PyLoose: The First Python-Based Fileless Attack to Target Cloud-Based Workloads
Security researchers at Wiz recently documented PyLoose, which they describe as the first publicly known Python-based fileless attack targeting cloud workloads. In a fileless attack the malicious payload is never written to the victim's disk: it is fetched, decoded and executed entirely in memory, using legitimate tools and operating-system features already present on the host. Because most endpoint controls key on files written to disk, this leaves little for file-based scanning and signature matching to find.
How PyLoose Works
PyLoose uses memfd_create, a Linux kernel feature that creates an anonymous file backed only by RAM, to load the XMRig cryptocurrency miner directly into memory. The miner is written into that in-memory file and executed from it, so the attacker never has to place an executable on the victim's disk. memfd_create is not a vulnerability: it is a legitimate system call, and the technique works by abusing a feature the OS provides rather than by exploiting a bug in it.
The infection chain begins with a publicly exposed Jupyter Notebook service that allowed the execution of system commands. From there the attacker fetches the payload over HTTPS from a Pastebin-like site straight into the Python runtime's memory, decodes it there, and hands the resulting bytes to a memfd for execution. Because the payload never touches disk, the chain is short: one Python snippet performs the download, the decode and the launch.
The sophistication of the attack suggests a capable, well-resourced attacker; however, it has not been attributed to a known group.
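The chain described above, reconstructed as a harmless lab example. This is added code, not the attacker's script and not Wiz's: the "downloaded" blob is constructed inside the script and is a tiny Python program that reports where it runs from, not a miner; the zlib-plus-base64 encoding is an assumption chosen to mirror a loader that decodes its payload in memory; the memfd name pyloose-lab is a placeholder. It needs Linux (memfd_create and a mounted /proc).

```python
"""Lab reconstruction of a memfd-based fileless loader (added example).

Download (simulated) -> decode in the Python runtime -> write the bytes into
a RAM-backed anonymous file -> execute through /proc/self/fd/<fd>.
No file is created on disk at any step. Linux only.
"""
import base64
import os
import subprocess
import sys
import zlib

# Constructed stand-in for the paste-site payload. It prints the kernel's
# name for the object it was launched from, so the mechanism is observable.
PAYLOAD_SOURCE = b"""\
import os, sys
print(os.readlink('/proc/self/fd/' + sys.argv[1]))
"""


def memfd_supported():
    """True on a Linux host with memfd_create and procfs available."""
    return hasattr(os, "memfd_create") and os.path.isdir("/proc/self/fd")


def fetch_payload():
    """Stands in for the HTTPS GET to the paste site; returns the encoded blob.
    (Encoding is an assumption: zlib-compressed, then base64.)"""
    return base64.b64encode(zlib.compress(PAYLOAD_SOURCE))


def decode_payload(blob):
    """The in-memory decode step: the plaintext never exists as a file."""
    return zlib.decompress(base64.b64decode(blob))


def run_from_memfd(payload, memfd_name="pyloose-lab"):
    """Write payload into an anonymous in-memory file and run it via
    /proc/self/fd/<fd>. Returns the child's stdout, stripped."""
    fd = os.memfd_create(memfd_name)  # close-on-exec by default
    try:
        view = memoryview(payload)
        while view:  # os.write may be partial; loop until all bytes are in
            written = os.write(fd, view)
            view = view[written:]
        # The child interpreter opens /proc/self/fd/<fd> itself, so the
        # descriptor must survive exec: pass_fds clears close-on-exec on it.
        # A native payload (an ELF such as a miner) would be exec'd directly
        # from that same path instead of being handed to an interpreter.
        proc = subprocess.run(
            [sys.executable, f"/proc/self/fd/{fd}", str(fd)],
            pass_fds=[fd], capture_output=True, text=True, check=True,
        )
    finally:
        os.close(fd)
    return proc.stdout.strip()


def run_lab_chain():
    """Full chain: fetch -> decode -> execute from memory."""
    return run_from_memfd(decode_payload(fetch_payload()))


if __name__ == "__main__":
    if not memfd_supported():
        sys.exit("needs Linux with memfd_create and /proc")
    print("payload ran from:", run_lab_chain())
```

The value the payload prints, of the form `/memfd:pyloose-lab (deleted)`, is exactly the artifact a defender can look for: the kernel names memfd objects with a `/memfd:` prefix and marks them `(deleted)` because they have no path on any filesystem.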
Solutions to Counter PyLoose
Wiz indicates that the attack can be countered. They recommend avoiding public exposure of services such as Jupyter Notebook, which allow code execution by design; where such a service must be reachable, it should sit behind robust authentication such as MFA and a centrally managed identity platform, and the system commands it can run should be restricted. Separately, Microsoft has also taken steps to prevent attackers from tampering with its Sysmon detection tool.
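Alongside those hardening steps, a defender wants a way to spot this technique on a host that was already exposed. The scanner below is an added example, not part of Wiz's recommendations or code: it walks a procfs tree and flags processes whose executable image, or any open descriptor, points at a memfd object (the `/memfd:<name> (deleted)` link targets the kernel produces). The proc root is a parameter so the logic runs offline against a constructed tree; the pids, names and link targets in that tree are made up for the example.

```python
"""Hunt for memfd-backed execution in procfs (added example).

On a live host call scan_proc("/proc") as root; unprivileged scans can only
read links for the caller's own processes and silently skip the rest.
"""
import os
import tempfile


def is_memfd_target(target):
    """Kernel naming for memfd objects: "/memfd:<name> (deleted)"."""
    return target is not None and target.startswith("/memfd:")


def _readlink(path):
    try:
        return os.readlink(path)
    except OSError:  # process exited, kernel thread, or no permission
        return None


def scan_proc(proc_root="/proc"):
    """Return {pid: {"exe": target, "memfd_fds": [targets]}} for every
    process whose exe link or any open fd is backed by a memfd."""
    hits = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue  # skip /proc/self, /proc/sys and other non-pid entries
        pid_dir = os.path.join(proc_root, name)
        exe = _readlink(os.path.join(pid_dir, "exe"))
        fd_dir = os.path.join(pid_dir, "fd")
        try:
            fd_names = os.listdir(fd_dir)
        except OSError:
            fd_names = []
        memfd_fds = sorted(
            t for t in (_readlink(os.path.join(fd_dir, n)) for n in fd_names)
            if is_memfd_target(t)
        )
        if is_memfd_target(exe) or memfd_fds:
            hits[int(name)] = {"exe": exe, "memfd_fds": memfd_fds}
    return hits


def classify(hit):
    """Executing *from* a memfd is the PyLoose pattern; merely holding one
    open is common in legitimate software and calls for triage, not a verdict."""
    return "exec-from-memfd" if is_memfd_target(hit["exe"]) else "memfd-open"


def build_sample_proc(root):
    """Constructed procfs tree: pid 4242 runs straight from a memfd, pid 4243
    only holds a memfd open, pid 1 is an ordinary process."""
    def add(pid, exe, fd_targets):
        d = os.path.join(root, str(pid))
        os.makedirs(os.path.join(d, "fd"))
        os.symlink(exe, os.path.join(d, "exe"))  # dangling targets are fine
        for n, target in enumerate(fd_targets):
            os.symlink(target, os.path.join(d, "fd", str(n)))
    add(4242, "/memfd:loader (deleted)", ["/dev/null", "socket:[31337]"])
    add(4243, "/usr/bin/python3", ["/dev/pts/0", "/memfd:pulseaudio (deleted)"])
    add(1, "/sbin/init", ["/dev/null"])
    os.makedirs(os.path.join(root, "sys"))  # non-pid entry, must be ignored


def demo():
    """Scan the constructed tree; returns (hits, {pid: verdict})."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_proc(root)
        hits = scan_proc(root)
        return hits, {pid: classify(h) for pid, h in hits.items()}


if __name__ == "__main__":
    hits, verdicts = demo()
    for pid in sorted(hits):
        print(pid, verdicts[pid], hits[pid])
```

Two caveats for real use. The scan is point-in-time: a miner that is already running will be caught, but a short-lived loader may not, so pair it with a continuous signal such as auditd or eBPF tracing of the memfd_create syscall followed by an execve of a `/proc/*/fd/*` path. And `exec-from-memfd` is not automatically malicious: container runtimes such as runc re-execute themselves from a memfd as a hardening measure, so the hit list is a triage queue to be checked against the process tree, parent command line and network connections, not an alert by itself.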