Researchers at Wiz Security documented a novel malware called PyLoose, which hijacks cloud workloads to mine the Monero cryptocurrency.

PyLoose is fileless: the payload is never written to disk on the compromised machine. It is fetched from a remote server by the threat actor and executed directly in the memory of the Python runtime, which makes it hard for file-based security tools to detect. Administrators of cloud workloads are advised to be vigilant and to harden any service they expose to the internet.

Leaving No Trace of Attack

New malware is in the wild targeting publicly exposed cloud workloads, where an unknown threat actor uses the victim's compute to mine the Monero cryptocurrency. Wiz researchers named the malware PyLoose; it is a Python script that runs in the Python runtime's memory to avoid detection.

Researchers first detected PyLoose attacks in the wild on June 22, 2023, and have since counted at least 200 compromised instances. The threat actor gains initial access through publicly reachable Jupyter Notebook services that do not restrict the execution of system commands. From there, the actor issues an HTTPS GET request to fetch the payload from Pastebin and executes it directly in the Python runtime's memory.

According to the researchers, the attackers use Linux's memfd facility (the memfd_create system call, which creates an anonymous file backed only by RAM) to execute the payload. Because the miner is loaded straight into memory and never touches disk, it leaves little forensic evidence behind, and the researchers could not attribute the attack to any known threat actor. They do consider the group behind it sophisticated, given that it is running fileless attacks against cloud instances.

Once running, the fileless malware uses the victim's resources to mine Monero for the threat actor, with the proceeds going to the attacker's wallet. Because little identifying information about the operators is available, users should watch their systems for suspicious activity such as unexplained CPU load or unexpected outbound connections.

System administrators of cloud instances should therefore remove public exposure from any service that allows code execution. They should also protect access to those services with strong passwords and multi-factor authentication, and restrict the execution of system commands where the service offers such controls.