In a large-scale ‘freejacking’ campaign, a threat actor is abusing the free tiers of online CI/CD and hosting services, including GitHub, Heroku and Buddy, to mine cryptocurrency. The actor, tracked as Purpleurchin, has been observed making millions of function calls per day across hundreds to thousands of free accounts on each service.
The threat actor automates account creation, assigns each new account its own VPN IP address so that the accounts do not share a source address that could be tied together and blocked, and creates GitHub workflows in the new accounts. An automation script then launches 30 instances of Docker images containing cryptomining software for each action in the GitHub workflow.
The miner appears to mine several low-value coins, including Tidecoin, Onyx, Sugarchain, Sprint, Yenten, Arionum, MintMe, and Bitweb, submitting work to their respective pools. Rather than connecting each runner directly to a pool, the actor routes miner traffic through its own Stratum mining-protocol relay, so that the real pool endpoints are not visible in each account's network activity and port- or destination-based blocking of known pools does not apply.
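The relay hides the pool destination, but not the protocol: Stratum is newline-delimited JSON-RPC with fixed method names (`mining.subscribe`, `mining.authorize`, `mining.submit`, and so on), and a relay still has to carry them. The following Python is an added example, not code from the original article or from the Purpleurchin tooling: it groups constructed egress records by (process, destination, port) and flags any flow that speaks Stratum client methods, regardless of the port in use. The record layout, the process IDs and the hostnames (`relay.example.invalid`, `registry.example.invalid`) are assumptions made up for the example; in practice the payloads would come from host-side inspection on the runner, since a relay may wrap the stream in TLS.

```python
import json
from collections import defaultdict

# Method names fixed by the Stratum protocol. A relay on an unusual port still
# has to forward these, so they are a more stable signal than pool hostnames.
STRATUM_METHODS = {
    "mining.subscribe",
    "mining.authorize",
    "mining.submit",
    "mining.notify",
    "mining.set_difficulty",
    "mining.extranonce.subscribe",
}
# Methods sent by the mining client; seeing these from a process means it is
# a miner, not merely something that received a pool broadcast.
CLIENT_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit"}

# Constructed sample egress: (pid, dst_host, dst_port, payload as seen on the
# host). The miner talks to a relay on 8443, not a well-known pool port.
SAMPLE_EGRESS = [
    (4101, "relay.example.invalid", 8443,
     '{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.1"]}\n'),
    (4101, "relay.example.invalid", 8443,
     '{"id":2,"method":"mining.authorize","params":["worker1","x"]}\n'),
    (4101, "relay.example.invalid", 8443,
     '{"id":3,"method":"mining.submit",'
     '"params":["worker1","job1","00000000","5f3a1c2e","abcd0001"]}\n'),
    (2200, "api.github.com", 443,
     '{"query":"{ viewer { login } }"}\n'),
    (2201, "registry.example.invalid", 443,
     'not json at all\n'),
]


def parse_stratum_methods(payload):
    """Return the Stratum method names found in a newline-delimited JSON payload.

    Non-JSON lines and JSON without a recognised "method" are ignored, so
    ordinary HTTPS/JSON traffic produces no hits.
    """
    found = []
    for line in payload.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            msg = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(msg, dict):
            continue
        method = msg.get("method")
        if isinstance(method, str) and method in STRATUM_METHODS:
            found.append(method)
    return found


def detect_stratum(records):
    """Group egress by (pid, host, port) and flag flows that speak Stratum.

    Returns {(pid, host, port): sorted list of methods seen} for flows where at
    least one client-side method appeared. Port is reported but never used as
    a filter, which is the point when the pool sits behind a relay.
    """
    flows = defaultdict(set)
    for pid, host, port, payload in records:
        for method in parse_stratum_methods(payload):
            flows[(pid, host, port)].add(method)
    return {key: sorted(methods)
            for key, methods in flows.items()
            if methods & CLIENT_METHODS}


if __name__ == "__main__":
    for (pid, host, port), methods in detect_stratum(SAMPLE_EGRESS).items():
        print(f"pid {pid} -> {host}:{port} speaks Stratum: {', '.join(methods)}")
```

Only the flow to the relay is reported; the GitHub API call and the non-JSON line are ignored. A flow that only receives `mining.notify` without ever sending a client method is also not flagged, which keeps the check focused on the process doing the mining.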