Cybereason Discovers a Global Outbreak of Malware Attacks Using Bitbucket

Share Article

Cybercriminals are carrying out targeted attacks against companies around the world utilizing a shotgun approach with many different types of malware. Cybereason's researchers determined 500,000 + workstations are infected around the world.

Cybereason, creators of the leading Cyber Defense Platform, today announced that its Nocturnus research team released its newest research findings The Hole in the Bucket, which uncovers an arsenal of malware actively abusing Bitbucket to steal data, mine for cryptocurrency, and deliver ransomware to victims all over the world. Today, more than 500,000 workstations have been infected.

Due to the variety of malware types deployed in this active attack, attackers are not limited to one attack vector, but can hit victims over and over again. The payloads observed in this campaign originated from different accounts in the code repository platform Bitbucket, which was abused as part of the attackers delivery infrastructure.

Key Findings:

Abuses Resource Sharing Platforms: This ongoing campaign abuses the Bitbucket infrastructure to store and distribute a large collection of different malware.

Attacks From All Sides: This campaign is able to steal sensitive browser data, cookies, email client data, system information, and two-factor authentication software data, along with cryptocurrency from digital wallets. It is also able to take pictures using the camera, take screenshots, mine Monero, and, in certain cases, also deploy ransomware.

Far Reaching: This ongoing campaign has infected over 500,000 machines worldwide thus far.

Modular and Constantly Updating: The attackers leverage Bitbucket to easily update payloads and distribute many different types of malware at once. In order to evade detection, they have an array of user profiles and continuously update their repositories, at times as often as every hour.

Malware Variety: The attackers use the Evasive Monero Miner to steal a combination of data, mine cryptocurrency, and deploy other malware, including the Vidar stealer, Amadey Bot, and IntelRapid. They also use Predator the Thief, Azorult, and the STOP ransomware over the course of the campaign.

Devastating Impact: The combination of so many different types of malware exfiltrating so many different types of data can leave organizations unworkable. This threat is able to compromise system security, violate user privacy, harm machine performance, and cause great damage to individuals and corporations by stealing and spreading sensitive information, all before infecting them with ransomware.

“This research is interesting because of how the attackers infect a single target machine with multiple different kinds of malware. These kinds of commodity malware are often used for a one-off infection to steal data on the machine and sell it in underground hacking communities. However, in this attack, the attackers chose to integrate malware like coin miners and ransomware, which gives them a more persistent source of revenue,” said Lior Rochberger, Threat Hunter, Cybereason

About Cybereason
Cybereason, creators of the leading Cyber Defense Platform, gives the advantage back to the defender through a completely new approach to cybersecurity. Cybereason offers endpoint prevention, detection and response and active monitoring. The solution delivers multi-layered endpoint prevention by leveraging signature and signatureless techniques to prevent known and unknown threats in conjunction with behavioral and deception techniques to prevent ransomware and fileless attacks. Cybereason is privately held and is headquartered in Boston, with offices in London, Sydney, Tel Aviv, Tokyo, Asia-Pacific and continental Europe.

Learn more:
Follow us: Blog | Twitter | Facebook

Media Contact:
Bill Keeler
Senior Director, Global Public Relations
(929) 259-3261

Share article on social media or email:

View article via:

Pdf Print

Contact Author

Bill Keeler
Visit website