New Fileless Linux Malware PyLoose Targets Cloud Workloads for Cryptomining

The cybersecurity landscape has been rattled by a new strain of fileless Linux malware called PyLoose, reportedly among the few, if not the first, Python-based fileless attack targeting cloud workloads. The malware has already infected around 200 instances, harnessing their computational resources to mine Monero cryptocurrency, says cloud security company Wiz.

Despite its fairly complex operations, PyLoose is simple in nature, consisting of a Python script with a precompiled XMRig miner encoded in base64. The XMRig miner, an open-source tool favored by hackers, uses the computational power of CPUs to solve sophisticated cryptomining algorithms.

What makes PyLoose particularly challenging for security tools to detect is its fileless nature, which means it operates directly from the machine's memory. It leaves no trace on the compromised system's drives, making it virtually immune to signature-based detection.

Fileless malware like PyLoose often "live off the land," using legitimate tools to inject malicious code into genuine processes. In this case, PyLoose utilizes the memfd (memory file descriptor) Linux utility, commonly employed by fileless malware, to load the XMRig miner into the instance's memory.

"Once the payload is placed within a memory section created via memfd, attackers can invoke one of the exec syscalls on that memory content, treating it as if it were a regular file on disk, and thereby launch a new process," the Wiz researchers explained. This method allows the payload to be executed directly from the memory, bypassing most traditional security measures.

The initial entry point for the PyLoose malware is reportedly through publicly accessible Jupyter Notebook services with inadequate system command restrictions. The malware is fetched from a Pastebin-like website via an HTTPS GET request and injected directly into Python's runtime memory.

Although the Wiz team has been unable to attribute the PyLoose campaign to a specific threat actor due to the absence of identifiable evidence, they agree that the perpetrator's level of sophistication distinguishes them from the usual threat actors targeting cloud workloads.

PyLoose is a stark reminder of the increasing complexity and stealth of cyberthreats, emphasizing the importance of robust security and constant vigilance in defending against evolving malware attacks.