Security News > 2023 > July > New PyLoose Linux malware mines crypto directly from memory
A new fileless malware named PyLoose has been targeting cloud workloads to hijack their computational resources for Monero cryptocurrency mining.
Wiz's security researchers first detected PyLoose attacks in the wild on June 22nd, 2023, and have since confirmed at least 200 cases of compromise by the novel malware.
The PyLoose script is decoded and decompressed, loading a precompiled XMRig miner directly into the instance's memory using the "Memfd" Linux utility, a known fileless malware technique in Linux.
"The memory file descriptor, memfd, is a Linux feature that allows the creation of anonymous memory-backed file objects that can be used for various purposes, such as inter-process communication or temporary storage," explains Wiz in the report.
"Once the payload is placed within a memory section created via memfd, attackers can invoke one of the exec syscalls on that memory content, treating it as if it were a regular file on disk, and thereby launch a new process."
Wiz could not attribute the PyLoose attacks to any particular threat actor, as the attacker left no useful evidence behind.
News URL
Related news
- New Perfctl Malware Targets Linux Servers for Cryptocurrency Mining and Proxyjacking (source)
- Linux malware “perfctl” behind years-long cryptomining campaign (source)
- Linux systems targeted with stealthy “Perfctl” cryptomining malware (source)
- Crypto-stealing malware campaign infects 28,000 people (source)
- New FASTCash malware Linux variant helps steal money from ATMs (source)
- New Linux Variant of FASTCash Malware Targets Payment Switches in ATM Heists (source)
- Perfctl malware strikes again as crypto-crooks target Docker Remote API servers (source)
- North Korean Hackers Target Crypto Firms with Hidden Risk Malware on macOS (source)
- North Korean hackers use new macOS malware against crypto firms (source)
- New CRON#TRAP Malware Infects Windows by Hiding in Linux VM to Evade Antivirus (source)