Linux devices are under threat from fileless XMR virus

Date: 2023-07-15 Author: Karina Ziganova Categories: CRYPTO PAYMENTS, IN WORLD
A virus called PyLoose has learned to hide in the RAM of devices for traceless XMR mining

A Python-based malware called PyLoose has been targeting the Linux operating system to mine the cryptocurrency monero (XMR), according to analysts at the IT firm Wiz. The experts found that the script hides in the memory of infected devices, which makes it extremely difficult for antivirus software to detect. According to the researchers, the virus has carried out at least two hundred attacks since June 2023. Who exactly is behind its development is unclear.

Wiz believes this is the first documented case of fileless malware written in Python. The virus infects victims' devices through the cloud; at the time of writing, the experts had found that it is commonly delivered through Jupyter Notebook, a web-based notebook that can run code.

To carry out the attack, the attacker sends a GET request that downloads the malicious code onto the victim's device. If the connection succeeds, the virus is loaded directly into RAM, and from there a hidden XMRig miner is launched to mine cryptocurrency through the MoneroOcean pool.
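A host-side check a defender could run against the behaviour described above (an added example; not code from the article or from Wiz): it flags Linux processes whose executable is not backed by a file on disk, Python interpreters fed their program on stdin or via -c, and command lines carrying XMRig or MoneroOcean indicators. The memfd:/(deleted) and stdin/-c checks are assumptions about how a memory-only payload surfaces in /proc, and the sample records, including the pool hostname, are constructed.

```python
import re
from dataclasses import dataclass
from pathlib import Path

# Indicators from the article: an in-memory Python payload launching an XMRig miner on the MoneroOcean pool.
MINER_CMDLINE = re.compile(r"xmrig|moneroocean|stratum\+tcp", re.I)
# Assumption: a memory-only executable shows in /proc/<pid>/exe as "memfd:..." or with a "(deleted)" suffix.
MEMORY_ONLY_EXE = re.compile(r"^/?memfd:|\(deleted\)$")
# Assumption: a program piped to the interpreter ("python3 -") or passed via -c never exists as a file on disk.
PYTHON_NO_FILE = re.compile(r"^\S*python\S*\s+(-c|-)(\s|$)")

@dataclass
class Proc:
    pid: int
    exe: str      # target of the /proc/<pid>/exe symlink
    cmdline: str  # argv joined with single spaces

def suspicious_reasons(p: Proc) -> list[str]:
    """Return why a process looks like a fileless miner; empty list if clean."""
    reasons = []
    if MEMORY_ONLY_EXE.search(p.exe):
        reasons.append("executable not backed by a file on disk")
    if PYTHON_NO_FILE.search(p.cmdline):
        reasons.append("Python program supplied on stdin or via -c")
    if MINER_CMDLINE.search(p.cmdline):
        reasons.append("miner indicators in command line")
    return reasons

def scan(procs: list[Proc]) -> dict[int, list[str]]:
    """Map pid -> reasons for every process that trips at least one check."""
    return {p.pid: r for p in procs if (r := suspicious_reasons(p))}

def read_proc() -> list[Proc]:
    """Collect live processes from /proc (Linux only; root sees all of them)."""
    procs = []
    for d in (d for d in Path("/proc").iterdir() if d.name.isdigit()):
        try:
            exe = str((d / "exe").readlink())
            argv = (d / "cmdline").read_bytes().split(b"\0")
        except OSError:
            continue  # process already exited, or not readable by this user
        procs.append(Proc(int(d.name), exe, " ".join(a.decode(errors="replace") for a in argv if a)))
    return procs

# Constructed sample records standing in for a real /proc walk; the pool hostname is a placeholder.
SAMPLE = [
    Proc(1, "/usr/lib/systemd/systemd", "/sbin/init"),
    Proc(4242, "/usr/bin/python3.11", "python3 -"),
    Proc(4243, "/memfd:xmrig (deleted)", "xmrig -o pool.moneroocean.example:3333"),
]
```

Run scan(read_proc()) on a live host; an empty result is not proof of a clean system, since a payload that exits quickly or runs under another user will not show up.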

The analysts urged users to avoid web services that can compile and run code in the cloud. For owners of Linux systems, Wiz advised restricting the execution of system commands.

In May, the editors reported that macOS-based devices were also threatened by a new virus that steals information, including data from cryptocurrency wallets. Analysts at Cyble Labs found that the virus, called Atomic (AMOS), is distributed on a subscription model through Telegram; the subscription costs $1000 per month. The virus itself is delivered as a .dmg file, and its malicious code is written in Go.

The virus steals passwords, files from the local system, cookies and credit card data stored in the Chrome, Firefox, Brave, Edge, Opera, Yandex, Vivaldi and OperaGX browsers. It also hunts for data from browser extensions such as MetaMask, Phantom, Coinbase and Trust Wallet, and from wallets such as Electrum, Binance, Exodus, Atomic Wallet, Coinmi, Guarda, TronLink, Trezor and others.
