Active Campaign Uses BitBucket Cloud Storage Platform to Deliver 7 Different Malware Payloads
Hackers are increasingly using legitimate online storage platforms to host their malware. It’s a ‘living-off-the-internet’ scenario with similar advantages to living-off-the-land during a system compromise — the bad stuff is hidden in plain sight and easily overlooked.
Cybereason’s Nocturnus researchers have discovered an ongoing campaign that takes this approach to the next level — multiple malware families stored on BitBucket and downloaded in layers so that each successful compromise is exploited to the full. It is proving very successful. Cybereason has determined from the number of downloads that some 500,000 computers may have already been infected, and the toll is still increasing with hundreds of new infections every hour.
Part of the success is down to the lengths the attackers go to ensure the malware isn’t discovered and removed from BitBucket. They use multiple accounts that are frequently updated. The stored malware is frequently updated, sometimes every hour, with new versions created using Themida as a packer to avoid detection by anti-malware products and thwart analysis attempts. One of the payloads, Azorult, also uses the CypherIT AutoIt packer for additional protection from discovery.
The full range of malware that is delivered in this campaign includes Predator (information stealer), Azorult (information stealer with backdoor capabilities), Evasive Monero Miner (dropper for XMRig Miner), STOP ransomware (based on an open source ransomware platform), Vidar (another information stealer), Amadey bot (primarily used for collecting reconnaissance information), and IntelRapid (a cryptocurrency stealer).
As a result, the campaign can steal sensitive browser data, cookies, email client data, system information, and two-factor authentication software data, along with cryptocurrency from digital wallets. It can also take pictures using the camera, take screenshots, mine Monero, and ultimately deploy ransomware.
“This research is particularly interesting,” say the researchers, “because of how the attackers chose to infect a single target machine with multiple different kinds of malware… Each piece of malware in this campaign makes the attack stronger, with additional capabilities and features for a greater impact.”
The infection method leverages the common user desire for free commercial software, such as Photoshop or Office. The attackers advertise free, cracked versions, but provide a zip that includes Predator and/or Azorult. When the user attempts to install the free software, Predator and Azorult are dropped. Azorult immediately steals data and deletes all trace of itself to cover its tracks. This is a quick and dirty approach to stealing data and is likely used to ensure the attacker gets some benefit even if the attack is quickly discovered. After this, Predator connects to BitBucket and starts to download additional payloads.
Predator is the primary downloader. First it downloads a secondary downloader that grabs a different, encoded and evasive version of Azorult, disguised as a certificate file. This is decoded using certutil.exe. The decoded payload is executed via AutoIt (renamed to Ism.com), a freeware scripting tool used for general scripting and for automating the Windows GUI. Azorult scans the system for sensitive data and cryptocurrency wallets, packs the stolen data and sends it to the attacker — and then deletes itself.
Other malware that can be downloaded includes further information stealers to maximize the amount and range of data stolen, a crypto miner for long term financial gain, and the STOP ransomware as the coup de grace.
The crypto miner is originally delivered as the Evasive Monero Miner, which is itself a dropper for the XMRig Miner. The dropper sets the scene for XMRig. It checks for various anti-malware products and Windows SmartScreen on the system. It also holds four onion domains encoded in Base64. When ready, it connects to one of these domains via Tor, downloads the miner and terminates tor.exe. It then injects the XMRig code into memory.
The STOP ransomware was first detected in 2018, but has since evolved and improved its encryption and evasion. It is downloaded and executed by Predator. It checks that it is not running in a VM, creates a folder in %AppData%, copies its binary there, and changes the file’s access control list using icacls so other users cannot access it. STOP creates a RUN registry key and a scheduled task to execute itself every five minutes. It connects to its C2 server, sends it the MD5 hash of the MAC address, and downloads a key for file encryption. The NoMoreRansom project currently includes no decryption tool for it.
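The behaviours described above for the Azorult stage (certutil decoding a payload dressed up as a certificate, then a renamed AutoIt interpreter running it) and for STOP’s persistence (icacls on a copy under %AppData%, a Run key, a scheduled task firing every few minutes) are all visible in ordinary process-creation telemetry. The following detection sketch is an added example written for this article, not code from Cybereason or from the campaign; the event records, paths, value names and task names are constructed placeholders in the style of Sysmon Event ID 1 fields, and the thresholds and rule names are the author’s assumptions rather than published indicators.

```python
"""Flag process-creation events matching the techniques the article describes.

Added example (not Cybereason's code). Events are constructed, Sysmon-style dicts
with Image, CommandLine and OriginalFileName; nothing here is a real IoC.
"""
import ntpath
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Constructed sample telemetry. Every path, value name and task name is a placeholder.
SAMPLE_EVENTS: List[Event] = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -decode C:\Users\u\AppData\Local\Temp\a.crt C:\Users\u\AppData\Local\Temp\a.exe",
     "OriginalFileName": "CertUtil.exe"},
    {"Image": r"C:\Users\u\AppData\Local\Temp\Ism.com",          # AutoIt renamed, as in the article
     "CommandLine": r"Ism.com C:\Users\u\AppData\Local\Temp\script.au3",
     "OriginalFileName": "AutoIt3.exe"},
    {"Image": r"C:\Windows\System32\icacls.exe",
     "CommandLine": r'icacls "C:\Users\u\AppData\Roaming\example-dir\example.exe" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
     "OriginalFileName": "iCACLS.EXE"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ExampleValue /t REG_SZ /d "C:\Users\u\AppData\Roaming\example-dir\example.exe"',
     "OriginalFileName": "reg.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn ExampleTask /tr "C:\Users\u\AppData\Roaming\example-dir\example.exe" /sc minute /mo 5',
     "OriginalFileName": "schtasks.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",                # benign control event
     "CommandLine": r"notepad.exe C:\Users\u\notes.txt",
     "OriginalFileName": "NOTEPAD.EXE"},
]

APPDATA = re.compile(r"\\appdata\\", re.I)


def _exe(e: Event) -> str:
    """Lower-cased basename of the launched image (ntpath handles Windows paths on any OS)."""
    return ntpath.basename(e["Image"]).lower()


def _cmd(e: Event) -> str:
    return e["CommandLine"].lower()


def certutil_decode(e: Event) -> bool:
    """certutil used to decode a file: the article's 'certificate' delivery of Azorult."""
    return _exe(e) == "certutil.exe" and re.search(r"[-/]decode\b", _cmd(e)) is not None


def renamed_autoit(e: Event) -> bool:
    """PE version info says AutoIt, but the file on disk carries another name (e.g. Ism.com)."""
    orig = e.get("OriginalFileName", "").lower()
    return orig.startswith("autoit3") and _exe(e) != orig


def icacls_restrict_appdata(e: Event) -> bool:
    """icacls adding a deny ACE to something living under %AppData% (STOP's self-protection)."""
    return _exe(e) == "icacls.exe" and "/deny" in _cmd(e) and APPDATA.search(_cmd(e)) is not None


def run_key_appdata(e: Event) -> bool:
    """Run-key persistence whose target binary sits under %AppData%."""
    c = _cmd(e)
    return _exe(e) == "reg.exe" and r"\currentversion\run" in c and APPDATA.search(c) is not None


def minute_task_appdata(e: Event) -> bool:
    """Minute-granularity scheduled task launching a binary from %AppData% (STOP: every five minutes)."""
    c = _cmd(e)
    return _exe(e) == "schtasks.exe" and "/create" in c and "/sc minute" in c and APPDATA.search(c) is not None


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("certutil_decode", certutil_decode),
    ("renamed_autoit", renamed_autoit),
    ("icacls_restrict_appdata", icacls_restrict_appdata),
    ("run_key_appdata", run_key_appdata),
    ("minute_task_appdata", minute_task_appdata),
]


def scan(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires on every event."""
    return [(i, name) for i, e in enumerate(events) for name, rule in RULES if rule(e)]


if __name__ == "__main__":
    for idx, rule_name in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule_name}: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Each rule keys on a combination (tool plus argument plus an %AppData% path, or a mismatch between OriginalFileName and the on-disk name) rather than on a single file name, because the article notes that the hosted binaries are repacked as often as hourly, so hashes and names of the payloads themselves are poor anchors; the behaviours, by contrast, are what the malware needs in order to work.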
The campaign is typical of attackers increasingly making use of legitimate services — in this case BitBucket — in their attacks. Files received from these generally trusted sources are less likely to be blocked at entry. This campaign is a first, however: “These attackers,” say the researchers, “infect the target machine with seven different kinds of malware to get as much sensitive data as possible, alongside miner capabilities and ransomware capabilities. This attack is the epitome of ‘have your cake and eat it too’, with attackers layering malware for maximum impact.”