PyLoose, a New Fileless Malware Targets Cloud Workspace

Highlights:

• The PyLoose attack uses memfd, a Linux fileless method, to load an XMRig miner into memory.
• PyLoose was first discovered on June 22 and gained access through a Jupyter Notebook service available to the users.

Researchers from the cybersecurity organization Wiz Inc. reported discovering a fileless virus that targets cloud workloads.

The attack, known as “PyLoose,” is reportedly the first documented Python-based malware that targets cloud workloads. Instead of using conventional executable files, a fileless attack uses tools and features already present in the software running on the target system. Due to the evasion strategies, the attack poses a severe threat to conventional security systems.

The PyLoose attack uses memfd, a Linux fileless method, to load an XMRig Miner into memory. By taking advantage of the operating system’s capabilities, the attack avoids the necessity of writing payloads on a disc.

PyLoose was first discovered on June 22 and gained access through the Jupyter Notebook service, which is available to the public. The malware’s creators then downloaded a fileless payload from a website like Pastebin into the Python runtime’s memory, eliminating the need for disc storage and streamlining the attack procedure.

According to the researchers, the attack cannot be associated with a specific threat organization. The use of an open data-sharing site to host the Python payload, the conversion of fileless execution to Python, and the implantation of the XMRig miner configuration indicates the involvement of a highly capable and equipped threat actor.

Certain measures can be implemented to defend against PyLoose. The researchers advise users against exposing services like Jupyter Notebook, which can permit code execution. Additional security can be achieved by employing robust authentication techniques like multifactor authentication and a centrally managed identity platform.

The researchers also reported, “These attacks serve as a reminder that organizations should have a security posture solution in place to help security teams eliminate toxic risk combinations, in addition to a runtime protection solution that quickly detects and responds to breaches.”