PyLoose Targets Cloud Workloads


Researchers at Wiz.io have disclosed PyLoose, a Python-based fileless attack that targets cloud workloads to mine cryptocurrency.


The Attack Unveiled

The attack was first detected by Wiz's Runtime Sensor on June 22, 2023. The attacker gained initial access through a publicly accessible Jupyter Notebook service that did not restrict the execution of system commands. The PyLoose payload was then fetched from a Pastebin-like paste site straight into the Python runtime's memory, so the loader was never written to disk.

PyLoose code snippet | Made by Wiz.io

The Python script is only nine lines long and carries a compressed, encoded, precompiled XMRig miner. It decodes and decompresses the miner and loads it directly into memory through a memory file descriptor (memfd, an anonymous memory-backed file created with memfd_create), then executes it from that descriptor, so the ELF binary never exists as a regular file. The miner then connects to the remote MoneroOcean mining pool.
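The memfd technique leaves a distinctive trace in procfs: a binary that exists only in an anonymous memfd shows up as a pseudo-path such as `/memfd:<name> (deleted)`, both as the target of `/proc/<pid>/exe` and in executable lines of `/proc/<pid>/maps`. The following detector, written for this article and not taken from the Wiz.io report or the PyLoose sample, flags processes by that trace alone, so it catches the loading technique rather than one payload. The procfs data embedded in it is constructed, not captured from a real incident.

```python
"""Flag processes running from an anonymous memfd instead of a file on disk.

Added example for this article; it is not code from the Wiz.io report and it
does not reproduce the PyLoose loader. An ELF written into a memfd and
executed from there appears in procfs with a pseudo-path such as
'/memfd:<name> (deleted)' as the readlink target of /proc/<pid>/exe and in
executable lines of /proc/<pid>/maps. The procfs samples below are
constructed, not captured.
"""
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# memfd_create() names the file "/memfd:<name>"; once the only reference is
# the open descriptor the kernel appends " (deleted)". The name may be empty.
MEMFD_RE = re.compile(r"^/memfd:(?P<name>.*?)(?: \(deleted\))?$")


@dataclass
class Finding:
    pid: int
    memfd_name: str        # name passed to memfd_create(), often "" for loaders
    exe_is_memfd: bool     # the main executable itself lives in the memfd
    exec_mappings: int     # executable mappings backed by a memfd


def is_memfd_path(path: str) -> bool:
    return MEMFD_RE.match(path) is not None


def memfd_name(path: str) -> Optional[str]:
    m = MEMFD_RE.match(path)
    return m.group("name") if m else None


def exec_memfd_mappings(maps_text: str) -> List[str]:
    """Return paths of executable, memfd-backed mappings from /proc/<pid>/maps.

    Each line is: address perms offset dev inode [pathname]; the pathname is
    the sixth field and may contain spaces, so split at most five times.
    """
    hits = []
    for line in maps_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue  # anonymous mapping with no pathname
        perms, path = parts[1], parts[5].strip()
        if "x" in perms and is_memfd_path(path):
            hits.append(path)
    return hits


def assess_process(pid: int, exe_target: str, maps_text: str) -> Optional[Finding]:
    """Combine the exe link and the memory map into one verdict for a process."""
    hits = exec_memfd_mappings(maps_text)
    exe_memfd = is_memfd_path(exe_target)
    if not exe_memfd and not hits:
        return None
    name = memfd_name(exe_target) if exe_memfd else memfd_name(hits[0])
    return Finding(pid, name or "", exe_memfd, len(hits))


def scan_procfs(proc_root: str = "/proc") -> List[Finding]:
    """Walk a live procfs; processes we cannot read (exited, other users) are skipped."""
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            exe_target = os.readlink(f"{proc_root}/{pid}/exe")
            with open(f"{proc_root}/{pid}/maps") as fh:
                maps_text = fh.read()
        except OSError:
            continue
        finding = assess_process(pid, exe_target, maps_text)
        if finding:
            findings.append(finding)
    return findings


# Constructed samples: what procfs would show for an in-memory miner and for a
# normal interpreter started from a file on disk.
MINER_EXE = "/memfd: (deleted)"
MINER_MAPS = """\
55d4c2a00000-55d4c2f00000 r-xp 00000000 00:01 4242                       /memfd: (deleted)
55d4c2f00000-55d4c3100000 r--p 00500000 00:01 4242                       /memfd: (deleted)
7ffd3b800000-7ffd3b821000 rw-p 00000000 00:00 0                          [stack]
"""
BENIGN_EXE = "/usr/bin/python3.11"
BENIGN_MAPS = """\
55a1f0000000-55a1f0001000 r--p 00000000 fd:01 1310                       /usr/bin/python3.11
55a1f0001000-55a1f0003000 r-xp 00001000 fd:01 1310                       /usr/bin/python3.11
7f0c1e000000-7f0c1e021000 rw-p 00000000 00:00 0
"""

if __name__ == "__main__":
    print("sample miner  :", assess_process(4242, MINER_EXE, MINER_MAPS))
    print("sample benign :", assess_process(1310, BENIGN_EXE, BENIGN_MAPS))
    if os.path.isdir("/proc"):
        for f in scan_procfs():
            print("live finding  :", f)
```

Run it as root on a Linux host to cover every process; unprivileged it only sees your own. A hit is not proof of malice on its own (some legitimate runtimes use memfd), but a memfd-backed main executable whose parent is a notebook kernel or interpreter is exactly the shape of the PyLoose chain.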

Wiz.io explaining the PyLoose Attack

Why Fileless Attacks?

Fileless attacks are more evasive than traditional attacks because they never write the payload to disk, so file-based scanners and forensic collection of dropped files have nothing to examine. They are harder to detect and investigate, and still comparatively rare, which makes them an attractive choice for more sophisticated threat actors.

Mitigation Steps

To prevent attacks like PyLoose, Wiz.io recommends not exposing services such as Jupyter Notebook to the internet, protecting them with strong passwords or a centrally managed identity platform with strong authentication, and restricting the execution of system commands from the notebook environment.
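The first two recommendations come down to two settings in the Jupyter config file. The audit below, added for this article and not code from Wiz.io or the Jupyter project, parses a jupyter_server_config.py (or classic jupyter_notebook_config.py) with Python's ast module, extracts the `c.<Section>.<option> = <literal>` assignments, and flags the PyLoose entry point: a server that listens beyond localhost while requiring neither a token nor a password. The two config strings are constructed samples; the option names are the ones Jupyter actually uses.

```python
"""Audit a Jupyter config file for the exposure PyLoose exploited.

Added example for this article, not code from Wiz.io or the Jupyter project.
Jupyter reads its settings from a Python file made of assignments such as
`c.ServerApp.ip = '0.0.0.0'`. load_settings() parses that file with ast and
collects literal assignments to c.<Section>.<option>; audit() reports a
server that both listens beyond localhost and requires no credentials.
The two config strings at the bottom are constructed samples.
"""
import ast
from typing import Dict, List

# Classic Notebook uses NotebookApp.*; Jupyter Server uses ServerApp.* and,
# from version 2, also exposes credentials on the IdentityProvider classes.
TOKEN_KEYS = ("ServerApp.token", "NotebookApp.token", "IdentityProvider.token")
PASSWORD_KEYS = ("ServerApp.password", "NotebookApp.password",
                 "PasswordIdentityProvider.hashed_password")
IP_KEYS = ("ServerApp.ip", "NotebookApp.ip")
REMOTE_KEYS = ("ServerApp.allow_remote_access", "NotebookApp.allow_remote_access")
WILDCARD_IPS = ("", "*", "0.0.0.0", "::")


def load_settings(config_src: str) -> Dict[str, object]:
    """Return {'Section.option': value} for every `c.Section.option = <literal>`."""
    settings: Dict[str, object] = {}
    for node in ast.walk(ast.parse(config_src)):
        if not isinstance(node, ast.Assign) or len(node.targets) != 1:
            continue
        target = node.targets[0]
        # Expect Attribute(Attribute(Name('c'), 'Section'), 'option').
        if not (isinstance(target, ast.Attribute)
                and isinstance(target.value, ast.Attribute)
                and isinstance(target.value.value, ast.Name)
                and target.value.value.id == "c"):
            continue
        try:
            value = ast.literal_eval(node.value)
        except ValueError:
            continue  # computed value such as passwd('...'); not judged statically
        settings[f"{target.value.attr}.{target.attr}"] = value
    return settings


def _first(settings: Dict[str, object], keys, default):
    for key in keys:
        if key in settings:
            return settings[key]
    return default


def audit(settings: Dict[str, object]) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    ip = _first(settings, IP_KEYS, "localhost")  # Jupyter's default bind address
    exposed = ip in WILDCARD_IPS or bool(_first(settings, REMOTE_KEYS, False))
    # An unset token means Jupyter generates a random one; only '' disables it.
    token_disabled = _first(settings, TOKEN_KEYS, "<generated>") == ""
    no_password = _first(settings, PASSWORD_KEYS, "") == ""
    if exposed:
        findings.append(f"server listens on {ip!r}: reachable from outside the host")
    if token_disabled and no_password:
        findings.append("token disabled and no password set: anyone who can connect gets a kernel")
    if exposed and token_disabled and no_password:
        findings.append("CRITICAL: unauthenticated notebook exposed to the network, "
                        "the entry point used by PyLoose")
    return findings


# Constructed sample configs: the exposed setup beside a locked-down one.
WEAK_CONFIG = """
c = get_config()
c.ServerApp.ip = '0.0.0.0'
c.ServerApp.port = 8888
c.ServerApp.open_browser = False
c.ServerApp.token = ''
c.ServerApp.password = ''
"""
HARDENED_CONFIG = """
c = get_config()
c.ServerApp.ip = '127.0.0.1'
c.ServerApp.port = 8888
c.ServerApp.open_browser = False
c.ServerApp.password = 'argon2:<placeholder for the hash written by jupyter server password>'
"""

if __name__ == "__main__":
    for label, src in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(load_settings(src)) or ["no findings"])
```

The hardened sample keeps the server on the loopback address and behind a hashed password; remote users reach it through an SSH tunnel or an authenticating reverse proxy rather than a wildcard bind. The audit deliberately treats a missing token as safe, because Jupyter generates one unless it is explicitly set to an empty string, which is the setting that turns a notebook into an open shell.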


For more details, you can read the full report by Avigayil Mechtinger, Oren Ofer, and Itamar Gilad on Wiz.io.

Reza Rafati https://cyberwarzone.com

Reza Rafati, based in the Netherlands, is the founder of Cyberwarzone.com. An industry professional providing insightful commentary on infosec, cybercrime, cyberwar, and threat intelligence, Reza dedicates his work to bolstering digital defenses and promoting cyber awareness.
