Cybercriminals are co-opting online storage platforms

Last week, Cybereason researchers Assaf Dahan and Lior Rochberger published news about an active campaign by hackers. The campaign delivers a collection of malware to vulnerable devices that can steal data, mine for Monero cryptocurrency, and deliver ransomware to victims all over the world.  

Their research highlighted an ongoing trend with cybercriminals, where they allegedly misuse online storage platforms like Github, Dropbox, Google Drive, and Bitbucket to disseminate malware. Storing malicious payloads on trusted platforms allows attackers to bypass security products to exploit the trust given to legitimate online services. Also, it provides the attackers with another way of reducing the risk of exposure to their servers by separating the delivery infrastructure (online storage platforms) from the servers.

Dahan said the Cybereason security team discovered seven different Bitbucket repositories that were being used to distribute the following malware: 

Predator is an information stealer that steals credentials from browsers, using the camera to take pictures, takes screenshots, and steals cryptocurrency wallets. Azorult is an information stealer with backdoor capabilities that illicitly takes passwords, email credentials, cookies, browser history, IDs and cryptocurrencies. The Evasive Monero Miner is the dropper for a multi-stage XMRig Miner that uses advanced evasion techniques to mine Monero while staying under the radar.

There’s also the STOP Ransomware, which is used to ransom the file system and is based on an open-source ransomware platform. It also has downloader capabilities that it uses to infect the system with additional malware. Vidar is an information-stealer that not only takes screenshots but also steals web browser cookies and history, digital wallets, and two-factor authentication data. Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information on a target machine. IntelRapid is a cryptocurrency stealer that steals different types of cryptocurrency wallets.

This attack begins when an unsuspecting user tries to download a cracked version of commercial software like Adobe Photoshop, Microsoft Office, and others, according to the Cybereason researchers. Hackers often target users looking for “free” commercial products by bundling legitimate software with different kinds of malware. When the user goes to install the “free commercial software,” it downloads Azorult and Predator onto the vulnerable machine. Once activated, the malware begins communicating with a command and control system residing on a separate platform.

The payloads originated from various user accounts in Bitbucket, a code repository platform. The account repositories are updated frequently and use Themida as a packer to evade detection by antivirus products and thwart analysis attempts. After being notified by Cybereason of the malicious repositories, Bitbucket Support deactivated the accounts within a few hours. It is tough to assess how many other software repositories could be compromised in similar ways. 

Due to the extensive range of exploit types used in this recent multi-pronged campaign, attackers can overwhelm victims from all sides. The hackers do not have to confine themselves to one attack goal or another, giving them a more persistent source of revenue. This active campaign has infected over 500,000 machines globally to date, with hundreds of devices more affected every hour. The attack is a stark reminder that people should remain highly suspicious of any offers for free software.

New to Bitcoin? Check out CoinGeek’s Bitcoin for Beginners section, the ultimate resource guide to learn more about Bitcoin—as originally envisioned by Satoshi Nakamoto—and blockchain.