New PyLoose Linux malware mines crypto directly from memory
Security News, July 2023

A new fileless malware named PyLoose has been targeting cloud workloads to hijack their computational resources for Monero cryptocurrency mining.
Wiz's security researchers first detected PyLoose attacks in the wild on June 22nd, 2023, and have since confirmed at least 200 cases of compromise by the novel malware.
The PyLoose script decodes and decompresses an embedded, precompiled XMRig miner and loads it straight into the instance's memory through memfd (the memfd_create system call, not a command-line utility), a known fileless execution technique on Linux: the miner binary is never written to disk.
"The memory file descriptor, memfd, is a Linux feature that allows the creation of anonymous memory-backed file objects that can be used for various purposes, such as inter-process communication or temporary storage," explains Wiz in the report.
"Once the payload is placed within a memory section created via memfd, attackers can invoke one of the exec syscalls on that memory content, treating it as if it were a regular file on disk, and thereby launch a new process."
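The sequence Wiz describes, memfd_create followed by an exec syscall on the descriptor, together with the artifact it leaves in /proc, as an added example that is neither Wiz's nor PyLoose's code. It assumes Linux with a /proc filesystem and Python 3.8+, the memfd name "kworker" is a hypothetical attacker choice, and the detection check is also run against a constructed stand-in for /proc so it works offline.

```python
"""Fileless execution via memfd_create, and the /proc artifact it leaves behind.

Added example, not code from Wiz or from PyLoose. Assumes Linux (/proc present,
Python 3.8+). The memfd name "kworker" is a hypothetical attacker choice.
"""
import os
import tempfile

MEMFD_PREFIX = "/memfd:"  # how the kernel names memfd-backed executables in /proc


def exec_from_memory(elf_bytes: bytes, argv: list) -> int:
    """Place an ELF image in an anonymous memory-backed file and execute it
    from there with fexecve, so nothing is written to disk.
    Returns the child's exit code (127 if the exec itself failed)."""
    # MFD_CLOEXEC keeps the descriptor from leaking into the new process image;
    # fexecve still works because the fd is open at the moment of the syscall.
    fd = os.memfd_create("kworker", os.MFD_CLOEXEC)
    view = memoryview(elf_bytes)
    while view:                      # write may be partial; loop until done
        view = view[os.write(fd, view):]
    pid = os.fork()
    if pid == 0:                     # child: exec the fd as if it were a file
        try:
            os.fexecve(fd, argv, os.environ.copy())
        except OSError:
            pass
        os._exit(127)                # only reached if exec failed
    os.close(fd)
    _, status = os.waitpid(pid, 0)
    return os.WEXITSTATUS(status) if os.WIFEXITED(status) else -1


def find_memfd_processes(proc_root: str = "/proc") -> list:
    """Flag processes whose executable lives in a memfd rather than on disk.
    /proc/PID/exe for such a process reads "/memfd:NAME (deleted)". A binary
    deleted from disk while running shows as "/usr/bin/foo (deleted)" instead
    and is deliberately not matched (the usual package-upgrade case)."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue                 # "self", "sys", "net", ... are not PIDs
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue                 # kernel thread, exited, or not our process
        if target.startswith(MEMFD_PREFIX):
            hits.append((int(entry), target))
    return sorted(hits)


def build_sample_proc(root: str) -> None:
    """Constructed stand-in for /proc so the check can be exercised offline."""
    os.makedirs(os.path.join(root, "1234"))
    os.symlink("/memfd:kworker (deleted)", os.path.join(root, "1234", "exe"))
    os.makedirs(os.path.join(root, "42"))
    os.symlink("/usr/bin/python3", os.path.join(root, "42", "exe"))
    os.makedirs(os.path.join(root, "7"))       # no exe link, like a kernel thread
    os.makedirs(os.path.join(root, "self"))    # non-numeric entry, skipped


def demo_detection() -> list:
    """Run the /proc check over the constructed sample tree."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_proc(root)
        return find_memfd_processes(root)


def demo_execution():
    """Exec /bin/sh from a memfd and have it inspect its own /proc/$$/maps:
    exit 42 if its mappings are memfd-backed, 1 otherwise. Returns None when
    the technique cannot be exercised on this host (no memfd_create or no sh)."""
    if not hasattr(os, "memfd_create") or not os.path.exists("/bin/sh"):
        return None
    with open("/bin/sh", "rb") as f:
        image = f.read()             # read once; the file is not exec'd from disk
    script = ('while read -r m; do case "$m" in *"/memfd:"*) exit 42;; esac; '
              'done < /proc/$$/maps; exit 1')
    return exec_from_memory(image, ["sh", "-c", script])


if __name__ == "__main__":
    print("sample /proc hits:", demo_detection())
    print("memfd exec result:", demo_execution())
    print("live memfd-backed processes:", find_memfd_processes())
```

On a live host, `ls -l /proc/<pid>/exe` for a process started this way reads `/memfd:kworker (deleted)`, and the same path appears in `/proc/<pid>/maps`; the exe-link scan above is the cheap triage. The descriptor keeps the memory file pinned while the process is alive, so `cp /proc/<pid>/exe /tmp/recovered` still recovers the full ELF for analysis even though it never existed on disk.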
Wiz could not attribute the PyLoose attacks to any particular threat actor, as the attacker left no useful evidence behind.