PyLoose: a new method of fileless attack on cloud infrastructure
Just nine lines of code allow attackers to use high-performance servers for cryptocurrency mining.
A new fileless attack called PyLoose targets various cloud services in order to install a cryptocurrency miner. “The attack consists of Python code that loads the cryptominer directly into the RAM of the environment using a well-known Linux fileless technique. This is the first fileless Python-based attack in the wild to target cloud services,” Wiz said in its report yesterday.
The cloud security company has found about 200 instances of this attack method being used to mine cryptocurrencies. So far, nothing is known about the attackers, except that they have advanced skills and tools.
According to Wiz, the attackers gained initial access by exploiting a publicly exposed Jupyter Notebook service, which allows system commands to be executed through Python modules.
PyLoose, first discovered on June 22, 2023, is a Python script of just nine lines of code that contains a compressed and encoded precompiled XMRig miner.
The payload is downloaded from the public paste service pastebin with an HTTPS GET request and loaded directly into the memory of the Python runtime through a memfd handle, without writing any file to disk, which greatly complicates detection of this threat.
“The attackers went to great lengths to remain undetected by using an open data exchange service to host Python payloads, adapting a fileless execution technique for Python, and compiling the XMRig miner with inline configuration to avoid disk access or command line usage,” the researchers say.
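Because the miner never touches disk and carries its configuration inline, file scanning and command-line inspection both miss it, but a process executing from a memfd still leaves traces in /proc. The following Python script is an added detection example, not code from the Wiz report or from this article; it assumes a Linux host with the standard /proc layout and flags only executable memfd mappings, since memfd_create() is also used legitimately for shared memory.

```python
import os
from typing import Dict, List

# Hypothetical detection helper (not from the Wiz report). A binary loaded via
# memfd_create() and executed shows up in /proc/<pid>/exe and /proc/<pid>/maps
# as "/memfd:<name> (deleted)". Only mappings with execute permission are
# reported, because non-executable memfd regions are common (shared buffers).

def executable_memfd_paths(maps_text: str) -> List[str]:
    """Return memfd-backed paths mapped with execute permission.

    maps_text is the content of /proc/<pid>/maps; each line is
    "address perms offset dev inode pathname".
    """
    hits: List[str] = []
    for line in maps_text.splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) < 6:
            continue  # anonymous mapping, no pathname
        perms, path = parts[1], parts[5]
        if "x" in perms and path.startswith("/memfd:") and path not in hits:
            hits.append(path)
    return hits

def scan_running_processes() -> Dict[int, List[str]]:
    """Walk /proc and report PIDs executing from memfd (Linux; root sees all PIDs)."""
    findings: Dict[int, List[str]] = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/maps") as f:
                hits = executable_memfd_paths(f.read())
            exe = os.readlink(f"/proc/{pid}/exe")
            if exe.startswith("/memfd:") and exe not in hits:
                hits.append(exe)
        except OSError:
            continue  # process exited or permission denied
        if hits:
            findings[pid] = hits
    return findings

# Constructed /proc/<pid>/maps excerpt for offline demonstration.
SAMPLE_MAPS = """\
00400000-00401000 r--p 00000000 00:01 42   /memfd:x (deleted)
00401000-0040a000 r-xp 00001000 00:01 42   /memfd:x (deleted)
7f00000000-7f00010000 rw-s 00000000 00:01 77   /memfd:shm-buffer (deleted)
7f01000000-7f01020000 r-xp 00000000 08:01 1234   /usr/lib/x86_64-linux-gnu/libc.so.6
"""

if __name__ == "__main__":
    print(executable_memfd_paths(SAMPLE_MAPS))  # → ['/memfd:x (deleted)']
    for pid, paths in scan_running_processes().items():
        print(pid, paths)
```

Run it periodically or from an agent; a hit where the exe link points at a memfd and no matching file exists on disk is the signal to capture the process memory for analysis.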
Attacks on cloud services have recently gained popularity among attackers. Literally yesterday we wrote about a new malicious operation recently carried out by the SCARLETEEL group to exploit Amazon Web Services (AWS) infrastructure for stealing sensitive data and illegal cryptocurrency mining.