Threat actors are abusing the Bitbucket code hosting service to host seven types of malware that has already claimed more than 500,000 business computers.

Cybereason researchers reported that attackers are abusing the Bitbucket code hosting service to store seven types of malware that were employed in an ongoing campaign. According to the experts, the malware already claimed more than 500,000 business computers worldwide.

The arsenal of attackers includes data stealers, cryptocurrency miners, and ransomware, that literally hit victims from all sides.

“ Cybereason is following an active campaign to deliver an arsenal of malware that is able to steal data, mine for cryptocurrency , and deliver ransomware to victims all over the world. Due to the variety of malware types deployed in this attack, attackers are able to hit victims from all sides and do not have to limit themselves to one attack goal or another.” reads the analysis published by Cyberreason. “The payloads observed in this campaign originated from different accounts in code repository platform Bitbucket, which was abused as part of the attackers delivery infrastructure.”

Attackers abuse legitimate online storage platforms to bypass security products due to the trust given to legitimate online services. The use of online storage platform also allows attackers to reduce the exposure to their C2 server infrastructure by separating the delivery infrastructure (online storage platforms) from the C2 server infrastructure.

The attackers are hosting malware on several Bitbucket accounts, the malicious codes receive frequent updates. Cybereason discovered the following payloads actively deployed in this campaign:

Predator: Predator is an information stealer that steals credentials from browsers, uses the camera to take pictures, takes screenshots, and steals cryptocurrency wallets.

Predator is an information stealer that steals credentials from browsers, uses the camera to take pictures, takes screenshots, and steals cryptocurrency wallets. Azorult: Azorult is an information stealer that steals passwords, email credentials, cookies, browser history, IDs, cryptocurrencies, and has backdoor capabilities.

Azorult is an information stealer that steals passwords, email credentials, cookies, browser history, IDs, cryptocurrencies, and has backdoor capabilities. Evasive Monero Miner: The Evasive Monero Miner is the dropper for a multi-stage XMRig Miner that uses advanced evasion techniques to mine Monero and stay under the radar.

The Evasive Monero Miner is the dropper for a multi-stage XMRig Miner that uses advanced evasion techniques to mine Monero and stay under the radar. STOP Ransomware: The STOP Ransomware is used to ransom the file system and is based on an open source ransomware platform. It also has downloader capabilities that it uses to infect the system with additional malware.

The STOP Ransomware is used to ransom the file system and is based on an open source ransomware platform. It also has downloader capabilities that it uses to infect the system with additional malware. Vidar: Vidar is an information stealer that steals web browser cookies and history, digital wallets, two-factor authentication data, and takes screenshots.

Vidar is an information stealer that steals web browser cookies and history, digital wallets, two-factor authentication data, and takes screenshots. Amadey bot : Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information on a target machine.

: Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information on a target machine. IntelRapid: IntelRapid is a cryptocurrency stealer that steals different types of cryptocurrency wallets.

Attackers are using Themida as a p acker to evade detection and the CypherIT Autoit p acker to p ack Azorult and attempt to p rotect it from the analysis

The usage of multiple payloads on a single system allows attackers to maximize their efforts, especially when the infected systems belong to a corporate network.

The attackers camouflage the malware with bogus cracked versions of commercial software, “Adobe Photoshop, Microsoft Office, and others.”

Most of the tainted crackers observed in this campaign include Azorult and Predator the Thief data stealers.

Experts discovered some Bitbucket repositories linked to each other hosting the same p iece of malware with the same names, the operators behind this campaign in some cases p rovided updates as often as three hours.

“Through research of other samples related to the campaign, we have identified additional Bitbucket repositories that are likely created by the same threat actor with the same set of malware samples.” continues the report. “Judging by the number of downloads, we estimate over 500,000 machines have been infected by the campaign so far, with hundreds of machines affected every hour. ”

More than 500,000 machines have been infected already compromised, experts observed hundreds of new infections every hour.

Experts noticed that when there is nothing to steal from the infected system, attackers deploy the STOP ransomware to blackmail the victims and maintain persistence.

“Attackers continue to evolve and look for more effective ways to make a profit. They are finding that, when their tools fail, they can use legitimate ones instead. Security p ractitioners must find ways to evolve faster and ensure the security of these trusted resources so we can stay ahead of these threats.” concludes the report that also includes Indicators of Compromise (IoCs).

Pierluigi Paganini

( SecurityAffairs – bitbucket, hacking)

Share this...

Linkedin Reddit Pinterest

Share On