2020-02-05
Hijacked botnet: someone is working on the Phorpiex malware

Someone removes Phorpiex malware from infected PCs and asks users to install an antivirus

Bitbucket is the newest legitimate hosting provider that is being abused by cyber criminals to spread malware.

In a campaign unveiled by Cybereason researchers Lior Rochberger and Assaf Dahan on Wednesday, threat actors are actively delivering an “unprecedented number of types of malware” in a new international attack wave.

All of the malware is hosted on Bitbucket. When legitimate hosting services are abused – including Google Drive, GitHub and Dropbox – it is usually a quick matter for users to report the abuse and have the malicious files taken down, but in this case, the cyber security company says a range of user profiles are used and updated regularly, sometimes as often as every hour, to keep the criminal activity from being disrupted.

According to the report, more than 500,000 machines have been infected with malware used in this campaign so far – and the attacks show no signs of stopping.

The list of malware families used is extensive. The first is Predator, an information-stealing malware variant first observed by Fortinet in 2018 after making the rounds on Russian underground forums. Predator, written in C/C++, is able to steal data, including system information and browser credentials, hijack webcams and replace cryptocurrency wallet addresses in the clipboard. The malware has recently been rewritten to become fileless.

Next is Azorult. This malware strain was first discovered in 2016 and is another information stealer, one that can also establish a Remote Desktop Protocol (RDP) connection through hidden administrator accounts on infected machines. Azorult is often distributed via the Fallout exploit kit.

A dropper is also used. Known as the Evasive Monero Miner, the dropper deploys an XMRig cryptocurrency miner which “uses advanced evasion techniques to mine Monero and stay under the radar,” the team said.

Ransomware, a particularly disruptive form of malware that recently made the news after Travelex was taken offline for weeks, also appears in the attackers' arsenal. The strain they chose to use is called STOP, which reportedly demands between $300 and $600 from victims. Cybereason says that STOP can also download additional malware payloads.

If this wasn’t enough, Vidar is also introduced: C++ spyware that is able to search compromised machines for specific files to steal, grab browser cookies and history, tamper with cryptocurrency wallets, take screenshots and possibly intercept 2FA protections, among other functions. IntelRapid, a cryptocurrency stealer that can compromise various types of wallet, is also linked to the campaign.

The Amadey bot is also present; but unlike some of the other malware variants mentioned, it is a simple Trojan bot used for reconnaissance of the target machine. The RigEK and Fallout exploit kits have distributed Amadey in the past.

Themida and CypherIT (AutoIt) are used as packers in an attempt to hinder detection and analysis.

The infection vector begins with phishing emails enhanced by social engineering, or with downloads of cracked software.

Attribution is, as in many cases, a difficult proposition, but the team continues to actively track the operators. Cybereason contacted Bitbucket with the company’s findings and Bitbucket is investigating. Assaf Dahan, senior director of threat hunting at Cybereason, told ZDNet that the files have been deleted for the time being.

“Attackers continue to abuse legitimate online storage platforms for their own gain. With immediate parallels to the benefits of living binaries, legitimate applications are an easy, trusted way for attackers to access and distribute malware within an organization,” the researchers say. “These attackers infect the target machine with seven different types of malware to get as much sensitive data as possible, in addition to mining capabilities and ransomware capabilities. This attack is the pinnacle of ‘you have cake and eat it too,’ with attackers putting malware on for maximum impact.”

