The malware loads an XMRig miner into memory using a known Linux fileless technique.

As security tooling is deployed more widely on cloud infrastructure, attackers have started bringing detection evasion tactics from Windows desktops to cloud environments. One such tactic is the use of fileless payloads that never create a file on disk and are instead loaded directly into memory, where some monitoring solutions do not look.

“We have recently detected a new fileless attack targeting cloud workloads,” researchers from cloud security company Wiz said in a new report. “The attack consists of Python code that loads an XMRig Miner directly into memory using memfd, a known Linux fileless technique. As far as we know, this is the first publicly documented Python-based fileless attack targeting cloud workloads in the wild, and our evidence shows close to 200 instances where this attack was used for cryptomining.”

The PyLoose malware

The Wiz researchers dubbed the new payload PyLoose, based on strings in the URL the attackers deployed it from. The payload was found on unprotected instances of Jupyter Notebook, an open-source, web-based interactive computing platform that can be deployed on cloud servers and supports over 40 programming languages, including Python. In addition to being publicly accessible, these instances did not restrict access to Python modules such as os and subprocess, which allow a notebook to execute arbitrary system commands.

The attackers first used Python code to download and execute a script generated with an open-source tool called fileless-elf-exec. The script imported libraries for direct syscall invocation, OS command execution, base64 decoding and zlib decompression. It then decoded and decompressed the embedded payload, used memfd to create an anonymous in-memory file, wrote the payload into it, and executed it directly from memory.
Memfd stands for “memory file descriptor” and refers to a Linux feature (the memfd_create system call) that creates an anonymous file backed by RAM rather than by a filesystem, for use in inter-process communication or as temporary storage. “Threat actors sometimes abuse this Linux feature to execute payloads without writing them to disk, and thus avoid traditional security tools that rely on basic binary scans,” the Wiz researchers said. “Once the payload is placed within a memory section created via memfd, attackers can invoke one of the exec syscalls on that memory content, treating it as if it were a regular file on disk, and thereby launch a new process.”

Processes spawned from memfd contents can be fairly easily identified, if they are looked for: the /proc/<pid>/exe symbolic link of such a process does not resolve to a path on disk but to an entry of the form /memfd:<name> (deleted). In this case, the payload executed from memory was a pre-compiled version of XMRig, an open-source program for mining cryptocurrency that is commonly used in cryptojacking attacks, in which computing resources are hijacked to mine cryptocurrency without the owner’s approval.

Fileless attacks on Linux are rare

Fileless attacks on Linux servers are not new, but they are relatively rare against cloud workloads. The benefits to attackers are that such attacks are harder to detect without behavior-based and memory-monitoring security tooling, that they complicate post-compromise forensic investigation because the payload disappears from memory when the workload stops, and that security teams are not yet familiar with the techniques. One of the few other documented fileless attacks against Linux servers occurred in 2021, when the hacker group TeamTNT deployed a payload written in Go using a memory loader tool called Ezuri.
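The following program is an added example written for this page; it is not Wiz’s sample, the fileless-elf-exec tool or PyLoose’s code. It demonstrates, on any Linux host, both the loading step described above (copying an ELF into an anonymous memfd and executing it from memory with fexecve, here using the benign system sleep binary rather than a miner) and the defender’s check (resolving /proc/<pid>/exe and flagging targets that begin with /memfd:). The memfd name "pyloose-demo" and the helper function names are arbitrary choices of this example.

```python
"""memfd in-memory execution and the /proc footprint it leaves (Linux only).

Added example for this page: not Wiz's sample, not fileless-elf-exec, not
PyLoose. It copies a benign system binary (sleep) into an anonymous memfd,
executes it from memory in a child process, and shows how /proc/<pid>/exe
betrays the child. Names such as "pyloose-demo" are arbitrary.
"""
from __future__ import annotations

import os
import shutil
import signal
import time


def classify_exe_link(target: str) -> str:
    """Classify the resolved target of a /proc/<pid>/exe symlink.

    "memfd"   -> anonymous in-memory file, e.g. "/memfd:xmrig (deleted)"
    "deleted" -> on-disk binary unlinked after start (another cleanup trick)
    "disk"    -> ordinary executable path
    """
    if target.startswith("/memfd:"):
        return "memfd"
    if target.endswith(" (deleted)"):
        return "deleted"
    return "disk"


def load_into_memfd(path: str, name: str) -> int:
    """The loading step the article describes: create an anonymous RAM-backed
    file with memfd_create(2) and write an ELF image into it. The name is
    arbitrary and is what later shows up in the /memfd:<name> link."""
    fd = os.memfd_create(name)  # MFD_CLOEXEC is the default flag
    with open(path, "rb") as src:
        os.write(fd, src.read())
    return fd


def exec_from_memory(fd: int, argv: list[str]) -> int:
    """Fork, then replace the child's image with the memfd contents.
    fexecve() never needs a path on disk. Returns the child's pid."""
    pid = os.fork()
    if pid == 0:
        try:
            os.fexecve(fd, argv, dict(os.environ))
        finally:
            os._exit(127)  # only reached if the exec failed
    return pid


def exe_target(pid: int) -> str:
    """Resolve /proc/<pid>/exe; empty string if the process is gone or
    belongs to another user and we lack ptrace permission."""
    try:
        return os.readlink(f"/proc/{pid}/exe")
    except OSError:
        return ""


def find_memfd_processes() -> dict[int, str]:
    """Defender's check: every live pid whose executable is a memfd.
    Run as root to see other users' processes."""
    hits: dict[int, str] = {}
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            target = exe_target(int(entry))
            if target and classify_exe_link(target) == "memfd":
                hits[int(entry)] = target
    return hits


def demo() -> str:
    """Run sleep from memory, capture what /proc reports for it, clean up.
    Returns the exe link target, or "unsupported" where memfd/fork are
    unavailable (non-Linux, or a sandbox that blocks them)."""
    sleep_bin = shutil.which("sleep")
    if sleep_bin is None or not hasattr(os, "memfd_create"):
        return "unsupported"
    try:
        fd = load_into_memfd(sleep_bin, "pyloose-demo")
        pid = exec_from_memory(fd, ["sleep", "30"])
    except OSError:
        return "unsupported"
    target = ""
    # The parent may look before the child has finished exec(); poll briefly.
    for _ in range(100):
        target = exe_target(pid)
        if classify_exe_link(target) == "memfd":
            break
        time.sleep(0.01)
    os.kill(pid, signal.SIGKILL)
    os.waitpid(pid, 0)
    os.close(fd)
    return target


if __name__ == "__main__":
    print("child exe link:", demo())
    print("memfd-backed processes now:", find_memfd_processes())
```

Two caveats worth keeping in mind when turning this into a detection. Reading /proc/<pid>/exe for another user’s process needs root or ptrace permission, so the scan has to run privileged to be useful. And the scan is point-in-time: as the article notes, the payload is gone once the workload stops, so the check belongs in a periodic job or an agent that hooks exec events, not in an after-the-fact forensic pass. The classifier also separates the memfd case from an on-disk binary that was unlinked after starting (which shows the same “(deleted)” suffix but a real path), since the two call for different follow-up.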
With PyLoose, “the attacker went to great lengths to be untraceable by using an open data-sharing service to host the Python payload, adapting the fileless execution technique to Python, and compiling an XMRig miner to embed its config to avoid touching the disk or using a revealing command line,” the Wiz researchers said. “All these steps suggest that the adversary has a level of sophistication not commonly observed in most publicly documented cloud workload attacks.”

The researchers advise companies to avoid exposing services like Jupyter Notebook publicly, to put multifactor authentication or another strong identity platform in front of such services, and to restrict features that can lead to the execution of system commands.
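As an added illustration of the first two recommendations (not taken from the Wiz report), the settings below show, in a Jupyter Server configuration file, the exposed shape that PyLoose preys on next to a tightened one. The option names are Jupyter Server’s ServerApp traitlets as this editor knows them (on Jupyter Server 2.x the token is also settable as c.IdentityProvider.token); the token string is a placeholder, and the NameError fallback exists only so the file can be imported outside Jupyter for review.

```python
# jupyter_server_config.py (added illustration; placeholder values)
try:
    c = get_config()  # provided by Jupyter when it loads this file
except NameError:
    import types  # fallback so the file can be imported for review
    c = types.SimpleNamespace(ServerApp=types.SimpleNamespace())

# --- The exposed shape: reachable from anywhere, no authentication ---
# c.ServerApp.ip = "0.0.0.0"       # listens on every interface
# c.ServerApp.token = ""           # disables token authentication
# c.ServerApp.password = ""        # no password either
# c.ServerApp.allow_root = True    # every kernel, and os.system(), runs as root

# --- Tightened: local-only listener, authentication required, unprivileged ---
c.ServerApp.ip = "127.0.0.1"       # reach it over an SSH tunnel or an authenticating proxy
c.ServerApp.port = 8888
c.ServerApp.open_browser = False
c.ServerApp.allow_remote_access = False
c.ServerApp.allow_root = False
c.ServerApp.disable_check_xsrf = False
c.ServerApp.token = "replace-with-a-long-random-token"  # c.IdentityProvider.token on 2.x
```

Multifactor authentication is not something the notebook server does on its own; it comes from whatever sits in front of it (an identity-aware proxy or a JupyterHub authenticator). Note also that a notebook kernel is arbitrary code execution by design, so there is no single switch that removes os or subprocess from it; the practical controls are who can reach the server, which user the kernels run as, and (as the advice above implies) whether kernels are confined in a container or restricted profile.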