PyLoose, a newly reported fileless malware strain, targets cloud workloads in order to hijack their compute. According to the researchers who discovered it, the stolen CPU time is used to mine Monero cryptocurrency.
Researchers explained that PyLoose is a relatively straightforward Python script that carries a precompiled XMRig miner in compressed, base64-encoded form. XMRig is a widely used open-source miner that burns CPU cycles on the proof-of-work hashing that cryptomining requires.
Because the payload is executed directly from memory and never touches disk, it is a stealthy, hard-to-trace payload that many security solutions struggle to catch.
Researchers said that fileless malware is elusive because it leaves no file on the compromised system's drives, so signature-based scanners that inspect files on disk have nothing to match against. Fileless strains also commonly abuse legitimate system tools to inject malicious code into trusted processes.
The PyLoose operators gain initial access through publicly exposed Jupyter Notebook services that do not restrict the execution of system commands; from there the campaign proceeds to the fileless stage.
Next, the attackers issue an HTTPS GET request to fetch the fileless payload from a Pastebin-like paste site and load it straight into the Python interpreter's memory. The script then base64-decodes and decompresses the embedded XMRig binary and writes it into an anonymous, memory-backed file created with the Linux memfd_create system call (not a standalone utility), so the miner can be executed without ever being written to disk.
Executing the payload from memory this way sidesteps many commonly deployed security controls. The XMRig miner that ends up running in the infected cloud instance's memory connects to the MoneroOcean mining pool to mine Monero.
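An in-memory payload still leaves a trail in procfs: on Linux, a process whose executable lives in an anonymous memfd has a /proc/&lt;pid&gt;/exe symlink pointing at a pseudo-path such as "/memfd:xmrig (deleted)" rather than at a real file. The scanner below is an added example (it is not code from the original article or from the researchers) that hunts for such processes. It assumes a standard Linux procfs layout; the process tree it demonstrates against is constructed in run_demo() so that it runs offline.

```python
"""Hunt for memfd-backed executables via procfs (added example, not from the article)."""
import os
import re
import tempfile
from dataclasses import dataclass

# /proc/<pid>/exe for a memfd-executed binary reads "/memfd:<name> (deleted)".
MEMFD_LINK = re.compile(r"^/memfd:(?P<name>.*?)( \(deleted\))?$")


@dataclass
class Finding:
    pid: int
    memfd_name: str
    cmdline: str


def is_memfd_exe(link_target: str) -> bool:
    """True if an exe symlink target names an anonymous memfd."""
    return MEMFD_LINK.match(link_target) is not None


def memfd_name(link_target: str) -> str:
    """The name the creator passed to memfd_create(), or '' if not a memfd."""
    m = MEMFD_LINK.match(link_target)
    return m.group("name") if m else ""


def read_cmdline(pid_dir: str) -> str:
    """Return the NUL-separated cmdline as a single space-joined string."""
    try:
        with open(os.path.join(pid_dir, "cmdline"), "rb") as fh:
            return fh.read().replace(b"\x00", b" ").decode(errors="replace").strip()
    except OSError:
        return ""


def scan_proc(proc_root: str = "/proc") -> list[Finding]:
    """Walk every numeric /proc entry and flag processes whose exe is a memfd."""
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            target = os.readlink(os.path.join(pid_dir, "exe"))
        except OSError:
            continue  # kernel thread, process already exited, or no permission
        if is_memfd_exe(target):
            findings.append(Finding(int(entry), memfd_name(target), read_cmdline(pid_dir)))
    return sorted(findings, key=lambda f: f.pid)


def build_fake_proc(root: str, procs: dict[int, tuple[str, str]]) -> None:
    """Constructed procfs tree for offline testing: pid -> (exe target, cmdline)."""
    for pid, (exe_target, cmdline) in procs.items():
        pid_dir = os.path.join(root, str(pid))
        os.makedirs(pid_dir)
        os.symlink(exe_target, os.path.join(pid_dir, "exe"))  # dangling links are fine
        with open(os.path.join(pid_dir, "cmdline"), "wb") as fh:
            fh.write(cmdline.replace(" ", "\x00").encode() + b"\x00")


def run_demo() -> list[Finding]:
    """Scan a constructed tree: one benign init, one Jupyter, one memfd-backed miner."""
    with tempfile.TemporaryDirectory() as root:
        build_fake_proc(root, {
            1: ("/usr/lib/systemd/systemd", "/sbin/init"),
            4242: ("/usr/bin/python3.10", "python3 -m jupyter notebook --ip=0.0.0.0"),
            4311: ("/memfd:python3 (deleted)", "python3"),  # miner masquerading as python
        })
        return scan_proc(root)


if __name__ == "__main__":
    for f in run_demo():
        print(f"pid={f.pid} memfd={f.memfd_name!r} cmdline={f.cmdline!r}")
```

Run it against the real /proc as root with scan_proc() to cover processes owned by other users; unprivileged scans silently skip those. Note that a memfd name is attacker-chosen, so treat any memfd-backed executable as suspicious regardless of how innocuous the name looks.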
Researchers could not attribute the PyLoose campaign to a particular threat group, since the attackers were careful to leave little evidence behind. Some researchers noted that the PyLoose operators appear more sophisticated than the typical actors behind cloud workload cryptojacking campaigns.
Cloud instance administrators should therefore avoid publicly exposing services that permit code execution, such as Jupyter Notebook. Experts also advise organisations to enforce strong passwords and enable multi-factor authentication (MFA) to keep unauthorised users away from valuable services.
