A newly discovered attack campaign has been abusing the online storage platform Bitbucket to maintain and update a wide assortment of malware, in a plot to infect computer users who download free, cracked versions of commercial software from the internet.
Researchers at Cybereason’s Nocturnus team, who uncovered the threat, estimate that more than 500,000 machines worldwide have already been affected.
A typical infection in this campaign begins with the installation of the Predator the Thief and Azorult information stealers, but can subsequently result in the deployment of the Evasive Monero Miner, STOP ransomware, the Vidar info stealer, the Amadey bot trojan and the IntelRapid cryptocurrency stealer.
“Due to the variety of malware types deployed in this attack, attackers are able to hit victims from all sides and do not have to limit themselves to one attack goal or another,” explains a blog post today from Cybereason Nocturnus researchers Lior Rochberger and Assaf Dahan.
The attackers behind the campaign created numerous Bitbucket user accounts to host secondary malware payloads, which the actors would regularly update, as frequently as once per hour. And to conceal their activity, the malicious actors have been using the Themida software protection system and multiple packing tools.
“This research highlights an ongoing trend with cybercriminals where they abuse legitimate online storage platforms like Github, Dropbox, Google Drive, and Bitbucket to distribute commodity malware,” the blog post states. This technique helps bypass security products that trust legitimate online services, and reduces the risk that a cybercriminal group’s C2 infrastructure will be exposed, the report continues.
Cybereason says Bitbucket deactivated the observed malicious repositories within hours of being informed about the cybercriminal scheme.
“We are constantly working to ensure that users do not store illegal information on Bitbucket or break our terms of service,” said a spokesperson from Atlassian, Bitbucket’s operator. “Acceptable Use Policy does not allow content that ‘contains viruses, bots, worms, scripting exploits, or other similar materials.’ As soon as we were informed of malware hosted on Bitbucket and confirmed the accuracy of the report, we disabled all the affected repositories. To help protect our services, we are continuing to invest in improving the automated capabilities we use to prevent misuse and enforce our terms of service.”
Users have been infected after downloading cracked versions of Adobe Photoshop, Microsoft Office and other commercial software, which were secretly bundled with Predator the Thief and Azorult. It is always recommended that computer users only download commercial software from legitimate, trusted websites.
“Using the promise of free software that is otherwise rather expensive, these attackers are using our human nature against us in order to drop some pretty nasty malware onto people’s computers,” said Erich Kron, security awareness advocate at KnowBe4. “People need to be reminded that downloading cracked software is likely to carry a significant cost of its own in the long run.”
Predator the Thief steals credentials from browsers, takes unauthorized pictures and screenshots and steals cryptocurrency wallets, while Azorult features backdoor capabilities and also swipes passwords, email credentials, cookies, browser history, IDs and cryptocurrencies. After Azorult executes, Predator connects to Bitbucket to download the aforementioned secondary payloads, potentially causing victims even more headaches.
“In some ways, this attack takes persistent revenue to the next level,” Cybereason concludes in its report. “These attackers infect the target machine with different kinds of malware to get as much sensitive data as possible, alongside miner capabilities and ransomware capabilities. This attack is the epitome of ‘have your cake and eat it too,’ with attackers layering malware for maximum impact.”