6 February 2020

Hackers leverage Bitbucket to spread ransomware, infostealers and other malware

Security researchers have disclosed the details of an ongoing malicious campaign that uses the Bitbucket code hosting service to store and deliver seven types of commodity malware, including information stealers, ransomware, and coin miners. According to a recent report from cybersecurity firm Cybereason, over 500,000 hosts have been infected so far, and the campaign shows no signs of stopping.

The targets of this campaign are unsuspecting users who download cracked versions of commercial software such as Adobe Photoshop and Microsoft Office. The attackers host the malware on several Bitbucket accounts that are regularly updated, at times as often as once an hour, most likely to evade detection by traditional antivirus solutions.

The observed campaign delivers several types of malware that are able to steal sensitive browser data, cookies, email client data, system information, and two-factor authentication software data, along with cryptocurrency from digital wallets. The campaign actively deploys the following payloads:

Predator: Predator is an information stealer that steals credentials from browsers, uses the camera to take pictures, takes screenshots, and steals cryptocurrency wallets.

Azorult: Azorult is an information stealer that steals passwords, email credentials, cookies, browser history, IDs, cryptocurrencies, and has backdoor capabilities.

Evasive Monero Miner: The Evasive Monero Miner is the dropper for a multi-stage XMRig Miner that uses advanced evasion techniques to mine Monero and stay under the radar.

STOP Ransomware: The STOP Ransomware is used to ransom the file system and is based on an open source ransomware platform. It also has downloader capabilities that it uses to infect the system with additional malware.

Vidar: Vidar is an information stealer that steals web browser cookies and history, digital wallets, two-factor authentication data, and takes screenshots.

Amadey bot: Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information on a target machine.

IntelRapid: IntelRapid is a cryptocurrency stealer that steals different types of cryptocurrency wallets.

The researchers said that most often the bait software was packed with the Azorult and Predator the Thief infostealers, with the former stealing sensitive data and cryptocurrency wallets and the latter establishing a connection to Bitbucket to download additional payloads. If the infected computer contains no data worth attention, the attackers deploy STOP ransomware to blackmail the victim and maintain persistence, the researchers said.

“In some ways, this attack takes persistent revenue to the next level. These attackers infect the target machine with different kinds of malware to get as much sensitive data as possible, alongside miner capabilities and ransomware capabilities. This attack is the epitome of ‘have your cake and eat it too’, with attackers layering malware for maximum impact,” Cybereason concluded.
