Threat actors are abusing the Bitbucket code hosting service to host seven types of malware that has already claimed more than 500,000 business computers.
Cybereason researchers reported that attackers are abusing the Bitbucket code hosting service to store seven types of malware that were employed in an ongoing campaign. According to the experts, the malware already claimed more than 500,000 business computers worldwide.
The arsenal of attackers includes data stealers, cryptocurrency miners, and ransomware, that literally hit victims from all sides.
“Cybereason is following an active campaign to deliver an arsenal of malware that is able to steal data, mine for cryptocurrency, and deliver ransomware to victims all over the world. Due to the variety of malware types deployed in this attack, attackers are able to hit victims from all sides and do not have to limit themselves to one attack goal or another.” reads the analysis published by Cyberreason. “The payloads observed in this campaign originated from different accounts in code repository platform Bitbucket, which was abused as part of the attackers delivery infrastructure.”
Attackers abuse legitimate online storage platforms to bypass security products due to the trust given to legitimate online services. The use of online storage platform also allows attackers to reduce the exposure to their C2 server infrastructure by separating the delivery infrastructure (online storage platforms) from the C2 server infrastructure.
The attackers are hosting malware on several Bitbucket accounts, the malicious codes receive frequent updates. Cybereason discovered the following payloads actively deployed in this campaign:
Predator: Predator is an information stealer that steals credentials from browsers, uses the camera to take pictures, takes screenshots, and steals cryptocurrency wallets.
Azorult: Azorult is an information stealer that steals passwords, email credentials, cookies, browser history, IDs, cryptocurrencies, and has backdoor capabilities.
Evasive Monero Miner: The Evasive Monero Miner is the dropper for a multi-stage XMRig Miner that uses advanced evasion techniques to mine Monero and stay under the radar.
STOP Ransomware: The STOP Ransomware is used to ransom the file system and is based on an open source ransomware platform. It also has downloader capabilities that it uses to infect the system with additional malware.
Vidar: Vidar is an information stealer that steals web browser cookies and history, digital wallets, two-factor authentication data, and takes screenshots.
Amadey bot: Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information on a target machine.
IntelRapid: IntelRapid is a cryptocurrency stealer that steals different types of cryptocurrency wallets.
Attackers are using Themida as a packer to evade detection and the CypherIT Autoit packer to pack Azorult and attempt to protect it from the analysis
The usage of multiple payloads on a single system allows attackers to maximize their efforts, especially when the infected systems belong to a corporate network.
The attackers camouflage the malware with bogus cracked versions of commercial software, “Adobe Photoshop, Microsoft Office, and others.”
Most of the tainted crackers observed in this campaign include Azorult and Predator the Thief data stealers.
Experts discovered some Bitbucket repositories linked to each other hosting the same piece of malware with the same names, the operators behind this campaign in some cases provided updates as often as three hours.
“Through research of other samples related to the campaign, we have identified additional Bitbucket repositories that are likely created by the same threat actor with the same set of malware samples.” continues the report. “Judging by the number of downloads, we estimate over 500,000 machines have been infected by the campaign so far, with hundreds of machines affected every hour. ”
More than 500,000 machines have been infected already compromised, experts observed hundreds of new infections every hour.
Experts noticed that when there is nothing to steal from the infected system, attackers deploy the STOP ransomware to blackmail the victims and maintain persistence.
“Attackers continue to evolve and look for more effective ways to make a profit. They are finding that, when their tools fail, they can use legitimate ones instead. Security practitioners must find ways to evolve faster and ensure the security of these trusted resources so we can stay ahead of these threats.” concludes the report that also includes Indicators of Compromise (IoCs).
We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
Pierluigi Paganini
February 05, 2020
