Pyloose

In July, Wiz researchers issued a warning about PyLoose, a malicious software (malware) composed of Python code. This malware is designed to covertly load an XMRig miner—a program used for cryptocurrency mining—into a computer's memory using the memfd Linux fileless process. This technique allows the malware to operate without leaving traces on the hard drive, making it particularly challenging to detect and remove. The name "PyLoose" originates from the URL that hosted the Python loader: https://paste[.]c-net.org/chattingloosened. The PyLoose attack was discovered through the Wiz Runtime Sensor and unfolded in several stages, with initial access gained through an exposed Jupyter Notebook service that failed to restrict the execution of system commands. Once inside the system, the fairly simple Python script holds a compressed and encoded precompiled XMRig miner. This marked the first reported fileless attack on cloud workloads since one detected by AT&T two and a half years prior. To mitigate threats like PyLoose, security professionals are advised to take several precautionary measures. One such measure is to avoid public exposure to services like Jupyter Notebook, which was exploited in this attack. By limiting access and restricting the execution of system commands, potential entry points for similar attacks can be significantly reduced.