Cybereason found that hackers used the Bitbucket service to host the malware. Researchers have found seven species of malware involved in the campaign, which is still active. According to the experts, more than 500,000 machines have already fallen victim to this campaign and ended up infected with a variety of threats, including miners, ransomware, and trojans.
Researchers note that criminals have long used many legitimate platforms for their own purposes, including GitHub, Dropbox and Google Drive, because activity involving these services rarely raises suspicion. Now the same fate has befallen Bitbucket.
To store the malware, the attackers use several Bitbucket accounts, and the malware is updated regularly. These ongoing updates, together with the use of the Themida and CypherIT AutoIt packers, help it evade detection and give the threats some protection against analysis. Among the payloads discovered by the experts were:
- Predator: an infostealer that steals credentials from browsers, steals information about cryptocurrency wallets, takes screenshots, and uses the webcam to take photos;
- Azorult: another infostealer that steals passwords, e-mail credentials, cookies, browser history, IDs and cryptocurrency, and also has backdoor capabilities;
- Evasive Monero Miner: a dropper for XMRig Miner that uses advanced masking methods to quietly mine the Monero cryptocurrency;
- STOP Ransomware: ransomware built on an open-source platform that also has loader capabilities and is used to infect the system with additional malware;
- Vidar: an infostealer that steals cookies, browser history, electronic wallet data and two-factor authentication data, and can also take screenshots;
- Amadey bot: a simple trojan, mainly used to collect initial information about an infected machine;
- IntelRapid: designed to steal cryptocurrencies; steals information about various types of wallets.
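The point of abusing a code-hosting service is that traffic to it blends in with normal developer activity, so a defender cannot simply block the domain. What can be watched is the combination the article describes: a binary payload fetched from a code-hosting download endpoint by a process that is not a browser, a package manager or git, and one host pulling binaries from several unrelated accounts. The following Python script is an added example, not code from the original article or from Cybereason; it runs over constructed proxy log lines (fictional account names `ex-acct-1`/`ex-acct-2`, fictional clients) and assumes a simplified `/<account>/<repo>/downloads/<file>` URL layout and a pipe-delimited log format.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log lines for this example (not real traffic).
# Fields: timestamp | client | process | method | url | content_type | bytes
SAMPLE_LOG = """\
2020-02-05T10:01:12Z|10.0.0.21|chrome.exe|GET|https://bitbucket.org/ex-team-a/tools/src/master/README.md|text/html|4212
2020-02-05T10:03:40Z|10.0.0.21|git.exe|GET|https://bitbucket.org/ex-team-a/tools.git/info/refs|application/x-git-upload-pack-advertisement|880
2020-02-05T10:07:03Z|10.0.0.33|setup_photoshop.exe|GET|https://bitbucket.org/ex-acct-1/updates/downloads/upd.exe|application/octet-stream|1843200
2020-02-05T10:07:09Z|10.0.0.33|setup_photoshop.exe|GET|https://bitbucket.org/ex-acct-2/files/downloads/svc.exe|application/x-msdownload|922624
2020-02-05T10:09:51Z|10.0.0.45|powershell.exe|GET|https://bitbucket.org/ex-acct-1/updates/downloads/upd.exe|application/octet-stream|1843200
2020-02-05T10:12:00Z|10.0.0.50|firefox.exe|GET|https://github.com/example/project/releases/download/v1.0/tool.zip|application/zip|30210
"""

# Code-hosting services that legitimately carry lots of traffic and so are
# unattractive to block outright.
CODE_HOSTS = {"bitbucket.org", "github.com", "raw.githubusercontent.com", "gitlab.com"}
# Content types under which Windows executables are typically served.
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload", "application/x-dosexec"}
# Processes expected to fetch files from code-hosting sites; any other
# process pulling a binary from there deserves a closer look.
EXPECTED_FETCHERS = {"chrome.exe", "firefox.exe", "msedge.exe", "git.exe", "pip.exe", "go.exe"}


def parse_line(line):
    """Split one pipe-delimited log line into a record (assumed log format)."""
    ts, client, proc, method, url, ctype, size = line.split("|")
    u = urlparse(url)
    return {
        "ts": ts,
        "client": client,
        "proc": proc.lower(),
        "method": method,
        "host": u.netloc.lower(),
        "path": u.path,
        "ctype": ctype.lower(),
        "bytes": int(size),
    }


def account_of(path):
    """First path component, i.e. the hosting account (assumed URL layout)."""
    parts = [p for p in path.split("/") if p]
    return parts[0] if parts else ""


def is_binary_fetch(rec):
    """True when a binary payload is fetched from a code-hosting service."""
    return rec["host"] in CODE_HOSTS and rec["ctype"] in BINARY_TYPES


def find_suspicious(log_text):
    """Return records of binaries fetched from code hosts by unexpected processes."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if not is_binary_fetch(rec) or rec["proc"] in EXPECTED_FETCHERS:
            continue
        rec["account"] = account_of(rec["path"])
        findings.append(rec)
    return findings


def accounts_per_client(findings):
    """Map each client to the sorted set of hosting accounts it pulled binaries from.

    A single client touching several unrelated accounts mirrors the
    multi-account hosting pattern described in the article."""
    seen = defaultdict(set)
    for f in findings:
        seen[f["client"]].add(f["account"])
    return {client: sorted(accts) for client, accts in seen.items()}


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['client']} {h['proc']} -> {h['host']}{h['path']} ({h['bytes']} bytes)")
    print(accounts_per_client(hits))
```

On the constructed sample the browser and git fetches pass, while the two downloads made by a fake installer and the one made by PowerShell are reported, and the grouping shows one client reaching two separate accounts. In a real deployment the allow-list of fetching processes and the URL layout would have to match the organisation's proxy and the service's actual download paths.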
Attacks within this campaign start either with phishing e-mails reinforced by social engineering, or with the download of pirated versions of “hacked” software (the hackers disguise the malware as Adobe Photoshop, Microsoft Office, etc.).
At the same time, the attackers try to infect the target machine with several types of malware at once in order to maximize the effect: they collect as much confidential data as possible, and they also deploy mining malware and ransomware. The stolen information can be sold on the darknet, cryptocurrency can be withdrawn from the victim’s wallets, the miner can then be used to mine new coins, and finally, when there is nothing more to squeeze out of the infected system, the extortion malware is used.
Bitbucket representatives report that they deleted all the malicious files found by the researchers within a few hours of receiving the warning.