February 5, 2020 | 9 minute read
Cybereason is following an active campaign to deliver an arsenal of malware that is able to steal data, mine for cryptocurrency, and deliver ransomware to victims all over the world. Due to the variety of malware types deployed in this attack, attackers are able to hit victims from all sides and do not have to limit themselves to one attack goal or another. The payloads observed in this campaign originated from different accounts in code repository platform Bitbucket, which was abused as part of the attackers delivery infrastructure.
The following malware are deployed and updated using Bitbucket by the threat actor:
Cybereason reached out to Bitbucket Support and the malicious repositories mentioned in the report were deactivated within a few hours.
The flow of the Bitbucket multi-payload attack.
This research highlights an ongoing trend with cybercriminals where they abuse legitimate online storage platforms like Github, Dropbox, Google Drive, and Bitbucket to distribute commodity malware.
In this campaign, the attackers abuse the Bitbucket platform by creating several user accounts that are updated frequently. Regular updates to the malware stored on these accounts and the use of Themida as a packer are used to evade detection by antivirus products and thwart analysis attempts. They also use the CypherIT Autoit packer to pack Azorult and give additional layers of protection against analysis.
This research is particularly interesting because of how the attackers infect a single target machine with multiple different kinds of malware. These kinds of commodity malware are often used for a one-off infection to steal data on the machine and sell it in underground hacking communities. However, in this attack, the attackers chose to integrate malware like coin miners and ransomware, which gives them a more persistent source of revenue. Each piece of malware in this campaign makes the attack stronger, with additional capabilities and features for a greater impact.
For a synopsis of this research, check out the Bitbucket Threat Alert.
This attack starts with an unsuspecting user downloading a cracked version of commercial software like Adobe Photoshop, Microsoft Office, and others. Threat actors often target users looking for “free” commercial products by bundling legitimate software with different kinds of malware. In this instance, we are seeing vast amounts of cracked software bundled with the Azorult Infostealer and Predator the Thief.
Predator the Thief is an information stealer that steals sensitive data like passwords from browsers, takes pictures, takes screenshots, and steals cryptocurrency wallets. Predator had previously been delivered via exploit kits like the RIG Exploit Kit and through phishing attacks.
When a user attempts to install the “free commercial software”, it actually drops Azorult and Predator onto the target machine. Azorult (download.exe) immediately starts stealing information and deleting its binary to cover its tracks. After Azorult executes, Predator (dowloadx.exe) creates a connection to Bitbucket to begin downloading additional payloads.
Cybereason UI: the attack tree of the execution of the malicious zip file.
We identified the download URLs for additional payloads of Azorult and the Evasive Monero Miner from a Bitbucket repository at hxxps://bitbucket[.]org/patrickhornvist/repo/ by unpacking Predator.
Deobfuscated strings in memory from downloadx.exe show download URLs of other malware.
There are multiple additional payloads on Bitbucket:
Screenshot of the Bitbucket repo: https://bitbucket[.]org/patrickhornvist/repo/downloads
Through research of other samples related to the campaign, we have identified additional Bitbucket repositories that are likely created by the same threat actor with the same set of malware samples. Judging by the number of downloads, we estimate over 500,000 machines have been infected by the campaign so far, with hundreds of machines affected every hour.
It’s worth noting that the payloads on Bitbucket are updated almost constantly by the threat actor, sometimes as often as every few hours. This is likely done to avoid detection by traditional antivirus by replacing old binaries with fresh ones unknown to AV engines.
Azorult is an information stealer that uses a quick and dirty approach to steal sensitive data. After it successfully steals sensitive information, it deletes any trace of itself by removing all associated files.
Predator downloads a secondary downloader which is used to download an evasive version of Azorult. In order to download Azorult, this downloader connects to hxxps://2no[.]co/2QqYb5 and downloads an encoded file in a certificate form named bolo.com.
The encoded Azorult payload, a file named bolo.com.
The downloader uses certutil.exe , a native Windows binary, to decode the payload using the living-off-the-land technique. We have previously reported how the Ramnit trojan has been decoded using this technique. The contents of the decoded payload have another layer of obfuscation as well.
The decoded Azorult payload - grol.
To execute the decoded payload, the malware launches the Autoit compiler, which the threat actor renamed to lsm.com. AutoIt is a freeware scripting language used to automate the Windows GUI and general scripting. It is compatible with all versions of Windows with no prerequisites, which makes it a useful tool for attackers looking to create malware.
Cybereason UI: the attack tree of the evasive Azorult execution.
Once executed, Azorult scans the file system and searches for sensitive data like browser data, cookies, email clients and cryptocurrency wallets. It copies this data to the %TEMP% directory, packs it, and sends it to the attacker. Once all information has been exfiltrated, Azorult removes all data copied to %TEMP% and deletes its binary to cover its tracks.
The STOP Ransomware was first discovered in 2018, but began its most aggressive campaigns in early 2019. Over the year, it evolved to strengthen its encryption and evade detection, and at one point was even used to deliver Azorult onto victim’s systems.
Predator downloads the STOP Ransomware from Bitbucket (111.exe) and executes it. STOP gathers information about the target machine by accessing api.2ip.ua and checks to see if it is running on a VM.
STOP creates a folder in %AppData%, copies its binary there, and changes access control to the file using icacls so others cannot access it.
STOP creates a RUN registry key and a scheduled task to execute itself every five minutes. While running, it connects to the C2 server, sends the C2 the MD5 hash of the MAC address, and downloads a key for file encryption.
STOP also downloads additional payloads onto the machine, including:
updatewin.exe and updatewin2.exe help STOP evade detection, and the other payloads are independent pieces of malware: the Visel Trojan, the infamous Vidar stealer, and several other files.
Cybereason UI: the process tree of STOP Ransomware and Vidar stealer.
Vidar is a well-known information stealer that collects system information, passwords from browsers, email, and two-factor authentication software data. It stores stolen data in a randomly named folder in %ProgramData% and sends the info to its C2 server, besfdooorkoora[.]com. After the data is sent to the attacker, the malware stops the process and deletes its payload from the machine (5.exe).
Ever since the rise of Bitcoin, miners have gained popularity in the underground community, becoming one of the best sellers for attackers looking to make an easy profit. In this campaign, attackers continue this trend by distributing an Evasive Monero Miner.
The Evasive Monero Miner is a dropper that drops a version of the infamous, open source XMRig miner based on its original source code. An older version of the Evasive Monero Miner was first submitted to VirusTotal in late 2018, but was not discovered until December 2019 after a massive campaign that infected machines all over the world.
The dropper is packed with Themida, a powerful packer with anti-debug features and a way of packing that intentionally makes it difficult to manually unpack. It uses an Autoit compiled script to unpack and download the XMRig miner. The dropper also uses several evasive techniques it uses to avoid detection, including code injection, file renaming, encoded files, non-executable extensions, and the ability to connect through Tor.
When the Evasive Monero Miner is first executed, it drops several files in the %TEMP% folder:
CL_Debug_Log.txt is the binary for the 7zip executable renamed to hide its activity. It extracts and decodes a 7zip archive named CR_Debug_Log.txt. CR_Debug_Log.txt extracts a 32-bit and 64-bit version of the payload of the miner, 32.exe and 64.exe, into %TEMP%.
After extracting the payload, the dropper deletes the encoded archive CR_Debug_Log.txt and checks if the machine’s architecture is 32-bit or 64-bit. Depending on the results of the check, it copies the relevant binary, renames it helper.exe, and saves it in \AppData\Roaming\Microsoft\Windows.
Cybereason UI: attack tree of the execution of the XMRig Miner Dropper
The dropper also creates an XML file in %TEMP% named SystemCheck.xml along with a scheduled task SystemCheck that runs the XML file every minute.
The XML file is configured to run helper.exe with the argument -SystemCheck:
How Sys5emCheck.xml executes helper.exe.
helper.exe is a compiled Autoit script. The script sets a few variables for the malware configuration, including:
helper.exe decompiled code: the variables setting.
helper.exe contains two embedded binaries built during execution, the first of which is a 7zip binary.
helper.exe decompiled code: 7Zip binary embedded code.
The second is an encoded 7zip archive for a Tor client named Tor.tmp. Tor.tmp is decoded using the embedded password in helper.exe and extracted to \AppData\Roaming\Microsoft\Windows\Tor\.
helper.exe decompiled code: Tor client embedded code.
Cybereason UI: command line used to extract the Tor.tmp archive.
The dropper checks for various antivirus engines on the target machine, as well as if the SmartScreen feature of Windows Defender exists. SmartScreen is used to protect against phishing and various malware websites.
The helper.exe decompiled code: an embedded list of security products.
helper.exe holds four domains encoded in Base64:
helper.exe decompiled code: embedded Base64 encoded domains.
The decoded domains:
The dropper uses the Tor client to connect to one of the decoded domains, combined with the URL paths, and downloads the contents into a file named SysBackup.tmp and the malware version into a file name upd.version to the target machine. Both of these files are created under \AppData\Roaming\Microsoft\Windows\.
helper.exe decompiled code: creating the GET request that downloads the XMRig miner - SysBackup.tmp.
After the file is downloaded, the dropper terminates tor.exe.
Sysbackup.tmp houses a bytes array for the XMRig miner executable.
XMRig file properties.
helper.exe spawns attrib.exe and injects the XMRig miner code into memory.
XMRig code floating in memory of attrib.exe. Taken using Process Hacker.
The dropper executes attrib.exe with a command line that specifies the mining pool and the wallet where the miner will add its resources.
helper.exe decompiled code: building the command line for attrib.exe.
Attackers continue to abuse legitimate online storage platforms for their own gain. By storing malicious payloads on trusted platforms, attackers can bypass security products to exploit the trust given to legitimate online services. In addition, it provides the attackers with another way of reducing the risk of exposure to their C2 server infrastructure through separating the delivery infrastructure (online storage platforms) from the C2 server infrastructure.
In some ways, this attack takes persistent revenue to the next level. These attackers infect the target machine with different kinds of malware to get as much sensitive data as possible, alongside miner capabilities and ransomware capabilities. This attack is the epitome of “have your cake and eat it too”, with attackers layering malware for maximum impact.
Attackers continue to evolve and look for more effective ways to make a profit. They are finding that, when their tools fail, they can use legitimate ones instead. Security practitioners must find ways to evolve faster and ensure the security of these trusted resources so we can stay ahead of these threats.
The best way to defend against an attack like this is to use an iterative security process. Learn more in our whitepaper, "Unleashing the true potential of MITRE ATT&CK."
Click here for a full list of the IOCs (PDF).
The Cybereason Nocturnus Team has brought the world’s brightest minds from the military, government intelligence, and enterprise security to uncover emerging threats across the globe. They specialize in analyzing new attack methodologies, reverse-engineering malware, and exposing unknown system vulnerabilities. The Cybereason Nocturnus Team was the first to release a vaccination for the 2017 NotPetya and Bad Rabbit cyberattacks.All Posts by Cybereason Nocturnus