Python-Based PyLoose Fileless Attack Targets Cloud Workloads for Cryptocurrency Mining

10 months ago AndyC

Jul 12, 2023The Hacker NewsCloud Security / Cryptocurrency

A new fileless attack dubbed PyLoose has been observed striking cloud workloads with the goal of delivering a cryptocurrency miner, new findings from Wiz reveal.

Python-Based PyLoose Fileless Attack Targets Cloud Workloads for Cryptocurrency Mining

Jul 12, 2023The Hacker NewsCloud Security / Cryptocurrency

Python-Based PyLoose Fileless Attack Targets Cloud Workloads for Cryptocurrency Mining

A new fileless attack dubbed PyLoose has been observed striking cloud workloads with the goal of delivering a cryptocurrency miner, new findings from Wiz reveal.

“The attack consists of Python code that loads an XMRig Miner directly into memory using memfd, a known Linux fileless technique,” security researchers Avigayil Mechtinger, Oren Ofer, and Itamar Gilad said. “This is the first publicly documented Python-based fileless attack targeting cloud workloads in the wild.”

The cloud security firm said it found nearly 200 instances where the attack method was employed for cryptocurrency mining. No other details about the threat actor are currently known other than the fact that they possess sophisticated capabilities.

In the infection chain documented by Wiz, initial access is achieved through the exploitation of a publicly accessible Jupyter Notebook service that allowed for the execution of system commands using Python modules.

PyLoose, first detected on June 22, 2023, is a Python script with just nine lines of code that embeds a compressed and encoded precompiled XMRig miner. The payload is retrieved from paste.c-net[.]org into the Python runtime’s memory by means of an HTTPS GET request without having to write the file to disk.

The Python code is designed to decode and decompress the XMRig miner and then load it directly into memory via the memfd memory file descriptor, which is used to access memory-resident files.

UPCOMING WEBINAR

Shield Against Insider Threats: Master SaaS Security Posture Management

Worried about insider threats? We’ve got you covered! Join this webinar to explore practical strategies and the secrets of proactive security with SaaS Security Posture Management.

Join Today

“The attacker went to great lengths to be untraceable by using an open data-sharing service to host the Python payload, adapting the fileless execution technique to Python, and compiling an XMRig miner to embed its config to avoid touching the disk or using a revealing command line,” the researchers said.

The development comes as Sysdig detailed a new attack campaign mounted by a threat actor known as SCARLETEEL that entails the abuse of AWS infrastructure to steal proprietary data and conduct illicit crypto mining.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , ,

More Stories

Expert-Led Webinar - Uncovering Latest DDoS Tactics and Learn How to Fight Back

Expert-Led Webinar – Uncovering Latest DDoS Tactics and Learn How to Fight Back

20 hours ago AndyC
Hackers Increasingly Abusing Microsoft Graph API for Stealthy Malware Communications

Hackers Increasingly Abusing Microsoft Graph API for Stealthy Malware Communications

20 hours ago AndyC
New Guide Explains How to Eliminate the Risk of Shadow SaaS and Protect Corporate Data

New Guide Explains How to Eliminate the Risk of Shadow SaaS and Protect Corporate Data

20 hours ago AndyC
NSA, FBI Alert on N. Korean Hackers Spoofing Emails from Trusted Sources

NSA, FBI Alert on N. Korean Hackers Spoofing Emails from Trusted Sources

20 hours ago AndyC
Google Announces Passkeys Adopted by Over 400 Million Accounts

Google Announces Passkeys Adopted by Over 400 Million Accounts

1 day ago AndyC
Four Critical Vulnerabilities Expose HPE Aruba Devices to RCE Attacks

Four Critical Vulnerabilities Expose HPE Aruba Devices to RCE Attacks

1 day ago AndyC

You may have missed

LockBit published data stolen from Simone Veil hospital in Cannes

LockBit published data stolen from Simone Veil hospital in Cannes

8 hours ago AndyC

Friday Squid Blogging: Squid Purses

8 hours ago AndyC
Monash Health data caught up in attack on records digitisation provider

Monash Health data caught up in attack on records digitisation provider

14 hours ago AndyC
Russia-linked APT28 and crooks are still using the Moobot botnet

Russia-linked APT28 and crooks are still using the Moobot botnet

14 hours ago AndyC

My TED Talks – Schneier on Security

14 hours ago AndyC

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.