Security News > 2023 > July > New PyLoose Linux malware mines crypto directly from memory
A new fileless malware named PyLoose has been targeting cloud workloads to hijack their computational resources for Monero cryptocurrency mining.
Wiz's security researchers first detected PyLoose attacks in the wild on June 22nd, 2023, and have since confirmed at least 200 cases of compromise by the novel malware.
The PyLoose script is decoded and decompressed, loading a precompiled XMRig miner directly into the instance's memory using the "Memfd" Linux utility, a known fileless malware technique in Linux.
"The memory file descriptor, memfd, is a Linux feature that allows the creation of anonymous memory-backed file objects that can be used for various purposes, such as inter-process communication or temporary storage," explains Wiz in the report.
"Once the payload is placed within a memory section created via memfd, attackers can invoke one of the exec syscalls on that memory content, treating it as if it were a regular file on disk, and thereby launch a new process."
Wiz could not attribute the PyLoose attacks to any particular threat actor, as the attacker left no useful evidence behind.
News URL
Related news
- North Korean Hackers Target Crypto Firms with Hidden Risk Malware on macOS (source)
- North Korean hackers use new macOS malware against crypto firms (source)
- New CRON#TRAP Malware Infects Windows by Hiding in Linux VM to Evade Antivirus (source)
- Chinese hackers target Linux with new WolfsBane malware (source)
- Researchers discover first UEFI bootkit malware for Linux (source)
- BootKitty UEFI malware exploits LogoFAIL to infect Linux systems (source)
- New DroidBot Android malware targets 77 banking, crypto apps (source)
- Crypto-stealing malware posing as a meeting app targets Web3 pros (source)
- Windows, macOS users targeted with crypto-and-info-stealing malware (source)
- New stealthy Pumakit Linux rootkit malware spotted in the wild (source)