PyLoose Fileless Attack Explained
Fileless attacks are a type of cyber attack that don’t rely on traditional malware files being written to the victim’s disk. Instead, they leverage legitimate software and system tools already present on the targeted system to carry out malicious activities. By operating solely in memory and leaving no traces on the disk, fileless attacks pose a significant challenge for traditional security measures.
There’s a new tricky attack called PyLoose out there, and it’s sneaking into cloud-based systems with a plan to set up a cryptocurrency miner. According to Wiz, PyLoose is a Python script with only nine lines of code, and it hides an XMRig miner that’s both shrunk down and scrambled up. This hidden stuff is moved from pastebin straight into the memory with an HTTPS GET request wget -O- URL, so it doesn’t have to be written to the disk.
Here’s the explanation of this 9 line Python script, decoded and clarified for your understanding.
In this Python script, four modules are imported initially: ctypes, os, base64, and zlib. The ctypes module allows interaction with C shared libraries, os enables operating system interactions, base64 assists in decoding a Base64 encoded payload, and zlib is utilized for decompressing the decoded payload.
A C library is loaded using ctypes.CDLL(None), following which the syscall function is obtained from the library. This function enables the script to make system calls directly. Next, a Base64 encoded payload, represented here as a series of dots (b'......'), is decoded. The decoded payload is then decompressed using zlib.decompress(), reverting it to its original form before the encoding and compression steps.
The syscall() function is subsequently employed to create an anonymous file in memory. The syscall number 319 corresponds to ‘memfd_create’, a Linux system call that generates an anonymous file. This file descriptor is maintained in memory and doesn’t link to the file system, offering an efficient way to manage temporary files.
The decompressed payload is written into the anonymous file using os.write(). Following this, a path to the file descriptor is crafted in the proc filesystem as /proc/self/fd/%d, where %d will be replaced with the file descriptor.
Finally, os.execle() is used to supplant the current process with a new one. The new process begins by calling the executable at the ‘proc_path’. Thus, this script decodes, decompresses, and executes a Base64 encoded and zlib compressed payload in an anonymous file, without ever writing it to the disk.
