PyLoose is a newly discovered Python-based fileless malware targeting cloud workloads. Get a breakdown of how the attack unfolds and the steps to mitigate it.
Analysis Summary
# Tool/Technique: PyLoose (Fileless Cryptomining Attack)
## Overview
PyLoose is a newly documented fileless cryptomining attack that targets cloud workloads running on Linux. It uses a Python script to load a precompiled XMRig cryptominer directly into memory, avoiding disk writes in order to evade traditional file-based security defenses. The attack was observed against publicly exposed Jupyter Notebook services that do not restrict system command execution.
## Technical Details
- Type: Malware/Attack Chain (Technique Abuse)
- Platform: Linux (Targeting cloud workloads)
- Capabilities: Fileless execution, in-memory loading of cryptominer, leveraging OS features (`memfd`) for execution.
- First Seen: June 22nd, 2023 (First detection by Wiz Runtime Sensor).
## MITRE ATT&CK Mapping
- [T1071 - Application Layer Protocol]
- [T1105 - Ingress Tool Transfer] (Implied by the initial download)
- [T1102 - Web Service] (Using HTTPS GET request to download payload from paste sites)
- [T1027 - Defense Evasion]
- [T1140 - Deobfuscate/Decode Files or Information] (Base64 decoding)
- [T1027.002 - Software Packing] (Decompression of payload using `zlib`)
- [T1218 - Signed Binary Proxy Execution]
- [T1620 - Reflective Code Loading] (Loading ELF binary into memory via `memfd` and executing)
- [T1486 - Data Encrypted for Impact]
- [T1496 - Resource Hijacking] (Cryptomining via XMRig)
## Functionality
### Core Capabilities
- Exploits leaky Jupyter Notebook services that fail to restrict system command execution via Python modules (`os`, `subprocess`).
- Downloads a compressed and base64-encoded XMRig miner from a Pastebin-equivalent site (`paste.c-net.org`).
- Decodes and decompresses the XMRig payload in memory.
- Leverages the Linux `memfd_create` syscall (syscall number 319) to create a file descriptor in RAM and writes the payload there.
- Executes the miner directly from the memory file descriptor (`memfd`) without touching the disk.
### Advanced Features
- The attack chain was generated using the open-source tool `fileless-elf-exec`.
- Utilizes a recent version of XMRig (v6.19.3).
- Aims for cryptomining, specifically connecting to the MoneroOcean mining pool.
## Indicators of Compromise
- File Hashes:
- PyLoose loader (SHA-256): `25232290fa9fa5529240a4e893ce206dfdcfc28d0b3a1b89389f7270f1046822`
- XMRig payload (SHA-256): `935ee206846223e6d2db3f62d05101c0bea741e7b43e1b73c1eb008f947d5ff1`
- File Names: N/A (Fileless execution, but initial command attempt used `wget -O-`)
- Registry Keys: N/A
- Network Indicators:
- Cryptomining C2/Pool 1: `51[.]75[.]64[.]249:20128`
- Cryptomining Pool FQDN 1: `gulf.moneroocean.stream`
- Cryptomining Pool FQDN 2: `pool.sabu-sabu.ml`
- Cryptomining Pool FQDN 3: `pool.xiao.my.id`
- Behavioral Indicators: Invocation of `memfd_create` syscall (319) followed by writing executable content and launching a process from a `memfd` path.
## Associated Threat Actors
- Not explicitly attributed to a known major threat actor, but the technique echoes previous fileless activity seen from groups like TeamTNT (using Ezuri).
## Detection Methods
- Signature-based detection: Signatures exist for the known file hashes (loader and payload).
- Behavioral detection: Monitoring for the use of the `memfd_create` syscall to load and execute arbitrary code, especially when preceded by decoding/decompression activities. Monitoring for XMRig processes.
- YARA rules: Not specified in the article.
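A defender-side check for the behavioral indicator above (a process whose executable image lives at a `/memfd:` path rather than on disk), as an added example that is not part of the original report. It reads `/proc/<pid>/exe` and `/proc/<pid>/maps`; the sample maps content and the `xmrig` memfd name are constructed for illustration.

```python
import os

# Constructed sample of /proc/<pid>/maps for a process whose ELF image was
# loaded from a memfd (columns: addr perms offset dev inode pathname).
SAMPLE_MAPS_MEMFD = (
    "55d0c0400000-55d0c0a00000 r-xp 00000000 00:01 1234  /memfd:xmrig (deleted)\n"
    "7f1a00000000-7f1a00021000 rw-p 00000000 00:00 0\n"
    "7f1a00021000-7f1a00200000 r-xp 00000000 08:01 5678  /usr/lib/libc.so.6\n"
)

def classify_process(pid, exe_target, maps_text):
    """Return a finding dict if the process shows memfd execution, else None.

    Strong signal: /proc/<pid>/exe points at /memfd:... .  Weaker signal: an
    executable mapping backed by a memfd (browsers and compositors use memfd
    for shared memory, but those mappings lack the x bit, so are ignored).
    """
    reasons = []
    if exe_target and exe_target.startswith("/memfd:"):
        reasons.append("exe -> " + exe_target)
    for line in maps_text.splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) < 6:
            continue  # anonymous mapping without a pathname
        perms, path = parts[1], parts[5]
        if "x" in perms and path.startswith("/memfd:"):
            reasons.append("executable mapping " + path)
    if not reasons:
        return None
    severity = "high" if reasons[0].startswith("exe ->") else "medium"
    return {"pid": pid, "severity": severity, "reasons": reasons}

def scan_proc(proc_root="/proc"):
    """Classify every numeric pid directory under proc_root (run as root to see all)."""
    findings = []
    for entry in filter(str.isdigit, os.listdir(proc_root)):
        base = os.path.join(proc_root, entry)
        try:
            exe = os.readlink(base + "/exe")
            with open(base + "/maps") as fh:
                maps = fh.read()
        except OSError:
            continue  # kernel thread, process exited, or insufficient privilege
        finding = classify_process(int(entry), exe, maps)
        if finding:
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in scan_proc():
        print(f["severity"], f["pid"], "; ".join(f["reasons"]))
```

Pair this with syscall-level monitoring of `memfd_create` for coverage of short-lived processes that a periodic /proc scan would miss.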
## Mitigation Strategies
- Restrict command execution within sandboxed or restricted environments like Jupyter Notebooks to prevent the use of system modules (`os`, `subprocess`).
- Implement runtime protection solutions capable of monitoring low-level syscalls (like `memfd_create`) and memory artifacts.
- Scan for and remove known cryptomining payloads (e.g., XMRig).
- Secure internet-facing services (like Jupyter Notebooks) to prevent initial access via command injection.
## Related Tools/Techniques
- **Ezuri:** An open-source tool written in Go used previously by TeamTNT to load fileless payloads via memory loading techniques.
- **XMRig:** The specific cryptomining software deployed.
- **memfd/memfd_create:** The underlying Linux fileless technique abused.