Meet PyLoose – First Python-Based Fileless Attack in the Wild

Researchers from the cloud security firm Wiz.io have documented an innovative fileless cyberattack that targets cloud workloads. This Python-based attack, which the team has named PyLoose, is the first of its kind to be publicly recorded.

Discovered through the Wiz Runtime Sensor, PyLoose utilizes Python code to load an XMRig Miner directly into memory by leveraging memfd, a known Linux fileless technique. Initial findings show the attack has been used for crypto mining in nearly 200 instances. 

The PyLoose moniker stems from the URL that hosted the Python loader: https://paste[.]c-net.org/chattingloosened.

Fileless attacks like these are known for their elusiveness. Rather than relying on writing payloads to disk, they exploit operating system features such as Linux's memfd RAM-based filesystem. This makes them hard to identify with conventional security measures. Prior to PyLoose, the last reported fileless attack on cloud workloads was detected two and a half years ago by AT&T.

Inside the PyLoose Attack

PyLoose is a fairly simple Python script that holds a compressed and encoded precompiled XMRig miner. It was first identified on June 22, 2023, through the Wiz's Runtime Sensor. Interestingly, the script was uploaded to VirusTotal from Norway the same day.

The PyLoose attack unfolded in several stages:

• Initial Access: The attacker gained access through an exposed Jupyter Notebook service that failed to restrict the execution of system commands.
• Python Script Drop: The attacker avoided saving the file to disk by downloading the fileless payload directly into the Python runtime’s memory.
• Python Script Fileless Execution: The script decoded and decompressed the XMRig miner and then loaded it into memory via memfd.
• In-Memory XMRig Execution: The file in memory, identified as an XMRig, connected to a remote IPv4 address associated with the MoneroOcean mining pool.

Why Go Fileless?

Fileless attacks have gained popularity among threat actors for a few reasons. They are challenging to detect as they necessitate advanced security solutions equipped with runtime behavior-based analysis and memory monitoring techniques. They are also difficult to investigate due to the temporary nature of the payload "living" in memory.

Moreover, these types of attacks are still relatively rare, potentially leading security teams to prioritize other threats.

The Role of Memfd in Fileless Attacks

Memfd, a Linux feature, is often exploited in fileless attacks. It creates anonymous memory-backed file objects that can be used for different purposes. Attackers abuse this feature to execute payloads without writing them to disk, thereby sidestepping traditional security tools that rely on basic binary scans.

No Clear Attribution

Despite the clear sophistication behind the PyLoose attack, researchers have not been able to attribute it to any specific threat actor. The attackers used several evasion techniques, including using an open data-sharing service to host the Python payload, adapting the fileless execution technique to Python, and compiling an XMRig miner with embedded config to avoid touching the disk or using revealing command lines.

Protection Against PyLoose and Similar Threats

Security professionals can take several steps to mitigate threats like PyLoose:

• Avoid public exposure to services like Jupyter Notebook.
• Implement robust password or security token protocols.
• Limit the execution of system commands and other unrestricted execution vectors.

This case study underlines the crucial importance of adopting sophisticated and proactive cybersecurity measures that go beyond traditional solutions, especially in a cloud environment. As cyber threat actors continue to innovate and refine their tactics, so too must the defenses against them.