Researchers at Wiz Security have documented a novel malware strain, PyLoose, that compromises cloud workloads to mine the Monero cryptocurrency.
PyLoose is fileless: the payload is never written to the compromised machine's disk. The threat actor fetches it remotely and executes it directly in the Python runtime's memory, which makes it hard for file-based security tools to detect. Administrators of cloud workloads are advised to stay vigilant and lock down their services.
Leaving No Trace of Attack
A new malware strain is in the wild targeting exposed cloud workloads, where an unidentified threat actor uses the victims' compute resources to mine the Monero cryptocurrency. Wiz researchers named it PyLoose; it runs in the Python runtime's memory to evade detection.
Researchers first detected PyLoose attacks in the wild on June 22nd, 2023, and have counted at least 200 compromised instances. The threat actor gains initial access through publicly reachable Jupyter Notebook services that do not restrict system command execution. From there, the attacker issues an HTTPS GET request to fetch the payload from a Pastebin-like paste site and executes it directly in the Python runtime's memory.
Researchers said the attackers use the Linux memfd_create system call to run the payload: it creates an anonymous file that exists only in memory, and the payload is executed from that file descriptor without ever being written to disk, so the usual file-based artifacts are absent. Because so little was left behind, the researchers could not attribute the attack to a specific threat actor, but they assess the group as sophisticated, since fileless attacks against cloud instances are rare.
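Fileless does not mean traceless. A payload run from a memfd has no path on disk, but the kernel still exposes it under /proc: the process's `exe` link resolves to `/memfd:<name> (deleted)`, the descriptor sits in the fd table, and the image shows up in `maps`. The scanner below is an added example written for this page (it is not Wiz's tooling or anything from the PyLoose campaign) that hunts for those artifacts on a Linux host. The sample snapshot it ships with is constructed, and the memfd name `x` in it is a placeholder, not the name the malware uses.

```python
#!/usr/bin/env python3
"""Added example: hunt for processes executing from an anonymous memfd.

The kernel reports a memfd_create()-backed file as "/memfd:<name> (deleted)";
the " (deleted)" suffix is normal because the file never had a directory entry.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List

# Pseudo-path used for memfd-backed files, e.g. "/memfd:x (deleted)".
MEMFD_RE = re.compile(r"^/memfd:(?P<name>.*?)(?: \(deleted\))?$")


@dataclass(frozen=True)
class Finding:
    pid: int
    where: str    # "exe", "fd/<n>" or "maps"
    target: str


def is_memfd_path(path: str) -> bool:
    """True if a resolved symlink or maps pathname points at an anonymous memfd."""
    return MEMFD_RE.match(path) is not None


def findings_from_snapshot(pid: int, exe: str, fds: Dict[str, str], maps: str) -> List[Finding]:
    """Classify one process from already-collected /proc data (pure, so it is testable).

    exe:  resolved target of /proc/<pid>/exe
    fds:  fd number -> resolved target of /proc/<pid>/fd/<n>
    maps: raw text of /proc/<pid>/maps
    An "exe" hit is the high-signal one: the process image itself is in-memory only.
    "maps" hits alone are noisy (browsers, systemd and glibc use memfd for shared memory).
    """
    out: List[Finding] = []
    if is_memfd_path(exe):
        out.append(Finding(pid, "exe", exe))
    for fd, target in sorted(fds.items(), key=lambda kv: int(kv[0])):
        if is_memfd_path(target):
            out.append(Finding(pid, f"fd/{fd}", target))
    seen = set()
    for line in maps.splitlines():
        # Fields: address perms offset dev inode [pathname]; pathname may contain spaces.
        parts = line.split(None, 5)
        if len(parts) == 6 and is_memfd_path(parts[5]) and parts[5] not in seen:
            seen.add(parts[5])
            out.append(Finding(pid, "maps", parts[5]))
    return out


def scan_proc(proc: str = "/proc") -> List[Finding]:
    """Walk a live /proc. Entries that cannot be read (other users' processes without
    root, kernel threads, processes exiting mid-scan) are skipped, not treated as errors."""
    results: List[Finding] = []
    if not os.path.isdir(proc):
        return results
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        base = os.path.join(proc, entry)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            exe = ""
        fds: Dict[str, str] = {}
        try:
            for fd in os.listdir(os.path.join(base, "fd")):
                try:
                    fds[fd] = os.readlink(os.path.join(base, "fd", fd))
                except OSError:
                    pass
        except OSError:
            pass
        try:
            with open(os.path.join(base, "maps")) as fh:
                maps = fh.read()
        except OSError:
            maps = ""
        results.extend(findings_from_snapshot(int(entry), exe, fds, maps))
    return results


# Constructed sample snapshot (not captured from a real infection): a process whose
# executable is a memfd, with the descriptor still open and the image mapped.
SAMPLE_PID = 4242
SAMPLE_EXE = "/memfd:x (deleted)"
SAMPLE_FDS = {"0": "/dev/null", "1": "/dev/null", "3": "/memfd:x (deleted)"}
SAMPLE_MAPS = """\
55d1c0000000-55d1c0400000 r-xp 00000000 00:01 9876 /memfd:x (deleted)
55d1c0400000-55d1c0500000 rw-p 00400000 00:01 9876 /memfd:x (deleted)
7f3a00000000-7f3a00020000 r-xp 00000000 08:01 1234 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd10000000-7ffd10021000 rw-p 00000000 00:00 0 [stack]
"""


def demo() -> List[Finding]:
    """Run the classifier over the constructed sample; returns exe, fd/3 and one maps hit."""
    return findings_from_snapshot(SAMPLE_PID, SAMPLE_EXE, SAMPLE_FDS, SAMPLE_MAPS)


if __name__ == "__main__":
    for f in demo() + scan_proc():
        print(f"pid={f.pid} {f.where} -> {f.target}")
```

Run it as root for full coverage; without root, `exe` and `fd` for other users' processes are unreadable and only your own processes are checked. Treat an `exe` hit as worth immediate triage and a lone `maps` hit as a lead to confirm against the process's parent and command line.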
Once loaded, the fileless malware uses the victim's resources to mine Monero for the threat actor, with the proceeds sent to the attacker's wallet. Since little identifiable information about this malware exists, users should watch their systems for suspicious activity such as unexplained CPU load.
System administrators of cloud instances are therefore advised to remove public exposure from any service that allows code execution. They should also protect access to those services with strong passwords and multi-factor authentication, and enable restrictions on system command execution.