Cybereason’s Nocturnus research team has identified a malware distribution campaign that aims to deliver multiple malware variants via the cloud storage platform BitBucket. The researchers believe more than 500,000 computers have already been infected, with hundreds more infections occurring every hour.
Victims are infected with several malware variants including the Azorult backdoor and information stealer, STOP ransomware, the IntelRapid cryptocurrency stealer, the Evasive Monero miner, the Vidar and Predator information stealers, and the Amadey bot.
These malware variants give the attackers many options: they can steal browser passwords, cookies, system information, email client data, MFA software data and cryptocurrency; mine cryptocurrency; control the camera; take screenshots; and, once their other aims have been achieved, encrypt files.
To convince users to visit BitBucket and download the malware, the attackers advertise free, cracked software such as Microsoft Office and Photoshop. The package is delivered as a zip file containing two of the malware payloads, Azorult and Predator, which get to work quickly. Azorult steals information and sends it back to the attackers' C2 server before deleting itself, while Predator fetches a secondary downloader that retrieves the remaining malware payloads. One of the first payloads to be downloaded and executed is Azorult again, this time in an encoded form disguised as a certificate.
The legitimate Windows tool certutil.exe is used to decode Azorult, which then searches for cryptowallets and other sensitive data, sends it back to the attacker's C2, and deletes itself once again. The Evasive Monero miner is downloaded and used to fetch the XMRig miner, which runs in memory.
Once all sensitive data has been found and exfiltrated, STOP ransomware is executed. The ransomware first checks that it is not running in a virtual environment, then creates a folder in %AppData%, copies its binaries into that folder, changes the access control on the binary so that it cannot be accessed, and creates a registry key and a scheduled task to execute the ransomware every five minutes.
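Detection logic for the host-observable steps of this chain (certutil used as a decoder, a new Run-key entry, a scheduled task on a minute schedule), as an added example that is not part of the Cybereason report or this article; the process events, file paths, task and value names are constructed, and the Run key location is an assumption since the article does not name the key used.

```python
import os
import re
from typing import Dict, List

# Constructed process-creation events (not real telemetry), modelled on the chain
# described above. All paths and names are made up; the Run key is an assumed location.
SAMPLE_EVENTS = [
    {"pid": 4101, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -decode C:\Users\u\AppData\Local\Temp\cert.txt C:\Users\u\AppData\Local\Temp\a.exe"},
    {"pid": 4102, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -verify C:\certs\intermediate.cer"},
    {"pid": 4103, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v SysHelper /t REG_SZ /d "C:\Users\u\AppData\Roaming\0a1b\svc.exe"'},
    {"pid": 4104, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Time Trigger Task" /tr "C:\Users\u\AppData\Roaming\0a1b\svc.exe" /sc minute /mo 5'},
    {"pid": 4105, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Nightly Backup" /tr "C:\Tools\backup.exe" /sc daily /st 02:00'},
]

# Each rule: (tag, image basename it applies to, regex over the lower-cased command line).
RULES = [
    # certutil used as a decoder (ATT&CK T1140); -verify and other benign uses do not match.
    ("certutil_decode", "certutil.exe", r"(?:^|\s)-decode(?:hex)?(?:\s|$)"),
    # New value written under a Run or RunOnce key (T1547.001).
    ("run_key_persistence", "reg.exe", r"^reg\s+add\s+\S*\\currentversion\\run(?:once)?(?:\s|$)"),
    # Task created with a minute-granularity schedule (T1053.005); the sample uses /mo 5.
    ("scheduled_task_minute", "schtasks.exe", r"/create\b.*/sc\s+minute\b"),
]

def tag_event(event: Dict[str, str]) -> List[str]:
    """Return the behaviour tags that match one process-creation event."""
    image = os.path.basename(event["image"].replace("\\", "/")).lower()
    cmd = event["cmdline"].lower()
    tags = [tag for tag, img, pattern in RULES if image == img and re.search(pattern, cmd)]
    # A hit that also references %AppData% matches the article's description of the
    # ransomware copying itself into an AppData folder before persisting.
    if tags and re.search(r"\\appdata\\", cmd):
        tags.append("appdata_path")
    return tags

def detect(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map each event pid to its tags, dropping events that match no rule."""
    findings = {e["pid"]: tag_event(e) for e in events}
    return {pid: tags for pid, tags in findings.items() if tags}

if __name__ == "__main__":
    for pid, tags in detect(SAMPLE_EVENTS).items():
        print(pid, ", ".join(tags))
```

Seen together within a few minutes on one host, these three tags describe the decode-then-persist sequence above far more reliably than any single certutil alert.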
This campaign has been designed to gather as much sensitive data as possible and maximize the potential for profit and is one of many campaigns that use legitimate cloud storage platforms to distribute malware. The arsenal of malware delivered in these attacks makes them extremely damaging for victims.