An ongoing attack has so far delivered a cocktail of malicious wares to more than 500,000 machines on the Internet by abusing Bitbucket, the source code management system operated by Atlassian, researchers reported on Wednesday.
The attack, carried out by multiple holders of malicious Bitbucket accounts, distributes an array of malware that carries out a wide range of nefarious actions. Siphoning email credentials and other sensitive data, installing ransomware, stealing cryptocurrency, and surreptitiously freeloading on electricity and computing resources to mine cryptocurrency are all included. Researchers at security firm Cybereason said the ongoing attack has already generated more than 500,000 downloads, an indication that the attack may be infecting a sizable number of users.
“This campaign deploys an arsenal of malware for a multi-pronged assault on businesses,” Cybereason researchers Lior Rochberger and Assaf Dahan wrote in a report. “It is able to steal sensitive browser data, cookies, email client data, system information, and two-factor authentication software data, along with cryptocurrency from digital wallets. It is also able to take pictures using the camera, take screenshots, mine Monero, and in certain cases also deploy ransomware.”
To lure targets into downloading the malware, the attackers use multiple Bitbucket user accounts that are updated regularly. The accounts offer cracked versions of Adobe Photoshop and other commercial software, that is, copies with their copy protection removed so they can be installed without paying a licensing fee. The installation files are bundled with code that surreptitiously installs malware. Like the fraudulent accounts, the malicious files hosted on Bitbucket are updated regularly, as often as every few hours, most likely to stay ahead of signature-based antivirus detection.
The cocktail of malware includes:
- Predator: Predator is an information stealer that steals credentials from browsers, uses the camera to take pictures, takes screenshots, and steals cryptocurrency wallets.
- Azorult: Azorult is an information stealer that steals passwords, email credentials, cookies, browser history, IDs, cryptocurrencies, and has backdoor capabilities.
- Evasive Monero Miner: The Evasive Monero Miner is the dropper for a multi-stage XMRig Miner that uses advanced evasion techniques to mine Monero and stay under the radar.
- STOP Ransomware: STOP Ransomware encrypts the victim's files and demands payment for their return, and is based on an open source ransomware platform. It also has downloader capabilities that it uses to infect the system with additional malware.
- Vidar: Vidar is an information stealer that steals Web browser cookies and history, digital wallets, two-factor authentication data, and takes screenshots.
- Amadey bot: Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information on a target machine.
- IntelRapid: IntelRapid is a cryptocurrency stealer that steals different types of cryptocurrency wallets.
Having your cake and eating it too
The first pieces of malware installed after a victim runs one of the pirated installers are Predator and Azorult. These are the programs that steal passwords and other sensitive data, take screenshots, pilfer cryptocurrency wallets, and download the additional malware from Bitbucket. The Cybereason post details how the other malicious wares work.
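Because the payloads are re-uploaded every few hours, blocking by file hash is a losing game; the more durable signal is the delivery path described above: a user workstation (not a developer machine) pulling several binary artefacts from Bitbucket's download area, often from more than one account, within minutes. The following detection sketch is an added example, not code from the article or from Cybereason. It runs over a few constructed proxy-log lines in a simplified format (timestamp, client, method, URL, status, bytes, content type); the account names, repository names and file names are hypothetical, and the parser would need adapting to a real proxy's log format.

```python
"""Flag multi-stage binary downloads from Bitbucket in web-proxy logs.

Added example, not the article's or Cybereason's code. The log format is a
constructed, simplified one; adapt parse_line() to your proxy.
"""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample log lines. Account, repo and file names are hypothetical.
# ws-042 mimics a victim fetching a cracked installer and two follow-on payloads;
# dev-007 is a developer doing legitimate Bitbucket work.
SAMPLE_LOG = """\
2020-02-05T10:01:12Z ws-042 GET https://bitbucket.org/acct-one/photoshop-full/downloads/Adobe_Photoshop_CC_2020_crack.exe 200 4518912 application/x-msdownload
2020-02-05T10:01:40Z ws-042 GET https://bitbucket.org/acct-one/photoshop-full/downloads/update.exe 200 901120 application/octet-stream
2020-02-05T10:02:03Z ws-042 GET https://bitbucket.org/acct-two/misc/downloads/xm.bin 200 2203648 application/octet-stream
2020-02-05T10:05:00Z dev-007 GET https://bitbucket.org/myteam/backend/get/master.tar.gz 200 3112000 application/x-gzip
2020-02-05T10:06:30Z ws-118 GET https://www.example.com/index.html 200 5120 text/html
2020-02-05T10:07:00Z dev-007 GET https://bitbucket.org/myteam/tools/downloads/release-notes.pdf 200 80000 application/pdf
"""

# Extensions and MIME types that indicate an executable artefact rather than
# source code or documentation.
PAYLOAD_EXTENSIONS = {".exe", ".scr", ".dll", ".msi", ".bin", ".bat", ".ps1"}
BINARY_CONTENT_TYPES = {"application/x-msdownload", "application/octet-stream",
                        "application/x-dosexec"}


def parse_line(line):
    """Split one constructed log line into a record dict."""
    ts, client, method, url, status, size, ctype = line.split()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "client": client, "method": method, "url": url,
        "status": int(status), "bytes": int(size), "ctype": ctype,
    }


def bitbucket_account(url):
    """First path segment of a bitbucket.org URL is the workspace/account."""
    parts = urlparse(url).path.split("/")
    return parts[1] if len(parts) > 1 else ""


def is_bitbucket_payload(rec):
    """True if the request fetched a binary from Bitbucket's artefact download area."""
    u = urlparse(rec["url"])
    host = (u.hostname or "").lower()
    if host != "bitbucket.org" and not host.endswith(".bitbucket.org"):
        return False
    # The campaign abused uploaded artefacts (/downloads/), not source checkouts.
    if "/downloads/" not in u.path:
        return False
    filename = u.path.rsplit("/", 1)[-1].lower()
    ext = "." + filename.rsplit(".", 1)[-1] if "." in filename else ""
    return ext in PAYLOAD_EXTENSIONS or rec["ctype"] in BINARY_CONTENT_TYPES


def payload_hits(log_text):
    """All successful binary downloads from Bitbucket, in log order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["status"] == 200 and is_bitbucket_payload(rec):
            hits.append(rec)
    return hits


def multistage_clients(hits, min_files=2, window_seconds=600):
    """Clients that pulled >= min_files distinct Bitbucket binaries within the window.

    Returns {client: {"urls": [...], "accounts": [...]}} so an analyst can see
    at once how many files and how many distinct Bitbucket accounts were involved.
    """
    per_client = defaultdict(list)
    for rec in hits:
        per_client[rec["client"]].append(rec)
    findings = {}
    for client, recs in per_client.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):  # sliding window anchored on each hit
            window = [r for r in recs[i:]
                      if (r["ts"] - first["ts"]).total_seconds() <= window_seconds]
            urls = sorted({r["url"] for r in window})
            if len(urls) >= min_files:
                findings[client] = {
                    "urls": urls,
                    "accounts": sorted({bitbucket_account(u) for u in urls}),
                }
                break
    return findings


if __name__ == "__main__":
    for client, info in multistage_clients(payload_hits(SAMPLE_LOG)).items():
        print(client, len(info["urls"]), "binaries from accounts", info["accounts"])
```

On the constructed sample this flags only ws-042, which fetched three binaries from two different accounts inside a minute, while the developer's source tarball and PDF pass. Tune `min_files` and the window to your environment, exclude known developer subnets rather than individual hosts, and if your proxy records only the final host after Bitbucket redirects a download to its storage backend rather than the initial bitbucket.org request, extend the host check accordingly.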
Wednesday’s post said that Bitbucket officials removed the malicious downloads within hours of being notified. In a statement, Bitbucket officials wrote:
We are constantly working to ensure that users do not store illegal information on Bitbucket or break our terms of service. Atlassian Acceptable Use Policy does not allow content that “contains viruses, bots, worms, scripting exploits, or other similar materials.” As soon as we were informed of malware hosted on Bitbucket and confirmed the accuracy of the report, we disabled all the affected repositories. To help protect our services, we are continuing to invest in improving the automated capabilities we use to prevent misuse and enforce our terms of service.
The attack is the latest reminder that people should remain highly skeptical of any offers for free software. The Cybereason researchers, meanwhile, said the campaign is a coup for the attackers because it maximizes their profits.
“In some ways, this attack takes persistent revenue to the next level,” the researchers wrote. “These attackers infect the target machine with different kinds of malware to get as much sensitive data as possible, alongside miner capabilities and ransomware capabilities. This attack is the epitome of ‘have your cake and eat it too,’ with attackers layering malware for maximum impact.”
This post has been updated to make clear third parties are abusing Bitbucket to distribute the warez.