Cybereason, a provider of endpoint protection software, today disclosed that it discovered a malware campaign that has been leveraging Bitbucket repositories from Atlassian to launch cyberattacks.
Assaf Dahan, senior director for threat research at Cyberseason, said the repositories have been taken offline since first being discovered last month by Atlassian. However, Dahan noted this is only the latest example of public software repositories such as Google Drive or GitHub that are trusted by many individuals being employed to distribute malware. Cybercriminals are employing these repositories because it’s unlikely they will get blacklisted, he said.
In this example, Dahan said the Cybereason security team discovered seven different Bitbucket repositories that were being used to distribute the following malware:
- Predator: Predator is an information stealer that steals credentials from browsers, uses the camera to take pictures, takes screenshots and steals cryptocurrency wallets.
- Azorult: Azorult is an information stealer that steals passwords, email credentials, cookies, browser history, IDs and cryptocurrencies, and has backdoor capabilities.
- Evasive Monero Miner: The Evasive Monero Miner is the dropper for a multi-stage XMRig Miner that uses advanced evasion techniques to mine Monero and stay under the radar.
- STOP Ransomware: The STOP Ransomware is used to ransom the file system and is based on an open source ransomware platform. It also has downloader capabilities that it uses to infect the system with additional malware.
- Vidar: Vidar is an information-stealer that steals web browser cookies and history, digital wallets and two-factor authentication data, and takes screenshots.
- Amadey bot: Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information on a target machine.
- IntelRapid: IntelRapid is a cryptocurrency stealer that steals different types of cryptocurrency wallets.
Cybercriminals were able to leverage Bitbucket by creating several user accounts that are updated frequently. Regular updates to the malware stored on these accounts and the use of Themida as a packer enabled the cybercriminals to evade detection by antivirus products in addition to thwarting analysis attempts. They also use the CypherIT Autoit packer to pack Azorult malware, which provided an additional layer of protection against analysis.
Dahan said the cybercriminals distributing tended to be especially “greedy” because the research team discovered endpoints that had been infected by seven different strains of malware. Cybereason researchers discovered the role Bibucket repositories were playing in this malware attack after endpoints at several customer sites were compromised, he said.
Despite employing Bitbucket, Dahan said it’s unlikely the malware was created using a set of DevOps practices wrapped around a public repository. Instead, the malware was created elsewhere and then moved to the repository for distribution. Once activated, he said, the malware would begin communicating with a command and control system residing on a separate platform.
It’s difficult to assess how many other public software repositories might be compromised in similar ways. Dahan said this type of malware campaign illustrates why it’s important to download software only from a trusted repository. In addition, organizations should make end user training to recognize phishing attacks mandatory, he said.
The challenge now, of course, will be reviewing the degree to which the current policies organizations have in place against downloading software from public repositories are actually being adhered to by every member of the organization.