
Cryptocurrency miners scour GitHub, Heroku • The Register

by admin

A covert cryptocurrency mining operation has been discovered using thousands of free accounts from GitHub, Heroku, and other DevOps providers to create digital tokens. GitHub, for one, prohibits coin mining using its cloud resources.

The Sysdig Threat Research Team said at this week's KubeCon that it discovered the activity, which it calls Purpleurchin. Over 30 GitHub, 2,000 Heroku, and 900 Buddy DevOps accounts, as well as accounts at other cloud and continuous integration and deployment (CI/CD) service providers, take part in Purpleurchin's cryptocurrency mining operations. Researchers found that these accounts are being abused to quietly enhance the

Using cloud computing resources to mine coins is not a new tactic, and it is usually against the terms of service, but the people behind this particular effort have used a number of advanced automation and obfuscation techniques, the researchers said.

Sysdig notes that each of these 30 free GitHub accounts costs the Microsoft-owned giant $15 per month, while free-tier accounts at Heroku, Buddy, and the like cost their providers between $7 and $10 per month. "At this rate, a threat actor would cost a provider more than $100,000 to mine one Monero (XMR)," said Sysdig researcher Crystal Morin. 1 XMR is currently worth $146.

Of course, service providers don't simply absorb these unnecessary costs. They pass them on to paying customers, which means the overall price of cloud computing will increase.

In addition, illegal mining operations that devour computing resources can also degrade the performance of paying customers' applications, making this malicious activity doubly expensive for businesses using these cloud services.

Morin suggested that Purpleurchin may be after the coins themselves, but it is worth noting that the cryptocurrencies the gang is currently mining (Tidecoin, Onyx, Sugarchain, Sprint, Yenten, Arionum, MintMe and Bitweb) have low profit margins.

"We can say with moderate confidence that the attackers are experimenting with different coins," Morin added. As such, the criminals may see this as a "low-risk, low-reward test" before moving on to Monero or Bitcoin, which are more valuable but more closely monitored by law enforcement.

It is also possible that Purpleurchin is using its mining operations to attack the underlying blockchain and prepare to carry out a large-scale heist, stealing millions of dollars' worth of cryptocurrency.

"This large-scale operation could serve as a decoy for other malicious activity," Morin said. APT32's previous cryptomining operations gave the cyber spies persistent access to networks for espionage.

How Purpleurchin evades detection

First, the criminal gang uses over 130 Docker Hub images, but only 2-6 images receive updates at a time, potentially preventing Docker Hub from flagging or blocking their activity.

Additionally, each GitHub repository is created and used within 1-2 days. "We also witnessed some of the repositories that were generating actions disappear," says Morin. "This could be GitHub deleting the account because of malicious activity, or the attacker deleting the account because the free-tier account limit was reached."

Additionally, the linuxapp container, which acts as the command-and-control container and Stratum relay server receiving connections from the mining agents, runs No Dev-Fee Stratum Proxy, open-source Stratum proxy software that avoids proxy fees.

To automate the workflow, Purpleurchin creates GitHub accounts and repositories and runs shell scripts. The shell scripts launch GitHub Actions to perform the mining and attempt to disguise these operations by naming them with random strings.

In Sysdig's technical analysis, the script calls the Node.js file index.js to launch a Tidecoin miner that uses a CPU-based mining algorithm called yespower. This is noteworthy because miners typically use XMRig downloaded directly from GitHub, and because the coins being mined are low-yield.

"Our theory here is that the threat actors are selecting these coins based on the yespower algorithm, which means the mining process is spawned from a nodejs parent and helps evade detection," writes Morin.
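The two evasion behaviours described in this section, randomly named GitHub Actions jobs and a miner spawned from a Node.js parent, each leave a detectable trace. The following is an added example of defender-side heuristics for both, written for this page and not code from Sysdig or The Register. The process-event layout, the job names, the miner binary name and the relay hostname are all constructed sample data, and the entropy threshold is a tunable assumption.

```python
"""Defender-side heuristics for the Purpleurchin behaviours described above:
(1) workflow job names that look like random strings, and
(2) a process with miner indicators whose parent process is node.
Added example; all sample data below is constructed, not from the Sysdig report.
"""
import math
import re
from collections import Counter

# Constructed sample: process-creation events as a CI runner's audit log might
# record them. The field layout (pid, ppid, comm, cmdline) is an assumption.
SAMPLE_PROCESS_EVENTS = [
    {"pid": 101, "ppid": 1,   "comm": "bash", "cmdline": "bash ./run.sh"},
    {"pid": 102, "ppid": 101, "comm": "node", "cmdline": "node index.js"},
    # Constructed miner binary name and relay host; the yespower flag and the
    # stratum+tcp:// scheme are the indicators the page describes.
    {"pid": 103, "ppid": 102, "comm": "tdc-miner",
     "cmdline": "./tdc-miner -a yespower -o stratum+tcp://relay.example:3333 -u wallet"},
    {"pid": 104, "ppid": 101, "comm": "node", "cmdline": "node build.js"},
    {"pid": 105, "ppid": 104, "comm": "webpack", "cmdline": "webpack --mode production"},
]

# Constructed sample: two ordinary job names and two random-string job names.
SAMPLE_JOB_NAMES = ["build-and-test", "deploy-staging", "xk9q2vmzp0t7", "a8f3kq1zr2n9"]

# Indicators named on the page: a Stratum pool URL, the yespower algorithm, XMRig.
MINER_INDICATORS = re.compile(r"stratum\+tcp://|\byespower\b|\bxmrig\b", re.IGNORECASE)


def shannon_entropy(s: str) -> float:
    """Per-character Shannon entropy in bits; random alphanumerics score high."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(name: str, min_len: int = 10, threshold: float = 3.2) -> bool:
    """Heuristic: a job name is 'random-looking' when it has no word separators,
    mixes letters and digits, is reasonably long and has high entropy.
    Human-chosen names usually contain '-', '_' or spaces, or lack digits."""
    if any(sep in name for sep in "-_ "):
        return False
    if len(name) < min_len:
        return False
    has_letter = any(ch.isalpha() for ch in name)
    has_digit = any(ch.isdigit() for ch in name)
    if not (has_letter and has_digit):
        return False
    return shannon_entropy(name) >= threshold


def flag_random_job_names(names):
    """Return the job names that trip the random-string heuristic."""
    return [n for n in names if looks_random(n)]


def flag_miner_from_node_parent(events):
    """Return (parent_cmdline, child_cmdline) pairs where a node process spawned
    a child whose command line carries a miner indicator."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent and parent["comm"] == "node" and MINER_INDICATORS.search(e["cmdline"]):
            hits.append((parent["cmdline"], e["cmdline"]))
    return hits


if __name__ == "__main__":
    print("random-looking job names:", flag_random_job_names(SAMPLE_JOB_NAMES))
    for parent_cmd, child_cmd in flag_miner_from_node_parent(SAMPLE_PROCESS_EVENTS):
        print(f"miner spawned from node: {parent_cmd!r} -> {child_cmd!r}")
```

Both heuristics are deliberately simple: the entropy rule will misfire on some legitimate names and the parent-process rule only catches command lines that still contain the indicators, so in practice they belong alongside egress monitoring of Stratum connections rather than on their own.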

Purpleurchin also found ways to circumvent the bot protections that service providers use to prevent fraudulent automated account creation. These include using OpenVPN to obtain a different IP address for each account, the Brave web browser for registration, and a Python package called Wit for speech recognition of .wav audio files to pass the "are you human" tests.

While the bots do all the work, the people behind Purpleurchin are earning coins, albeit very slowly, at least for now. And the rest of us are left with the bill. ®
