South African hackers known as "Automated Libra" are refining their methods to make a profit by using cloud platform resources for cryptocurrency mining.
According to Palo Alto Networks Unit 42, the attackers are using a new CAPTCHA solution system, using CPU resources more aggressively for mining, and mixing "freejacking" with "play and run" methods to abuse free cloud resources.
"Automated Libra" was first discovered by Sysdig analysts in October 2022, who named the malware activity cluster "PurpleUrchin" and believed the group was engaged in hacking operations.
Unit 42 delved deeper into this operation, analyzing more than 250 GB of collected data on the dark web and revealing much more information about the attacker's infrastructure, history, and methods.
The attacker launches automated campaigns by abusing Continuous Integration and Deployment (CI/CD) service providers such as GitHub, Heroku, Buddy.works, and Togglebox to create new accounts on the platforms and launch cryptocurrency miners in containers. While Sysdig identified 3,200 malicious accounts belonging to "PurpleUrchin", Unit 42 now reports that the attacker has created and used more than 130,000 accounts on the platforms since August 2019, when the first signs of its activity can be traced.
In addition, Unit 42 discovered that the attacker used container components not only for mining, but also for trading the mined cryptocurrency on various trading platforms, including ExchangeMarket, crex24, Luno and CRATEX.
Sysdig noticed that the attackers were engaged in "freejacking", trying to use any available resources allocated to free accounts, in an attempt to make significant profits by expanding their activities. Unit 42 confirms that freejacking is an important aspect of PurpleUrchin's operations, but reports that the "Play and Run" strategy is also of great importance.
“Play and run” is a term for attackers who use paid resources for profit, in this case cryptocurrency mining, and refuse to pay bills until their accounts are frozen. At this point, they give them up and move on.
Typically, PurpleUrchin uses stolen PII and credit card details to create premium accounts on various VPS and CSP platforms so no one can trace them when they leave unpaid debts.
“It appears that the actor also reserved full server or cloud instances, and sometimes they used CSP services such as AHP,” Unit 42’s report explains. "They did this to make it easier to host web servers that were needed to monitor and track their large-scale mining operations."
In these cases, the attacker uses as much of the CPU as possible before losing access to it. This is in contrast to the tactics used in hacking campaigns where the miner uses only a tiny fraction of the server's CPU power.
One notable technique used by Automated Libra is the CAPTCHA solving system, which helps them create multiple accounts on GitHub without requiring manual intervention. The attackers use ImageMagick's "convert" tool to convert CAPTCHA images to their RGB equivalents, and then use the "identify" tool to extract the red channel skewness for each image.
The value returned by the "identify" tool is used to rank the images in ascending order. Finally, the automated tool picks the image at the top of that table, which is usually the correct one.
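As an added illustration (not code from the Unit 42 report or from the actor's toolkit), the following pure-Python check reproduces the red-channel-skewness ranking described above on constructed pixel data, so that a CAPTCHA operator can test whether a challenge set gives its answer away through that single statistic. The function names, the margin threshold and the sample pixels are assumptions.

```python
from typing import Dict, List, Sequence, Tuple

Pixel = Tuple[int, int, int]  # (R, G, B)


def red_channel_skewness(pixels: Sequence[Pixel]) -> float:
    """Population skewness (third standardised moment) of the red channel,
    the per-channel statistic ImageMagick's `identify -verbose` reports.
    Returns 0.0 for a flat channel instead of dividing by zero."""
    reds = [p[0] for p in pixels]
    n = len(reds)
    mean = sum(reds) / n
    m2 = sum((r - mean) ** 2 for r in reds) / n
    if m2 == 0:
        return 0.0
    m3 = sum((r - mean) ** 3 for r in reds) / n
    return m3 / m2 ** 1.5


def rank_by_red_skewness(images: Dict[str, Sequence[Pixel]]) -> List[Tuple[str, float]]:
    """Ascending ranking of (name, skewness): the order the article describes."""
    scored = ((name, red_channel_skewness(px)) for name, px in images.items())
    return sorted(scored, key=lambda item: item[1])


def captcha_set_leaks_answer(images: Dict[str, Sequence[Pixel]],
                             correct_name: str, margin: float = 0.5) -> bool:
    """Defender check: True when the correct image tops the ranking and is
    separated from the runner-up by at least `margin` (assumed threshold),
    i.e. the challenge is solvable by the skewness heuristic alone."""
    ranking = rank_by_red_skewness(images)
    if ranking[0][0] != correct_name:
        return False
    if len(ranking) < 2:
        return True
    return ranking[1][1] - ranking[0][1] >= margin


def _pixels(reds: Sequence[int]) -> List[Pixel]:
    """Constructed sample: red values of interest, G and B held constant."""
    return [(r, 128, 128) for r in reds]


# Constructed 10-pixel "images": the target is mostly bright red with two dark
# spots (negative skew); the decoys are symmetric (0) and mirrored (+1.5).
SAMPLE_CHALLENGE: Dict[str, Sequence[Pixel]] = {
    "decoy_a": _pixels([50, 150] * 5),
    "target": _pixels([250] * 8 + [10] * 2),
    "decoy_b": _pixels([10] * 8 + [250] * 2),
}

if __name__ == "__main__":
    for name, skew in rank_by_red_skewness(SAMPLE_CHALLENGE):
        print(f"{name:8s} red skewness = {skew:+.3f}")
    print("leaks answer:", captcha_set_leaks_answer(SAMPLE_CHALLENGE, "target"))
```

A challenge set where the expected answer is not the lowest-skewness image, or sits within the margin of its neighbours, does not leak the answer to this heuristic.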
This system highlights Automated Libra's determination to achieve higher operational efficiency by increasing the number of accounts per minute they can create on GitHub.