PyLoose Unleashes Fileless Attack on Cloud Infrastructure

A new fileless attack called PyLoose targets various cloud services in order to install a cryptocurrency miner. “The attack consists of Python code that loads the crypto-miner directly into the memory of the runtime environment using a well-known Linux fileless technique. This is the first Python-based attack in the wild aimed at cloud services,” Wiz experts said in a report published yesterday.

The cloud security company discovered about 200 cases in which this attack method was used for cryptocurrency mining. So far, nothing is known about the attackers, except that they have advanced skills and tools.

According to Wiz, the attackers gained initial access by exploiting an openly accessible Jupyter Notebook service, which allows system commands to be executed through Python modules.

PyLoose, first discovered on June 22, 2023, is a Python script of only nine lines of code that contains a compressed and encoded precompiled XMRig miner.

The payload is downloaded from the public hosting service Pastebin with an HTTPS GET request and loaded directly into the memory of the Python runtime through a memfd descriptor, without writing any files to disk, which makes the threat significantly harder to detect.

“Attackers made great efforts to remain unnoticed, using an open data-sharing service to host the Python payload, adapting the fileless execution technique for Python, and compiling the XMRig miner with a built-in configuration to avoid touching the disk or using the command line,” the researchers say.

Attacks on cloud services have recently gained popularity among attackers. Just yesterday, we wrote about a new malicious operation recently conducted by the SCARLETEEL group, which used Amazon Web Services (AWS) infrastructure for the theft of confidential data and illegal cryptocurrency mining.
