Cybersecurity researchers have uncovered a sophisticated malware campaign exploiting Bitbucket, a popular code hosting platform, to deliver dangerous payloads to unsuspecting victims.
The attackers are leveraging Bitbucket’s legitimate reputation to host and distribute various types of malware, including remote access trojans (RATs) and information stealers.
Security firm G DATA recently discovered a multi-stage attack that utilizes Bitbucket repositories to host malicious files, including the notorious AsyncRAT trojan.
The attack begins with phishing emails containing obfuscated VBScript attachments. When executed, these scripts trigger a chain of events that ultimately leads to the download and execution of AsyncRAT from a Bitbucket repository.
The G DATA researchers noted that attackers have turned to Bitbucket, a popular code hosting platform, to host their malicious payloads.
This approach provides legitimacy and accessibility for distributing the malware, making it less likely to raise suspicion among security solutions.
Variety Of Malware Hosted On Bitbucket
AsyncRAT is not the only threat being distributed through Bitbucket. Researchers have identified several other malware families abusing the platform, including:
- Predator stealer
- Azorult information stealer
- STOP ransomware
- Cryptocurrency miners
A separate investigation by Cybereason in 2020 found over 500,000 systems infected through a Bitbucket-hosted malware campaign delivering multiple payloads.
The attackers employ various evasion methods to avoid detection:
- Multiple layers of Base64 encoding to obfuscate malicious code
- Anti-virtualization checks to evade analysis in sandboxed environments
- Use of legitimate Windows processes for payload execution
- Frequent updates to malware hosted on Bitbucket repositories
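An added, defender-side example that is not from the article or from G DATA's research: a small Python scanner that locates Base64 strings in a script, peels them layer by layer, and reports how many layers were stacked and whether a Bitbucket URL sits underneath. The sample script, its URL and the `scan_script`/`peel_base64` helpers are constructed for illustration.

```python
import base64
import binascii
import re

# Constructed sample: a script hiding a download URL under two Base64 layers,
# standing in for the obfuscated VBScript droppers described above.
# The repository path is a placeholder, not a real indicator.
INNER = b'https://bitbucket.org/example-placeholder/repo/raw/payload.exe'
LAYER1 = base64.b64encode(INNER)
LAYER2 = base64.b64encode(LAYER1)
SAMPLE_SCRIPT = b'Dim s\ns = "' + LAYER2 + b'"\nExecute Decode(Decode(s))\n'
# A benign script with a single, harmless Base64 string for comparison.
BENIGN_SCRIPT = b'x = "' + base64.b64encode(b'hello world, nothing here') + b'"\n'

B64_BLOB = re.compile(rb'[A-Za-z0-9+/]{24,}={0,2}')
BITBUCKET_URL = re.compile(rb'https?://(?:[a-z0-9-]+\.)?bitbucket\.org/[^\s"\']+', re.I)


def peel_base64(blob, max_layers=8):
    """Decode nested Base64 until the data is no longer valid Base64.

    Returns (layers, payload): how many layers were removed and the innermost bytes.
    Strict validation stops the loop as soon as a non-Base64 character appears.
    """
    layers, data = 0, blob
    while layers < max_layers:
        try:
            decoded = base64.b64decode(data, validate=True)
        except (ValueError, binascii.Error):
            break
        if not decoded:
            break
        layers += 1
        data = decoded
    return layers, data


def scan_script(script, min_layers=2):
    """Flag Base64 blobs that are nested at least min_layers deep or hide a Bitbucket URL."""
    findings = []
    for m in B64_BLOB.finditer(script):
        layers, payload = peel_base64(m.group(0))
        if layers == 0:
            continue
        urls = [u.decode('ascii', 'replace') for u in BITBUCKET_URL.findall(payload)]
        if layers >= min_layers or urls:
            findings.append({'offset': m.start(), 'layers': layers, 'urls': urls})
    return findings
```

Running `scan_script(SAMPLE_SCRIPT)` reports one blob with two layers and the embedded Bitbucket URL, while `scan_script(BENIGN_SCRIPT)` reports nothing; the layer count alone is a useful triage signal even when the decoded URL points somewhere other than Bitbucket.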
This abuse of Bitbucket highlights the ongoing challenge faced by code hosting platforms in preventing malicious actors from exploiting their services.
While Bitbucket has measures in place to detect and remove malicious content, the frequency of updates and obfuscation techniques used by attackers make this a constant cat-and-mouse game.
Users and organizations should exercise caution when downloading files or scripts from public repositories, even on trusted platforms like Bitbucket.
Implementing robust email filtering, keeping software updated, and using reputable security solutions can help mitigate the risks posed by these types of attacks.
The use of legitimate services like Bitbucket for malware distribution is part of a broader trend in the cybercrime ecosystem.
Attackers continuously seek new ways to bypass security measures and deliver their payloads more effectively. This campaign demonstrates that even well-established platforms can be weaponized by determined threat actors.
Continued vigilance and collaboration between security researchers, platform providers, and end-users remain crucial in combating these evolving threats.