RESEARCH: The Hole in the Bucket – Attackers Abuse Bitbucket to Deliver an Arsenal of Malware

The Cybereason Nocturnus Research Team is following an active campaign to deliver multiple different types of malware and infect victims all over the world. Due to the unprecedented number of malware types deployed in this attack, the attackers are able to steal a wide variety of sensitive data, mine for Monero, and ultimately deploy ransomware. All of the payloads observed in this campaign originated from a code repository platform, Bitbucket, which was abused as part of the attackers delivery infrastructure.

Key points:

• Abuses resource sharing platforms: TheCybereason Nocturnus team is investigating an ongoing campaign that abuses the Bitbucket infrastructure to store and distribute a large collection of different malware. The attackers aren’t satisfied with one payload, they want to use multiple to maximise their revenue.
• Attacks from all sides: This campaign deploys seven different types of malware for a multi-pronged assault on businesses. It is able to steal sensitive browser data, cookies, email client data, system information, and two-factor authentication software data, along with cryptocurrency from digital wallets. It is also able to take pictures using the camera, take screenshots, mine Monero, and ultimately deploy ransomware.
• Far Reaching: This ongoing campaign has infected over 500,000 machines worldwide thus far.
• Modular and Constantly Updating: The attackers leverage Bitbucket to easily update payloads and distribute many different types of malware at once. In order to evade detection, they have an array of user profiles and continuously update their repositories, at times as often as every hour.
• Many kinds of malware: The attackers use the Evasive Monero Miner to steal a combination of data, mine cryptocurrency, and deploy other malware including the Vidar stealer, Amadey Bot, and IntelRapid. They also use Predator the Thief, Azorult, and the STOP ransomware over the course of their activities.
• Devastating impact: The combination of so many different types of malware exfiltrating so many different types of data can leave organisations unworkable. This threat is able to compromise system security, violate user privacy, harm machine performance, and cause great damage to individuals and corporations by stealing and spreading sensitive information, all before infecting them with ransomware.

This highlights an ongoing trend with cybercriminals, where they abuse legitimate online storage platforms like Github, Dropbox, Google Drive, and Bitbucket to distribute commodity malware.