats? We are here to help you! Join this webinar to explore practical strategies and secrets to proactive security with SaaS Security Posture Management.
“Attackers strive to remain untraceable by using open data sharing services to host Python payloads, adapting fileless execution techniques to Python, and compiling the XMRig miner to embed their configurations against touching disks or using the command line,” the researchers said.
The developments come as Sysdig details a new attack campaign mounted by a threat actor known as SCARLETEEL that involves abusing AWS infrastructure to steal proprietary data and perform illegal crypto mining.
