A Python-based, fileless attack named PyLoose targets cloud workloads by loading a precompiled XMRig cryptominer directly into memory using memfd, with evidence of nearly 200 instances. The campaign leveraged publicly exposed Jupyter Notebook services and a Pastebin-like host to fetch the payload, making it difficult to detect since no payload is written to disk. #PyLoose #memfd
Keypoints
- PyLoose is a Python-based, fileless attack that loads an XMRig miner into memory via memfd, targeting cloud workloads.
- Approximately 200 instances were observed delivering the cryptominer, making it one of the few documented fileless cloud attacks.
- The attack starts from a publicly exposed Jupyter Notebook service with weak command restrictions, enabling code execution.
- Payloads are downloaded from paste.c-net.org via HTTPS GET and loaded into memory without touching disk.
- The loader decodes base64, decompresses with zlib, creates a memfd, writes the payload, and executes it from memory.
- The in-memory XMRig miner connects to the MoneroOcean mining pool (e.g., 51.75.64.249:20128) and uses multiple mining pool endpoints.
- MITRE technique mapping includes Ingress Tool Transfer, Web Service, Deobfuscate/Decode, Software Packing, Reflective Code Loading, and Resource Hijacking.
MITRE Techniques
- [T1105] Ingress Tool Transfer – The attacker downloaded the fileless payload from paste.c-net.org into the Python runtime’s memory by making an HTTPS GET request in a way that avoids saving the file to the disk. [“The attacker downloaded the fileless payload from paste.c-net.org (a Pastebin-equivalent website) [T1102] into the Python runtime’s memory by making an HTTPS GET request in a way that avoids saving the file to the disk.”]
- [T1102] Web Service – The payload was obtained from paste.c-net.org, described as a Pastebin-equivalent website. [“paste.c-net.org (a Pastebin-equivalent website) [T1102].”]
- [T1140] Deobfuscate/Decode Files or Information – The payload was base64-encoded and decoded prior to execution. [“Decodes the payload using the base64 algorithm [T1140].”]
- [T1027.002] Obfuscated Files or Information: Software Packing – The entire fileless payload was compressed with zlib and encoded in base64. [“entire fileless payload compressed with zlib and encoded in base64.”]
- [T1620] Reflective Code Loading – The malware was invoked directly from memory via a memfd, without touching disk. [“Invokes syscall number 319 with arguments that match: memfd_create(name="", flags=MFD_CLOEXEC)” … ”Invokes the malware directly from memory via the new memfd [T1620].”]
- [T1496] Resource Hijacking – The in-memory payload was identified as XMRig, a cryptominer, and connected to a mining pool. [“The in-memory file was quickly identified as an XMRig [T1496] with embedded config 6.19.3, … connected to the remote IPv4 address 51.75.64[.]249 … MoneroOcean mining pool.”]
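The loader steps in the key points and the T1620 entry above share one durable host artifact: a process executed from a memfd has no backing file on disk, so its /proc/<pid>/exe link resolves to "/memfd:<name> (deleted)" instead of a path. The following detection helper is an added example written for this summary, not code from the Wiz write-up or from PyLoose itself; it assumes a Linux /proc layout, the function names are the author's own, and the SAMPLE_PROCS entries are constructed stand-ins for a live process table (PyLoose's empty memfd name appears as "/memfd: (deleted)").

```python
"""Added detection example: flag Linux processes whose main executable is an
anonymous memfd, the artifact left when a payload is run from memory rather
than from a file on disk (the PyLoose / XMRig behaviour described above)."""
import os
import re
from dataclasses import dataclass

# exe link target of a memfd-backed process: "/memfd:<name> (deleted)".
# memfd_create(name="") as used by PyLoose yields "/memfd: (deleted)".
MEMFD_EXE = re.compile(r"^/memfd:(?P<name>.*?) \(deleted\)$")


@dataclass
class ProcInfo:
    pid: int
    exe: str       # target of /proc/<pid>/exe
    cmdline: str   # /proc/<pid>/cmdline with NUL separators replaced by spaces


def is_memfd_backed(exe_target: str) -> bool:
    """True when the exe symlink target is an anonymous memfd."""
    return MEMFD_EXE.match(exe_target) is not None


def memfd_name(exe_target: str) -> str:
    """The name passed to memfd_create, or "" if not memfd-backed."""
    m = MEMFD_EXE.match(exe_target)
    return m.group("name") if m else ""


def find_memfd_processes(procs):
    """Return the ProcInfo entries whose executable exists only in memory."""
    return [p for p in procs if is_memfd_backed(p.exe)]


def scan_proc(proc_root="/proc"):
    """Live scan of the local host: read every /proc/<pid>/exe and cmdline.
    Returns [] if proc_root is missing; skips processes we may not inspect."""
    found = []
    try:
        entries = os.listdir(proc_root)
    except (FileNotFoundError, NotADirectoryError, PermissionError):
        return found
    for entry in entries:
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            exe = os.readlink(f"{proc_root}/{pid}/exe")
            with open(f"{proc_root}/{pid}/cmdline", "rb") as fh:
                raw = fh.read()
        except (FileNotFoundError, PermissionError, ProcessLookupError, OSError):
            continue  # process exited, kernel thread, or not ours to read
        cmdline = raw.replace(b"\0", b" ").decode(errors="replace").strip()
        if is_memfd_backed(exe):
            found.append(ProcInfo(pid, exe, cmdline))
    return found


# Constructed sample data (not real telemetry) standing in for /proc.
SAMPLE_PROCS = [
    ProcInfo(1, "/usr/lib/systemd/systemd", "/sbin/init"),
    ProcInfo(4321, "/usr/bin/python3", "python3 -m notebook"),
    ProcInfo(4377, "/memfd: (deleted)", ""),                      # empty name, as PyLoose creates it
    ProcInfo(4380, "/memfd:jit-cache (deleted)", "node app.js"),  # named memfd: benign-looking, still worth triage
]

if __name__ == "__main__":
    for p in find_memfd_processes(scan_proc()):
        print(f"pid={p.pid} name={memfd_name(p.exe)!r} cmdline={p.cmdline!r}")
```

Some legitimate software (container runtimes, JIT engines) also executes from memfds, so a hit is a triage signal rather than a verdict; an empty memfd name combined with an empty or unexpected cmdline, or a parent that is a Jupyter kernel, matches the behaviour this report describes and should be escalated.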
Indicators of Compromise
- [File Hashes (SHA-256)] 25232290fa9fa5529240a4e893ce206dfdcfc28d0b3a1b89389f7270f1046822 (PyLoose loader), 935ee206846223e6d2db3f62d05101c0bea741e7b43e1b73c1eb008f947d5ff1 (XMRig payload)
- [File Hashes (SHA-1)] d422493b47e4798717f2b05a482c97ef9e6b74b9 (PyLoose loader), eba82ed21b329b0955ab87b2397a949628349b3f (XMRig payload)
- [File Hashes (MD5)] fec5b820594579f1088db47583d2c62d (PyLoose loader), 059f83f8969b09c29c95b17452718ea3 (XMRig payload)
- [Network Endpoint] IPv4: 51.75.64.249:20128 (Miner pool network endpoint)
- [DNS / FQDN] gulf.moneroocean.stream; pool.sabu-sabu.ml; pool.xiao.my.id (Cryptomining pool network endpoints)
- [Wallet] 85DS3ShGZwtFffeQUrDK8Db12qwCcaCHofNcZdjMkjTCfWiRv9WLe4cR2W97eGnRXwBxDhTK7BbbE2Z7t4gjXRz1VLPmhn7 (Attacker’s Monero wallet address)
Read more: https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads