
Automated Libra, a threat actor based in South Africa, has been seen using CAPTCHA bypass methods to programmatically generate GitHub accounts as part of the PURPLEURCHIN freejacking operation.

According to William Gamazo and Nathaniel Quist, researchers at Palo Alto Networks Unit 42, the organisation “primarily targets cloud platforms offering limited-time trials of cloud resources to perform their crypto mining operations.”

PURPLEURCHIN was first identified in October 2022, when Sysdig showed that the attacker had expanded its operations by creating up to 30 GitHub accounts, 2,000 Heroku accounts, and 900 Buddy accounts.

At the peak of its activity in November 2022, the cloud threat actor group, according to Unit 42, “put up between three and five GitHub accounts per minute, totalling over 130,000 fictitious accounts across GitHub, Heroku, and Togglebox.”

The cybersecurity firm also referred to the misuse of cloud resources as a “play and run” strategy intended to avoid paying the platform vendor’s invoice by using stolen or fake credit cards to open premium accounts.

Along with revealing more than 40 wallets and seven different cryptocurrencies, Unit 42's analysis of 250GB of data dates the first indication of the crypto campaign to August 2019, at least 3.5 years ago.

In addition to automating the account creation process with tools such as xdotool and ImageMagick, the threat actor has also been identified as exploiting a flaw in GitHub's CAPTCHA check to accomplish its illegal goals.

Once an account has been successfully created, Automated Libra sets up a GitHub repository and procedures that trigger external Bash scripts and containers to start the crypto mining operations.

Ultimately, the PURPLEURCHIN campaign demonstrates how hackers can exploit weaknesses in CAPTCHA systems and take advantage of open-source repositories to carry out malicious activities.
