More information has become available on "PurpleUrchin," a malicious campaign in which a threat group called Automated Libra is using DevOps and continuous integration/continuous deployment (CI/CD) practices to mine cryptocurrency on cloud platforms using free trial accounts.

The campaign began in August 2019 and has mainly targeted platforms such as GitHub, Heroku, and ToggleBox. Security vendor Sysdig first reported on the campaign last October. This week, Palo Alto Networks' Unit 42 threat hunting team provided fresh insight on the campaign based on a recent analysis of the threat group's activities — and noted that while cryptomining is the game now, the infrastructure could be used to deliver much worse threats down the road.

Unit 42's research showed that Automated Libra has so far created some 180,000 free trial accounts on various cloud platforms — substantially more than Sysdig had initially reported — using an automated container-based approach for spinning them up. At its peak last November, Automated Libra was creating between three and five new accounts on GitHub every minute. Sysdig previously had estimated that the coin-mining activity via free trial accounts was costing GitHub some $100,000 in lost revenue per user account.

A Fully Containerized Operation

Unit 42's analysis showed each individual component of PurpleUrchin's cryptomining operation — from user account creation to coin-mining and trading — shipped within a container and deployed in a highly automated manner. 

An initial container contains all the tools needed for automatic account creation. That container automatically creates new accounts on a targeted cloud provider's platform, while also pulling down tools for creating additional containers with cryptomining components for each of the user accounts.

These additional containers house the individual and unique containerized components of the larger operation, says William Gamazo, principal threat researcher for Unit 42 at Palo Alto Networks. For example, they include containers specific to the accounts created for each targeted cloud provider, containers created for system administration (like panel displays for monitoring the mining operation), and containers created for coin-miners themselves.

The threat actors have implemented each component in the architecture as a container, Gamazo says. "In some cases, the entire process starts with a single script," he notes. That script calls on a configuration file stored in DockerHub, GitHub, or BitBucket for its base operational guidelines, Gamazo tells Dark Reading.

"From here, the process becomes highly dynamic and modular, with the creation of a user account that pulls down a container that will start the mass container generation process — essentially a single container that builds all of the additional containers required to perform the mining operation."

The container functionality for initial account creation on GitHub also includes a feature that allows Automated Libra to bypass CAPTCHA images using relatively straightforward image analysis techniques. The CAPTCHA bypass technique basically reuses publicly available tools, though in some cases the threat actors did perform some custom processing.

"While we didn’t feel the actor was very sophisticated, they were very effective with this tactic," Gamazo notes.

A DevOps Approach to Optimize Resource Utilization

Unit 42 researchers assessed that Automated Libra had adopted the DevOps and CI/CD approaches to optimize its ability to utilize the limited resources available to them under the free trial programs that many cloud vendors offer. 

"We have not directly witnessed other threat actors performing these types of containerized operations," Gamazo says. "However, last year we saw DDoS attack implementations using containers as part of the deployment," he notes pointing to a pro-Ukrainian denial-of-service campaign that CrowdStrike reported on last May that involved compromised Docker honeypots.

To create user accounts for free trials, the threat actors likely used stolen or fake credit cards, Unit 42 said. In some cases, the attackers adopted what the security vendor described as a "play and run" approach where they used a cloud provider's resources for a certain period of time but then disappeared without paying the bill for those services. 

The largest unpaid balance that Unit 42 researchers were able to uncover during their research was just $190. But the unpaid balances in other fake accounts could have been much larger considering the scale and breadth of the PurpleUrchin cryptomining operation, they noted.

Cryptomining Now; Much Worse Later?

Cryptomining attacks — where a threat actor stealthily uses an organization's computing resources to mine for cryptocurrencies — have become extremely common in recent years. A study that Kaspersky conducted last year showed that threat actors mainly distribute malicious mining software via unpatched vulnerabilities. In 2022's third quarter, more than 15% of vulnerability exploits that Kaspersky analyzed involved cryptomining tools. In the same quarter, Kaspersky counted more than 150,000 new miner variants, or more than triple the number from 2021's third quarter.

Nathaniel Quist, manager of cloud threat intelligence at Unit 42, says that in the PurpleUrchin campaign, Automated Libra actors were using free or limited-use cloud services specifically for their CPU resources. But that doesn't mean that they couldn’t have used it for other purposes as well. The actors, for instance, could have used these resources to perform malicious operations targeting victim organizations such as scanning, brute-forcing accounts, or hosting malicious content.

"If this happened, the victim would have been targeted by attacks originating from the trusted cloud service providers where the actors were creating these accounts," he notes.

The key takeaway for enterprise organizations is that threat actors will increasingly use containers for malicious infrastructure deployment in coming years. "Trusted sources such as cloud providers, cloud storage services, and public services hosted on clouds will be leveraged for launching attacks and it will be prevalent and difficult to detect," he says.