
New PyLoose Linux malware mines crypto directly from memory
2023-07-12 21:50

A new fileless malware named PyLoose has been targeting cloud workloads to hijack their computational resources for Monero cryptocurrency mining.

Wiz's security researchers first detected PyLoose attacks in the wild on June 22nd, 2023, and have since confirmed at least 200 cases of compromise by the novel malware.

The PyLoose script is decoded and decompressed, loading a precompiled XMRig miner directly into the instance's memory using the Linux memfd facility, a known fileless-execution technique on Linux.

"The memory file descriptor, memfd, is a Linux feature that allows the creation of anonymous memory-backed file objects that can be used for various purposes, such as inter-process communication or temporary storage," explains Wiz in the report.

"Once the payload is placed within a memory section created via memfd, attackers can invoke one of the exec syscalls on that memory content, treating it as if it were a regular file on disk, and thereby launch a new process."
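The quoted passage describes the trace this technique leaves: the running process's executable, or one of its executable mappings, points at an anonymous "/memfd:" object rather than a file on disk. The following detection script is an added example written for this page, not code from Wiz's report or from the malware; it assumes a standard Linux procfs layout (`/proc/<pid>/exe` and `/proc/<pid>/maps`), and the sample maps text embedded in it is constructed rather than captured from a real host.

```python
"""Added detection example: spot processes executing from an anonymous memfd.

Assumption: Linux procfs layout (/proc/<pid>/exe symlink, /proc/<pid>/maps);
the SAMPLE_MAPS text below is constructed, not captured from a real host.
"""
import os
import re
from typing import Optional

# The kernel names memfd-backed files "/memfd:<name>"; once the creating
# process closes the descriptor the link target also carries " (deleted)".
MEMFD_EXE_RE = re.compile(r"^/memfd:(?P<name>.*?)(?: \(deleted\))?$")


def classify_exe_target(target: str) -> Optional[str]:
    """Return the memfd name if an exe symlink target points into a memfd, else None."""
    m = MEMFD_EXE_RE.match(target)
    return m.group("name") if m else None


def parse_maps(maps_text: str) -> list:
    """Parse /proc/<pid>/maps text into dicts; the pathname column may be absent
    or contain spaces (e.g. the trailing "(deleted)" marker), so split at most 5 times."""
    regions = []
    for line in maps_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue
        regions.append({
            "range": parts[0],
            "perms": parts[1],
            "path": parts[5] if len(parts) == 6 else "",
        })
    return regions


def memfd_regions(maps_text: str, executable_only: bool = False) -> list:
    """Regions backed by a memfd. executable_only keeps just mappings with the x bit set,
    which is what separates a memfd used for code from legitimate shared-memory use."""
    out = []
    for r in parse_maps(maps_text):
        if not r["path"].startswith("/memfd:"):
            continue
        if executable_only and "x" not in r["perms"]:
            continue
        out.append(r)
    return out


def scan_proc(proc_root: str = "/proc") -> list:
    """Walk procfs and report pids whose main executable is a memfd (needs a Linux host;
    processes we lack permission to inspect are skipped)."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue
        name = classify_exe_target(target)
        if name is not None:
            hits.append({"pid": int(entry), "memfd_name": name})
    return hits


# Constructed sample of a /proc/<pid>/maps file: a normal interpreter, a benign
# shared-memory memfd, and an executable memfd mapping (the pattern PyLoose relies on).
SAMPLE_MAPS = """\
55d4e7c00000-55d4e7c21000 r--p 00000000 08:01 1048578 /usr/bin/python3.11
55d4e7c21000-55d4e7d0a000 r-xp 00021000 08:01 1048578 /usr/bin/python3.11
7f3a4c000000-7f3a4c010000 rw-s 00000000 00:01 4521 /memfd:shm-buffer (deleted)
7f3a4c100000-7f3a4c400000 r-xp 00000000 00:01 4622 /memfd:miner (deleted)
7ffd2a1e0000-7ffd2a201000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    for r in memfd_regions(SAMPLE_MAPS, executable_only=True):
        print("executable memfd mapping:", r["range"], r["perms"], r["path"])
    for h in scan_proc():
        print("process running from memfd:", h)
```

Alerting on every memfd would be noisy, since audio servers, browsers and some runtimes use memfd for ordinary shared memory; the `executable_only` filter and the `/proc/<pid>/exe` check narrow the signal to memfd objects that are actually being executed, which is the condition the report describes.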

Wiz could not attribute the PyLoose attacks to any particular threat actor, as the attacker left no useful evidence behind.


News URL

https://www.bleepingcomputer.com/news/security/new-pyloose-linux-malware-mines-crypto-directly-from-memory/

Related vendor

Vendor   Products (last 12m)   Low   Medium   High   Critical   Total vulns
Linux    11                    64    2532     1569   67         4232