PyLoose: First Python-Based Fileless Attack in the Wild
Imagine a Cybersecurity attack, and it's only 9 lines of code 🤯.
This is not a typo. Last week I read about an attack observed in the wild that caught my attention.
"This is the first publicly documented Python-based fileless attack targeting cloud workloads in the wild."
- The Hacker News
In this post we’ll go over some of the details about this novelty.
Although utilizing the compute power of Linux hosts and containers to mine cryptocurrency is nothing new, the way this attack was deployed was.
A combination of a publicly exposed Jupyter Notebook service, open sharing service, XMRig miner, obfuscation, and system commands being executed, made this attack possible. What makes this attack interesting is that it's just native system commands being used.
What’s even crazier? It's only 9 lines of code.
Deep Dive
Let’s take a deeper dive into the functionality of this script.
Line 1 is all the imports of libraries.
Lines 2 and 3 are system calls, from the C library that was imported in line 1.
The script's payload is a compressed and encoded XMRig miner, which it fetches from paste.c-net[.]org.
Lines 4 and 5 decode and then decompress the miner.
Line 6 uses memfd, a Linux-native system call. The name stands for memory file descriptor; it creates a file that lives only in memory, and 319 is the syscall number of memfd_create (on x86-64).
The result is an "anonymous file": it has no path on disk but otherwise behaves like a regular file.
Line 7 writes the decompressed miner to the anonymous file.
Line 8 is the path to the anonymous file created.
And line 9 is executing the file at the path from line 8.
This caught a lot of attention in the security community because it is the first "fileless" attack of this kind written in Python.
Because memfd creates anonymous files that stay in memory (RAM), nothing is ever written to disk.
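The memory-only nature of the file is also what gives it away on the host. A process started from a memfd shows up in /proc with an executable link and mappings of the form "/memfd:<name> (deleted)" instead of a real path. The following is an added example (not code from the PyLoose report) that scans /proc for exactly that; the SAMPLE_MAPS lines are constructed, and scan_proc() assumes a Linux /proc with enough privilege to read other users' entries.

```python
"""Host-side check for processes that run from an anonymous memfd file.

Added example, not code from the PyLoose report. A file created with
memfd_create has no path on disk; the kernel reports it as
"/memfd:<name> (deleted)" in /proc/<pid>/exe and in /proc/<pid>/maps.
scan_proc() assumes a Linux /proc; SAMPLE_MAPS is constructed.
"""
import os
import re
from typing import List, NamedTuple, Optional

# "/memfd:payload (deleted)" -> name "payload"; the name is whatever the
# creator passed to memfd_create and is often empty.
MEMFD_RE = re.compile(r"/memfd:(?P<name>[^ ]*)(?: \(deleted\))?$")


class Finding(NamedTuple):
    pid: int
    source: str  # "exe" (the process image itself) or "maps" (a mapped region)
    name: str    # memfd name, possibly ""


def memfd_name(path: str) -> Optional[str]:
    """Return the memfd name if `path` denotes a memfd-backed file, else None."""
    m = MEMFD_RE.search(path)
    return m.group("name") if m else None


def memfd_mappings(maps_text: str) -> List[str]:
    """Names of memfd-backed regions in the text of a /proc/<pid>/maps file."""
    names = set()
    for line in maps_text.splitlines():
        # Format: address perms offset dev inode [pathname]
        fields = line.split(None, 5)
        if len(fields) == 6:
            name = memfd_name(fields[5])
            if name is not None:
                names.add(name)
    return sorted(names)


def scan_proc(proc_root: str = "/proc") -> List[Finding]:
    """Walk /proc and report processes whose executable or mappings are memfd-backed."""
    findings: List[Finding] = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid = int(entry)
        base = os.path.join(proc_root, entry)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
            name = memfd_name(exe)
            if name is not None:
                # Strongest signal: the process image itself never touched disk.
                findings.append(Finding(pid, "exe", name))
            with open(os.path.join(base, "maps")) as fh:
                for name in memfd_mappings(fh.read()):
                    findings.append(Finding(pid, "maps", name))
        except OSError:
            # Process exited, or we lack permission (root is needed for other users).
            continue
    return findings


# Constructed sample of what /proc/<pid>/maps looks like for such a process.
SAMPLE_MAPS = """\
55d1c0000000-55d1c0001000 r-xp 00000000 00:01 1234    /memfd:payload (deleted)
55d1c0001000-55d1c0002000 rw-p 00001000 00:01 1234    /memfd:payload (deleted)
7f2a00000000-7f2a00020000 r--p 00000000 08:01 5678    /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd00000000-7ffd00021000 rw-p 00000000 00:00 0       [stack]
"""

if __name__ == "__main__":
    print("sample maps ->", memfd_mappings(SAMPLE_MAPS))
    for f in scan_proc():
        print(f"pid {f.pid}: memfd-backed {f.source} (name={f.name!r})")
```

Treat the two sources differently: memfd mappings in /proc/<pid>/maps are common in legitimate software (browsers, Wayland clients and some runtimes use them for shared memory), so they are noisy on their own, while an exe link that resolves to a memfd is the strong signal. Pair it with the parent process (a Jupyter kernel or python process in this case) to triage quickly.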
Conclusion
Leveraging OS-native commands to get the job done makes the activity harder for defenders to detect, which is enticing for attackers. These kinds of fileless attacks will be on the rise.
Ways to mitigate or detect this?
Limit public access to services (Jupyter Notebook)
Consider using Python Audit Hooks
Monitor services like pastebin
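On the audit-hook point: Python lets you register a function with sys.addaudithook that sees every auditable operation in the interpreter, and an exception raised from the hook aborts that operation. The example below is added here and is not from the PyLoose report or from CPython; it targets the two steps the deep dive describes (resolving a raw syscall entry point through the C library, then executing a path that exists only under /proc/<pid>/fd). The policy tables SUSPICIOUS_SYMBOLS, ANON_FD_PATH and EXEC_EVENTS are constructed starting points; the event names and argument layouts ("ctypes.dlsym" with (library, name), "os.exec" with (path, args, env), and so on) are the standard ones from the CPython audit-events table.

```python
"""Python audit hook for the memfd pattern the post walks through.

Added example, not code from the PyLoose report or from CPython. Relies on the
standard audit events "ctypes.dlsym" (library, name), "os.exec" (path, args,
env), "os.spawn" (mode, path, args, env), "os.posix_spawn" and
"subprocess.Popen" (executable, args, cwd, env). sys.addaudithook cannot be
removed once installed, so this belongs in a hardened interpreter such as the
one backing a Jupyter kernel (e.g. loaded from sitecustomize), not in ad hoc
scripts.
"""
import re
import sys
from typing import Optional, Tuple

# Foreign symbols that ordinary notebook code has no reason to resolve but an
# in-memory loader needs. Constructed list; extend for your environment.
SUSPICIOUS_SYMBOLS = {"syscall", "memfd_create", "fexecve"}

# /proc/<pid>/fd/<n> and /dev/fd/<n> name open descriptors, not files on disk.
ANON_FD_PATH = re.compile(r"^/(proc/(self|\d+)|dev)/fd/\d+$")

# Events whose string arguments may carry an executable path.
EXEC_EVENTS = {"os.exec", "os.spawn", "os.posix_spawn", "subprocess.Popen"}


def classify_event(event: str, args: Tuple) -> Optional[str]:
    """Return a finding string for a suspicious audit event, else None.

    Kept pure (no I/O, no side effects) so the policy can be unit-tested
    without installing a hook in the test process.
    """
    if event == "ctypes.dlsym" and len(args) >= 2:
        name = args[1]  # (library, name)
        if isinstance(name, str) and name in SUSPICIOUS_SYMBOLS:
            return f"ctypes resolved {name}(): raw syscalls from Python"
    if event in EXEC_EVENTS:
        # The executable path sits at different positions per event, so check
        # every string argument against the anonymous-descriptor pattern.
        for arg in args:
            if isinstance(arg, str) and ANON_FD_PATH.match(arg):
                return f"execution of anonymous file {arg}"
    return None


def memfd_guard(event: str, args: Tuple) -> None:
    """Audit hook: log suspicious symbol lookups, block execution of anonymous files."""
    finding = classify_event(event, args)
    if finding is None:
        return
    print(f"[audit] {event}: {finding}", file=sys.stderr)
    if finding.startswith("execution of"):
        # An exception raised from an audit hook aborts the audited operation,
        # so the exec never happens.
        raise PermissionError(f"blocked by audit policy: {finding}")


def install() -> None:
    """Install the hook for the rest of the interpreter's lifetime."""
    sys.addaudithook(memfd_guard)


if __name__ == "__main__":
    install()
    import ctypes
    import os

    libc = ctypes.CDLL(None)
    _ = libc.syscall  # fires ctypes.dlsym -> logged only
    try:
        os.execv("/proc/self/fd/3", ["payload"])  # fires os.exec -> blocked
    except PermissionError as exc:
        print(exc)
```

Two design choices worth noting. Symbol resolution is only logged, because a hook that raises on every ctypes lookup would break legitimate extensions; the block is reserved for the exec of a descriptor path, which has no normal use in a notebook. And since hooks written in Python can be removed by an attacker who controls the same interpreter only by replacing sys itself, the hook is a tripwire that raises the cost and produces a log line for your SIEM, not a sandbox boundary.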
I hope you got a lot of value out of it and that this helps you in your Cybersecurity journey.
Sources
https://thehackernews.com/2023/07/python-based-pyloose-fileless-attack.html
https://hackage.haskell.org/package/memfd