Analysts from cybersecurity firm Wiz discovered a new fileless malware named PyLoose targeting cloud workloads to hijack their computational resources for Monero cryptocurrency mining.
PyLoose is a Python script with a precompiled, base64-encoded XMRig miner, a widely abused open-source tool that uses CPU power for cryptomining. The script is incredibly stealthy and challenging for security tools to detect, as it leaves no physical footprint on the system’s drives. Instead, it executes directly from memory, which makes it difficult for signature-based detection tools to identify.
The PyLoose attack chain begins with the attacker gaining initial access to a device through publicly accessible Jupyter Notebook services that fail to restrict system commands. Once the attacker has gained access, they use an HTTPS GET request to fetch the fileless payload (PyLoose) from a Pastebin-like site, “paste.c-net.org,” and load it straight into Python’s runtime memory. The PyLoose script is decoded and decompressed, loading a precompiled XMRig miner directly into the instance’s memory using the “memfd” Linux utility, a known fileless malware technique in Linux.
Wiz could not attribute the PyLoose attacks to any particular threat actor, as the attacker left no useful evidence behind.
However, the researchers comment that the adversary behind PyLoose appears highly sophisticated and stands out from the typical threat actors engaging in cloud workload attacks.
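The memfd loading step described above leaves one artifact a defender can check on a running Linux host: the `/proc/<pid>/exe` link of a process started from a memfd points at `/memfd:<name> (deleted)` instead of a path on disk. The following is an added example, not code from Wiz or from the original article; the function names are hypothetical and the sample link targets are constructed.

```python
import os

MEMFD_PREFIX = "/memfd:"      # how the kernel labels memfd-backed files in /proc
DELETED_SUFFIX = " (deleted)"  # memfd objects have no directory entry on disk

def is_memfd_backed(exe_target):
    """True if a /proc/<pid>/exe link target is a memfd, not a file on disk."""
    return exe_target.startswith(MEMFD_PREFIX)

def memfd_name(exe_target):
    """Return the name passed to memfd_create(), which may be empty."""
    name = exe_target[len(MEMFD_PREFIX):]
    if name.endswith(DELETED_SUFFIX):
        name = name[:-len(DELETED_SUFFIX)]
    return name

def scan_proc(proc_root="/proc"):
    """List (pid, memfd name) for every process running from a memfd."""
    findings = []
    try:
        entries = os.listdir(proc_root)
    except OSError:
        return findings  # not Linux, or /proc not mounted
    for entry in entries:
        if not entry.isdigit():
            continue  # skip non-process entries such as "self" or "meminfo"
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue  # kernel thread, exited process, or not enough privilege
        if is_memfd_backed(target):
            findings.append((int(entry), memfd_name(target)))
    return sorted(findings)

if __name__ == "__main__":
    # Constructed sample link targets, for illustration only.
    for sample in ("/usr/bin/python3.10", "/memfd: (deleted)"):
        print(f"{sample!r}: memfd-backed={is_memfd_backed(sample)}")
    # Live scan; run as root to see processes owned by other users.
    for pid, name in scan_proc():
        print(f"pid {pid} is executing from memfd {name!r}")
```

Some legitimate software also executes from a memfd, so treat hits as leads to triage rather than verdicts.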
Indicator of Compromise
MITRE ATT&CK® Techniques
|Tactic|Technique|
|---|---|
|Command and Control|Ingress Tool Transfer (T1105)|
|Command and Control|Web Service (T1102)|
|Defense Evasion|Deobfuscate/Decode Files or Information (T1140)|
|Defense Evasion|Obfuscated Files or Information: Software Packing (T1027.002)|
|Defense Evasion|Reflective Code Loading (T1620)|
|Impact|Resource Hijacking (T1496)|