Bitbucket used to deploy arsenal of malware to thousands

by Ugnius Kiguolis - -

The malicious campaign has reached over 500,000 machines worldwide

Cyber crooks employ BitBucket for the delivery of various malware

The Bitbucket[1] code hosting service is being exploited by malicious actors for the distribution of several malware types. According to the latest information, this campaign has already affected more than 500K businesses all over the world. The criminals have been pushing dangerous infections, some of which aim to steal personal information, mine cryptocurrency on the infected computer system, and even deliver ransomware payload.

According to researchers from Cybereason,[2], the variety of malware distributed allows them to attack a wider range of victims and seek multiple goals at the same time.The attackers seem to use various Bitbucket accounts for the infection processes:

Due to the variety of malware types deployed in this attack, attackers are able to hit victims from all sides and do not have to limit themselves to one attack goal or another. The payloads observed in this campaign originated from different accounts in code repository platform Bitbucket, which was abused as part of the attackers delivery infrastructure.

Because the used accounts are updated frequently, as well as the usage of Themida and CypherIT Autoit packers, malware can avoid being detected by anti-malware software and various system analysis. Besides, the latest packer is also used to include AZORult trojan that can also obfuscate the infections. Researchers also found out that some updates were loaded up as frequently as every three hours.

The seven types of distributed malware explained

The main victims of the malicious campaign appear to be people who are looking for cracked variants of tools like  Microsoft Office and Adobe Photoshop. However, Bitbucket is not the only online storage platform that is being abused for malware-related purposes. Hackers also target other directories such as DropBox, Google Drive, and GitHub.[3]

According to multiple news sources, the malicious attempt by abusing Bitbucket aims to distribute and install the following malware forms that include the mentioned operating modules:

  1. STOP ransomware.[4] This cyber threat locks up all files and documents that are found on a Windows computer and asks for a ransom payment for decryption software. Also, the threat can open a backdoor for other malware.
  2. AZORult. This is a Trojan virus that can infiltrate other malware and steal sensitive information such as login details, passwords, banking information, technical device details, and other personal data; additionally, it captures data from cryptowallets and VoIP applications.
  3. Vidar. Another information-stealing malware form that records browsing information such as the user's online trail, HTTP cookies, digital wallet data, multi-factor authentication details.It can also take screenshots.
  4. Evasive Monero Miner. Places the XMRig miner that mines Monero cryptocurrency on the infected PC.
  5. Predator. The cyber threat gathers personal information and steals credential data from web browser apps. It can also take screenshots, capture photos through the machine's camera, and steal money from cryptocurrency wallets.
  6. IntelRapid. This one aims to steal money from various cryptocurrency wallets.
  7. Amadey bot. Operates as a regular Trojan virus and is employed for completing searches on the infected device.

AZORult and Predator malware are the main information stealers that serve as a channel for other malicious forms. Particular Bitbucket accounts were discovered to hold around ten thousands of downloads for some virtual parasites.

Ransomware is employed again if no valuable content is found on the targeted device

All users need to be careful not to get lured in such malicious attempts as downloading dangerous malware to the computer system can result in monetary losses and damage to Windows OS. If you get your personal information captured, the cybercriminals can put it up for sale on the dark web[5] market. Additionally, if you reveal credentials, you can get your bank account wiped out.

Various malware forms can aim to steal important files from your system or corrupt them. Nevertheless, you might spot damaged software that cannot be fixed easily. Regarding this fact, always make sure that you employ a powerful anti-malware tool that can be difficult for malicious actors to deactivate. 

If hackers abusing the Bitbucket platform do not find any sensitive data on the infected computer system, they launch a repeated ransomware infection in order to collect at least some income. However, this malicious campaign can bring significant success to the cybercriminals as these people employ different types of malware at once and have already resulted in infecting approximately 500,000 machines. Luckily, Cybereason experts succeeded in informing Bitbucket Support about the campaign, and the company deactivated it within a few hours.

About the author
Ugnius Kiguolis
Ugnius Kiguolis - The mastermind

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.

Contact Ugnius Kiguolis
About the company Esolutions

References

Your opinion regarding Bitbucket used to deploy arsenal of malware to thousands