Wiz researchers found a new malware called PyLoose, attacking the cloud workloads to mine Monero cryptocurrencies with the compromised resources.
The malware is considered a novel one since it uses a fileless attacking method. Researchers noted the PyLoose malware runs directly in Python’s runtime memory of a compromised device, thus evading detection from any regular security tools.
Minting Coins Without Detection
Researchers at Wiz Security noted a new malware in the wild, targeting cloud instances to exploit their resources for mining cryptocurrencies. Naming it PyLoose, researchers discovered this malware first on June 22nd this year and noted nearly 200 compromise instances since then.
The threat actors behind this operation start by hitting publicly exposed Jupyter Notebook services, which are connected to the targeted cloud workloads. And since the Jupyter Notebook doesn’t effectively restrict system commands, threat actors remotely inject the malware to compromise the system.
Once they have the Jupyter Notebook control, the threat actor issues an HTTPS GET request to procure the payload from Pastebin – to run it directly in Python’s runtime memory. This is executed with the help of a Linux tool called memfd, say researchers.
The payload dumped in the memory is a pre-programmed XMRig miner, an open-source Monero mining tool often exploited for illegal mining, which mints coins for the threat actor. And since they don’t leave any physical evidence during the process, there’s no way of identifying who the actual threat actor was, making the entire attack a fileless technique.
As we wait for more details on this attacking vector, researchers advise the system admins of cloud workloads to restrict access with passwords and multi-factor authentication to secure them. Also, cutting their access is susceptible to code execution and limiting the command execution abilities is recommended.
