Analysts from cybersecurity firm Wiz discovered a new fileless malware named PyLoose targeting cloud workloads to hijack their computational resources for Monero cryptocurrency mining.


PyLoose is a Python script that carries a precompiled, base64-encoded XMRig miner, a widely abused open-source tool that uses CPU power for cryptomining. The script is stealthy and hard for security tools to detect because it leaves no footprint on the system's drives: it executes directly from memory, so signature-based detection tools that scan files on disk have nothing to match.

The PyLoose attack chain begins with the attacker gaining initial access to a device through publicly accessible Jupyter Notebook services that fail to restrict system commands. Once the attacker has gained access, they use an HTTPS GET request to fetch the fileless payload (PyLoose) from a Pastebin-like site, "paste.c-net.org", and load it straight into Python's runtime memory. The PyLoose script is decoded and decompressed, and the precompiled XMRig miner is loaded directly into the instance's memory using the Linux memfd_create system call, a known fileless execution technique on Linux.
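A memfd-backed executable leaves a recognisable trace even though nothing touches disk: the kernel renders the process's /proc/<pid>/exe link as "/memfd:<name> (deleted)". The following detection script is an added example written for this write-up (it is not Wiz's tooling and not part of PyLoose); it scans /proc for such processes and checks /proc/net/tcp for established connections to the mining proxy IP and port listed in the indicators below. The function names and the sample /proc/net/tcp row are constructed for illustration.

```python
"""Hunt for fileless (memfd-backed) executables and connections to the
PyLoose mining proxy. Added example for this write-up; Linux /proc only."""
import os
import re
import socket
import struct

# Mining proxy endpoint from the write-up's IoC list (IP, port).
IOC_ENDPOINTS = {("51.75.64.249", 20128)}

# The kernel shows an executed memfd as "/memfd:<name> (deleted)".
MEMFD_RE = re.compile(r"^/memfd:.*\(deleted\)$")


def is_memfd_backed(exe_target: str) -> bool:
    """True when a readlink() of /proc/<pid>/exe points at an anonymous memfd."""
    return bool(MEMFD_RE.match(exe_target))


def memfd_processes(proc_root: str = "/proc") -> list:
    """Return (pid, exe_target) for every process whose image lives only in memory."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(f"{proc_root}/{entry}/exe")
        except OSError:
            continue  # kernel threads, exited or unreadable processes
        if is_memfd_backed(target):
            hits.append((int(entry), target))
    return hits


def parse_proc_net_tcp_line(line: str):
    """Parse one data row of /proc/net/tcp into (remote_ip, remote_port, state).

    Addresses are printed as a hex 32-bit word in host (little-endian) order,
    so the bytes must be reversed before formatting them as dotted quad.
    """
    fields = line.split()
    if len(fields) < 4 or fields[0] == "sl":  # header row or truncated line
        return None
    rem_hex, port_hex = fields[2].split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(rem_hex, 16)))
    return ip, int(port_hex, 16), fields[3]


def ioc_connections(net_tcp_text: str) -> list:
    """Established sockets (state 01) whose peer is a known PyLoose endpoint."""
    hits = []
    for line in net_tcp_text.splitlines():
        parsed = parse_proc_net_tcp_line(line)
        if parsed and parsed[2] == "01" and (parsed[0], parsed[1]) in IOC_ENDPOINTS:
            hits.append(parsed)
    return hits


# Constructed sample: one established socket to 51.75.64.249:20128
# (F9404B33 is the little-endian hex of 51.75.64.249, 4EA0 is 20128).
SAMPLE_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1 1 0\n"
    "   1: 0A00020F:B7C2 F9404B33:4EA0 01 00000000:00000000 00:00000000 00000000  1000        0 2 1 0\n"
)

if __name__ == "__main__":
    for pid, target in memfd_processes():
        print(f"memfd-backed executable: pid={pid} exe={target}")
    try:
        with open("/proc/net/tcp") as fh:
            for ip, port, _ in ioc_connections(fh.read()):
                print(f"established connection to PyLoose endpoint {ip}:{port}")
    except OSError:
        print("no /proc/net/tcp; running the constructed sample instead")
        print(ioc_connections(SAMPLE_NET_TCP))
```

Run it as root on a suspect host so every process's exe link is readable; a Python process whose exe resolves to "/memfd:... (deleted)" and that holds a socket to a mining pool is the combination this campaign produces.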

Wiz could not attribute the PyLoose attacks to any particular threat actor, as the attacker left no useful evidence behind.

However, the researchers comment that the adversary behind PyLoose appears highly sophisticated and stands out from the typical threat actors engaging in cloud workload attacks.


Indicators of Compromise

Type        Value
SHA256      25232290fa9fa5529240a4e893ce206dfdcfc28d0b3a1b89389f7270f1046822
SHA1        d422493b47e4798717f2b05a482c97ef9e6b74b9
MD5         fec5b820594579f1088db47583d2c62d
SHA256      935ee206846223e6d2db3f62d05101c0bea741e7b43e1b73c1eb008f947d5ff1
SHA1        eba82ed21b329b0955ab87b2397a949628349b3f
MD5         059f83f8969b09c29c95b17452718ea3
IP:port     51.75.64.249:20128
Domain      gulf.moneroocean.stream
Domain      pool.sabu-sabu.ml
Domain      pool.xiao.my.id
Wallet      85DS3ShGZwtFffeQUrDK8Db12qwCcaCHofNcZdjMkjTCfWiRv9WLe4cR2W97eGnRXwBxDhTK7Bbb

MITRE ATT&CK® Techniques

Tactic                 Technique
Command and Control    Ingress Tool Transfer (T1105)
Command and Control    Web Service (T1102)
Defense Evasion        Deobfuscate/Decode Files or Information (T1140)
Defense Evasion        Obfuscated Files or Information: Software Packing (T1027.002)
Defense Evasion        Reflective Code Loading (T1620)
Impact                 Resource Hijacking (T1496)