Researchers from Cybereason have discovered seven types of malware threats being hosted on the code hosting service Bitbucket. Cybercriminals use legitimate hosting services hoping to look less suspicious and infect more systems. They trick unsuspecting victims into downloading these viruses by promising free versions of popular programs such as Adobe Photoshop, Microsoft Office and others. The research shows that there are, as of the time of the article, over 500,000 downloads of the virus packages. The seven payloads are:
- Predator: information stealer, focuses on credentials from browsers, uses the camera to take pictures, takes screenshots, and steals cryptocurrency wallets
- Azorult: information stealer with backdoor capabilities that pilfers passwords, email logins, cookies, browser history, IDs, and cryptocurrencies
- Evasive Monero Miner: dropper for a multi-stage XMRig miner for Monero cryptocurrency that integrates evasion techniques
- STOP Ransomware: ransomware based on open-source code; it also acts as a malware dropper for other threats
- Vidar: information stealer that targets browser cookies and history, digital wallets, and two-factor authentication data; it can take screenshots
- Amadey bot: a simple trojan bot mainly used for reconnaissance
Analyst Notes
It is not uncommon to look like free or discounted versions of popular software. The primary method of defense from malicious payloads like this is to simply download the authentic, real program from the author of the program. Binary Defense analysts have observed recent malware attacks that use trusted hosting providers such as Google Drive to deliver malware from an IP address that is not suspicious and won’t be blocked by network defenses. When an information stealer such as Predator, Azorult or Vidar has infected a computer, it is important to reset passwords for email accounts and any services that were saved in the browser. It is better to not save any passwords to web browser storage—save passwords in a dedicated password manager program. It is also recommended to employ a service such as the Binary Defense Security Operations Center that can monitor an organization’s endpoints and defend from malicious software before they can do damage.
For more information: https://www.bleepingcomputer.com/news/security/bitbucket-abused-to-infect-500-000-hosts-with-malware-cocktail/
