Researchers from Unit 42 analyze Automated Libra, the group of cloud threat actors responsible for PurpleUrchin, the freejacking campaign.
It has been observed that Automated Libra has been refining its methods to profit from cloud platform resources used for cryptocurrency mining.
Threat actors abuse free cloud resources by using a new CAPTCHA-solving technique, more aggressive CPU resource utilization for mining, and a mix of “freejacking” and the “Play and Run” method.
PurpleUrchin was initially identified in October 2022 when Sysdig disclosed that the attackers scaled their operations by opening 30 GitHub accounts, 2,000 Heroku accounts, and 900 Buddy accounts.
“We collected more than 250 GB of container data created for the PurpleUrchin operation and discovered that the threat actors behind this campaign were creating three to five GitHub accounts every minute during the peak of their operations in November 2022”, Unit 42 reports.
Play and Run Tactics
Reports say PurpleUrchin threat actors used Play and Run strategies, consuming cloud resources while avoiding paying the cloud platform vendor’s bill for such resources.
Actors from PurpleUrchin carried out these Play and Run activities by setting up fake accounts backed by fake or possibly stolen payment cards. These fake accounts were left with outstanding balances; $190 USD was one of the largest outstanding balances discovered.
“We suspect the unpaid balances in other fake accounts and cloud services used by the actors could have been much larger due to the scale and breadth of the mining operation”, researchers
The Specifics of Automated Libra
The threat actor uses automated campaigns to create new accounts on the platforms and run cryptocurrency miners in containers by abusing continuous integration and deployment (CI/CD) service providers like GitHub, Heroku, Buddy.works, and Togglebox.
Unit 42 found that the threat actor traded the cryptocurrency they had mined on a variety of trading platforms, including ExchangeMarket, crex24, Luno, and CRATEX. The mining itself ran in containerized components.
Mining with GitHub Workflows
Researchers say GitHub was most likely the actors' preferred platform because of its easier account setup process. The actors were also able to take advantage of a flaw in the GitHub CAPTCHA check.
Notably, after engaging in a Play and Run strategy in which each account consumed computing resources, the threat actors ultimately failed to pay the bills for each of the GitHub accounts.
PurpleUrchin generated more than 130,000 accounts across numerous virtual private server (VPS) providers and cloud service providers (CSPs), suggesting that this is a typical operating practice for them.
The threat actors transform CAPTCHA images into their RGB equivalents using ImageMagick’s “convert” tool and then use the “identify” tool to determine each image’s Red channel skewness.
The “identify” tool’s output value is used to rank the images in ascending order. The automated tool then selects the image that tops the list, which is usually the right one.
This system demonstrates Automated Libra’s commitment to enhancing operational effectiveness by raising the number of GitHub accounts they can create each minute.
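As an added defender-side example (not code from Unit 42’s report or this article), the following sliding-window detector flags any signup origin that creates accounts at the rate described above and in the November 2022 peak figures (three to five accounts per minute). The log line format and the per-request source field are assumptions; the sample log is constructed.

```python
"""Flag account-creation bursts of the kind Unit 42 describes for
PurpleUrchin. Assumption: an identity platform emits one log line per
signup in the form 'ISO-timestamp source account' (format is hypothetical)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines; the source field stands in for whatever
# request origin (IP, ASN or browser fingerprint) the platform records.
SAMPLE_LOG = """\
2022-11-03T10:00:05Z 203.0.113.7 user-a1
2022-11-03T10:00:21Z 203.0.113.7 user-a2
2022-11-03T10:00:40Z 198.51.100.2 alice
2022-11-03T10:00:44Z 203.0.113.7 user-a3
2022-11-03T10:00:58Z 203.0.113.7 user-a4
2022-11-03T10:01:30Z 203.0.113.7 user-a5
2022-11-03T10:05:00Z 198.51.100.2 bob
"""


def parse_event(line):
    """Split one log line into (timestamp, source, account)."""
    ts, src, account = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, account


def signup_bursts(log_text, window=timedelta(seconds=60), threshold=3):
    """Return {source: peak signups seen in any sliding `window`} for every
    source whose peak reaches `threshold`. Lines are assumed time-ordered."""
    recent = defaultdict(deque)  # source -> timestamps still inside the window
    peak = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _ = parse_event(line)
        q = recent[src]
        q.append(ts)
        # Evict events that fell out of the window before counting.
        while ts - q[0] > window:
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return {src: n for src, n in peak.items() if n >= threshold}
```

On the constructed log, 203.0.113.7 reaches four signups inside one minute and is reported, while the single-user origin is not.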
“It is important to note that Automated Libra has designed its infrastructure to take full advantage of CD/CI tools,” the researchers concluded.
“This has become easier to achieve over time as traditional VSPs diversify their service portfolios to include cloud-related services. It’s easier for attackers because they don’t need it to deploy the application.”