January 6, 2023 - Ravie Lakshmanan - Cryptocurrency / GitHub

A South Africa-based threat actor known as Automated Libra has been observed using CAPTCHA bypass techniques to programmatically create GitHub accounts as part of a freejacking campaign called PURPLEURCHIN.

The group “primarily targets cloud platforms that offer limited-time trials of cloud resources to perform cryptocurrency mining operations,” said Palo Alto Networks Unit 42 researchers William Gamazo and Nathaniel Quist.

PURPLEURCHIN was first disclosed in October 2022, when Sysdig reported that the attackers had created 30 GitHub accounts, 2,000 Heroku accounts, and 900 Buddy accounts to scale their operations.

According to Unit 42, the group created 3-5 GitHub accounts every minute during peak activity in November 2022, and set up more than 130,000 fake accounts in total across Heroku, Togglebox, and GitHub.

It is estimated that over 22,000 GitHub accounts were created between September and November 2022: 3 in September, 1,652 in October, and 20,725 in November. A total of 100,723 unique Heroku accounts were also identified.

The cybersecurity firm also found cloud resources being abused in what it calls “play and run” tactics, which are designed to avoid paying platform vendor bills by using counterfeit or stolen credit cards to create premium accounts.

An analysis of 250 GB of data traced the first signs of the cryptocurrency campaign back at least 3.5 years, to August 2019, and identified over 40 wallets and the use of seven different cryptocurrencies.

[Figure: freejacking campaign]

The core idea behind PURPLEURCHIN is to exploit the computational resources allocated to free and premium accounts on cloud services for financial gain, before access is lost due to non-payment of the membership fees.

In addition to automating the account creation process with legitimate tools such as xdotool and ImageMagick, the attackers have also been found to take advantage of vulnerabilities in GitHub’s CAPTCHA checks to further their illegitimate ends.

[Figure: CAPTCHA handling in the freejacking campaign]

This involves using ImageMagick’s convert command to turn the CAPTCHA image into its RGB complement, followed by the identify command to extract the skewness of the red channel, after which the minimum value is chosen.

Once an account has been created, Automated Libra proceeds to create a GitHub repository and deploy workflows that launch external Bash scripts and containers to start the crypto mining functions.

The findings show how freejacking campaigns can weaponize these platforms to maximize revenue by increasing the number of accounts that can be created per minute.
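The signup tempo reported above (3-5 GitHub accounts per minute at peak) is something a platform operator can look for in its own signup audit log. The sliding-window burst detector below is an added example for this article, not code from Unit 42 or from the report it summarizes; the log format, field names, usernames and IP addresses are constructed for the example.

```python
"""Burst detector for account-creation events (added example, not Unit 42 code).

Counts signups inside a sliding 60-second window and reports every stretch in
which the count reaches a threshold, together with the users involved and a
per-source-IP breakdown, so that a burst can be told apart from organic signups.
"""
from collections import Counter, deque
from datetime import datetime, timedelta

# Constructed sample audit log: ISO timestamp, event type, username, source IP.
SAMPLE_LOG = """\
2022-11-14T10:00:02Z signup user=alice-dev src=198.51.100.7
2022-11-14T10:00:15Z signup user=qx8a1 src=203.0.113.9
2022-11-14T10:00:29Z signup user=qx8a2 src=203.0.113.9
2022-11-14T10:00:41Z signup user=qx8a3 src=203.0.113.9
2022-11-14T10:00:55Z signup user=qx8a4 src=203.0.113.9
2022-11-14T10:05:10Z signup user=bob-ops src=198.51.100.8
2022-11-14T10:30:00Z signup user=carol src=192.0.2.33
"""


def parse_events(text):
    """Parse signup lines into (timestamp, user, src) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[1] != "signup":
            continue  # ignore other event types and malformed lines
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        fields = dict(p.split("=", 1) for p in parts[2:])
        events.append((ts, fields["user"], fields["src"]))
    events.sort()
    return events


def find_bursts(events, threshold=3, window=timedelta(seconds=60)):
    """Return one record per burst: a stretch during which at least `threshold`
    signups fall inside any `window`-long interval. The deque holds the events
    of the current window; an active burst is extended while the window stays
    at or above the threshold and closed as soon as it drops below."""
    bursts = []
    recent = deque()
    active = None  # the burst record currently being extended, if any
    for ts, user, src in events:
        recent.append((ts, user, src))
        while ts - recent[0][0] > window:  # evict events older than the window
            recent.popleft()
        if len(recent) >= threshold:
            if active is None:
                active = {"start": recent[0][0], "end": ts,
                          "users": set(), "by_source": Counter()}
                bursts.append(active)
                # seed the record with the events that are already in the window
                for _, u, s in recent:
                    active["users"].add(u)
                    active["by_source"][s] += 1
            else:
                active["users"].add(user)
                active["by_source"][src] += 1
            active["end"] = ts
        else:
            active = None
    # Flatten sets/counters into plain, sorted structures for reporting.
    return [{"start": b["start"], "end": b["end"],
             "count": len(b["users"]), "users": sorted(b["users"]),
             "by_source": dict(b["by_source"])} for b in bursts]


def run_example(threshold=3):
    """Run the detector over the constructed sample log."""
    return find_bursts(parse_events(SAMPLE_LOG), threshold=threshold)


if __name__ == "__main__":
    for b in run_example():
        print(f"{b['start']:%H:%M:%S}-{b['end']:%H:%M:%S}: {b['count']} signups, "
              f"by source {b['by_source']}")
```

The threshold of 3 mirrors the lower end of the rate the researchers observed; in production it should be set against the platform's own baseline, and a burst is a stronger signal when, as here, one source address dominates the window and the usernames share a generated pattern.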

“It is important to note that Automated Libra has designed its infrastructure to take full advantage of CD/CI tools,” the researchers concluded.

“This has become easier to achieve over time as traditional VSPs diversify their service portfolios to include cloud-related services. It’s easier for attackers because they don’t have to maintain [infrastructure] to deploy the application.”
