|
South African threat actors known as 'Automated Libra' has been refining their tactics to generate a profit by utilizing cloud platform resources for bitcoin mining.
According to Palo Alto Networks Unit 42, the threat actors employ a new CAPTCHA solving system, pursue a more aggressive use of CPU resources for mining, and mixe 'freejacking' with the "Play and Run" approach to misuse free cloud resources.
'Automated Libra' was initially identified by analysts at Sysdig in October 2022, who termed the malicious cluster of activity 'PurpleUrchin' and assumed the group was engaged to freejacking activities.
Unit 42 has gone further into this operation, reviewing over 250 GB of acquired data and revealing a lot more about the threat actor's infrastructure, history, and methods.
Overview of Automated Libra
The threat actor performs automated campaigns exploiting continuous integration and deployment (CI/CD) service providers, such as GitHub, Heroku, Buddy.works, and Togglebox, to set up new accounts on the platforms and operate bitcoin miners in containers.
Whereas Sysdig discovered 3,200 fraudulent accounts belonging to 'PurpleUrchin,' Unit 42 now claims that the threat actor has generated and utilized over 130,000 accounts on the platforms since August 2019, when the first evidence of its operations may be found.
Additionally, Unit 42 determined that the threat actor didn't employ containerized components simply for mining but also for selling the mined cryptocurrency across several trading platforms, including ExchangeMarket, crex24, Luno, and CRATEX.
New Play and Run strategies
Sysdig found that the threat actors engaged in 'freejacking,' aiming to exploit whatever available resources are granted to free accounts, hoping to generate large profit by scaling up its operation.
Unit 42 verifies that freejacking is an essential element of PurpleUrchin's activities but states that the "Play and Run" tactic is also highly linked.
Play and Run is a euphemism for threat actors exploiting paid resources for profit, in this example, cryptomining, and refusing to pay the bills until their accounts are suspended. At that time, they discard them and go on.
Typically, PurpleUrchin utilizes stolen PII and credit card data to establish premium accounts on multiple VPS and CSP platforms, so nobody can identify them when they leave outstanding bills.
"The actor also seemed to reserve a whole server or cloud instances and they occasionally utilised CSP services such as AHPs," adds the Unit 42 report.
"They did so in order to simplify hosting web servers that were necessary to monitor and track their large-scale mining activities."
In these circumstances, the threat actor consumes as much CPU resources as possible before they lose access to it.
This contrasts the technique taken in the freejacking efforts, where the miner only utilizes a little fraction of the server's CPU power.
GitHub CAPTCHA solving
One significant approach deployed by Automated Libra is a CAPTCHA-solving mechanism that allows them establish multiple accounts on GitHub without needing user interaction.
The threat actors utilize ImageMagic's "convert" tool to convert CAPTCHA pictures into their RGB counterparts and then use the "identify" tool to extract the Red channel skewness for each image.
|
| CAPTCHA and conversion (Unit 42) |
|
| Command to extract skewness value (top) and image ranking (bottom) (Unit 42) |
The value outputted by the “identify” tool is utilized for ranking the photographs in ascending order. Finally, the automated process utilizes the table to choose the picture that tops the list, which is generally the correct one.
This system illustrates the resolve of Automated Libra to attain improved operational efficiency by increasing the number of accounts per minute they can generate on GitHub.