Malware stew cooked up on Bitbucket, deployed in attacks worldwide
Bitbucket is the latest legitimate hosting provider to be abused by cybercriminals to spread malware.
In a campaign revealed by Cybereason researchers Lior Rochberger and Assaf Dahan on Wednesday, threat actors are actively delivering an “unprecedented number of malware types” in a new international attack wave.
All of the malware has been hosted on Bitbucket. When legitimate hosting services are abused — including Google Drive, GitHub, and Dropbox — it is usually a quick affair to have users reported and malicious files removed, but in this case, the cybersecurity firm says that an array of user profiles are in use and are being updated regularly, sometimes as often as every hour, in order to avoid disrupting criminal operations.
According to the report, over 500,000 machines have been infected by malware used in this campaign so far — and the attacks show no signs of stopping.
The malware families in use are extensive. The first is Predator, an information-stealing malware variant, first observed by Fortinet in 2018 after making the rounds on Russian underground forums. Predator, written in C/C++, is able to steal data including system information and browser credentials, compromise web cameras, and replace cryptocurrency wallet addresses in the buffer. The malware has recently been rewritten to become fileless.
Azorult is up next. First discovered in 2016, this malware strain is another information stealer that is also able to establish a Remote Desktop Protocol (RDP) connection via hidden administrator account creation on infected machines. Azorult is often spread through the Fallout exploit kit.
A dropper is also in use. Known as the Evasive Monero Miner, the dropper is used to deploy an XMRig cryptocurrency miner that “uses advanced evasion techniques to mine Monero and stay under the radar,” according to the team.
Ransomware, a particularly disruptive form of malware that recently hit the news after bringing Travelex to a stop for weeks, also features in the cyberattackers’ arsenal. The form they have chosen to deploy is called STOP which reportedly demands between $300 and $600 from victims. Cybereason says that STOP is also able to download additional malware payloads.
If these were not enough, now enters Vidar, C++ spyware that is able to search compromised machines for particular files to steal, grab browser cookie IDs and histories, tamper with cryptocurrency wallets, take screenshots, and potentially intercept 2FA protections, among other functions. IntelRapid, too, has been linked to the campaign, a cryptocurrency stealer able to compromise different forms of wallet.
The Amadey bot is also present; but unlike some of the other malware variants mentioned, it is a simple Trojan bot used for reconnaissance on target machines. RigEK and Fallout exploit kits have distributed Amadey in the past.
TechRepublic: 4 key trends to hit the cybersecurity industry in 2020
Themida and CypherIT Autoit are used as packers in an attempt to avoid detection or analysis.
The infection vector begins with either phishing emails enhanced via social engineering or the download of cracked software.
Attribution, as in many cases, is a difficult proposition, but the team continues to actively track the operators. Cybereason reached out to Bitbucket with the firm’s findings and the company is investigating. Assaf Dahan, senior director of threat hunting at Cybereason told ZDNet that the files have been removed for now.
“Attackers continue to abuse legitimate online storage platforms for their own gain. With immediate parallels to the benefits of living-off-the-land binaries, legitimate applications are an easy, trusted way for attackers to gain entry and spread malware within an organization,” the researchers say. “These attackers infect the target machine with seven different kinds of malware to get as much sensitive data as possible, alongside miner capabilities and ransomware capabilities. This attack is the epitome of “have your cake and eat it too”, with attackers layering malware for maximum impact.”
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0