
Automated Libra Group Adopts New Tricks For Long Running Campaign

In October 2022, a group of threat actors was reported to be running the PurpleUrchin cryptomining campaign, using accounts on GitHub, Heroku, and Buddy.works. A more recent analysis of 250 GB of data related to this operation, by researchers at Palo Alto Networks' Unit 42, revealed that the campaign was far more widespread than initially thought.

What happened?

The South African freejacking group Automated Libra is suspected to be behind the campaign, which abuses the free and trial tiers offered by CI/CD service providers.
  • It used these platforms to create new accounts and to run cryptocurrency miners inside containers.
  • Containerized components were used to trade the mined cryptocurrency across various trading platforms, including ExchangeMarket, Crex24, Luno, and CRATEX.
  • Notably, the group consumed as much CPU time as possible before losing access to each resource, unlike other freejacking campaigns, where the miner uses only a small share of the server's CPU capacity in order to avoid detection.

CAPTCHA bypass + Play and Run strategy

The group has been evolving its capabilities with CAPTCHA bypass and Play and Run techniques to abuse free cloud resources.
  • Automated Libra uses two tools from the ImageMagick toolkit to process and resolve the image CAPTCHA presented by GitHub during account creation, allowing sign-ups to be fully automated.
  • It has relied heavily on a Play and Run strategy: signing up for paid resources with falsified or potentially stolen credit cards, consuming the resources, and abandoning the accounts without paying.
  • Researchers estimate that the unpaid resource bill borne by the cloud platform vendors could be much larger than initially assumed, given the scale and breadth of the mining operation.

Account creation statistics

  • Since August 2019, the group has created and used over 130,000 accounts across the abused platforms.
  • Since 2021, it has created a total of 100,723 unique accounts on the Heroku platform alone.
  • At its peak in November 2022, it was creating three to five GitHub accounts every minute, and it created around 20,000 GitHub accounts in that month.
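The sign-up velocity described above is the kind of signal a platform or identity team can alert on. The following is an added example, not code from the article, from Unit 42, or from any cloud provider: a sliding-window detector that reads constructed sign-up log lines (the log format, usernames, and IP addresses are hypothetical) and reports runs in which at least three accounts are created within one minute, the lower bound of the peak rate reported for the campaign.

```python
"""Sliding-window burst detector for account sign-up events.

Added example, not part of the original article or of any vendor's tooling.
It flags windows in which the sign-up rate reaches the three-to-five
accounts-per-minute peak the article attributes to Automated Libra on GitHub.
The log format, field names and sample lines are constructed for illustration.
"""
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log: ISO-8601 timestamp, event type, username, source IP.
SAMPLE_LOG = """\
2022-11-14T10:00:02Z signup user_a0f3 203.0.113.10
2022-11-14T10:00:15Z signup user_b17c 203.0.113.10
2022-11-14T10:00:31Z signup user_c9d2 203.0.113.11
2022-11-14T10:00:44Z signup user_d4e8 203.0.113.10
2022-11-14T10:00:58Z signup user_e5a1 203.0.113.12
2022-11-14T10:01:20Z login  user_a0f3 203.0.113.10
2022-11-14T10:07:03Z signup user_f66b 198.51.100.7
2022-11-14T10:19:40Z signup user_0a9c 198.51.100.8
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, event, user, ip)."""
    ts, event, user, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, user, ip


def find_signup_bursts(log_text, threshold=3, window=timedelta(minutes=1)):
    """Return one dict per burst: a run of consecutive sign-ups during which
    at least `threshold` sign-ups fell inside the trailing `window`.

    Each dict records the burst's start and end time, the peak number of
    sign-ups seen in any single window, the usernames created, and the
    distinct source IPs involved (useful for correlating a sign-up farm).
    """
    recent = deque()   # sign-ups that fall inside the trailing window
    bursts = []
    active = None      # burst currently being extended, if any
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, user, ip = parse_line(line)
        if event != "signup":
            continue
        recent.append((ts, user, ip))
        # Drop sign-ups that have aged out of the window.
        while ts - recent[0][0] > window:
            recent.popleft()
        if len(recent) < threshold:
            active = None   # rate fell back under the threshold; burst ended
            continue
        if active is None:
            active = {"start": recent[0][0], "end": ts, "peak": 0,
                      "users": [], "ips": set()}
            bursts.append(active)
        active["end"] = ts
        active["peak"] = max(active["peak"], len(recent))
        for _, u, i in recent:
            if u not in active["users"]:
                active["users"].append(u)
            active["ips"].add(i)
    return bursts


if __name__ == "__main__":
    for b in find_signup_bursts(SAMPLE_LOG):
        print(f"{b['start'].isoformat()} .. {b['end'].isoformat()}: "
              f"peak {b['peak']}/window, {len(b['users'])} accounts, "
              f"{len(b['ips'])} source IPs")
```

On the constructed sample this reports a single burst starting at 10:00:02 with a peak of five sign-ups per minute across three source IPs; the two later, isolated sign-ups are not flagged. In practice the threshold should be tuned against the platform's normal sign-up baseline, and the per-burst IP set can be fed into downstream rate limiting or CAPTCHA escalation for the offending sources.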

Conclusion

Automated Libra has established itself as a major threat through the success and scale of the PurpleUrchin campaign. With over 130,000 accounts on cloud platforms and fully automated cryptomining operations, the group can cause far more damage than previously estimated. The safety of public cloud resources has long been a major concern, and the threats to them keep changing and evolving. Organizations are advised to apply an effective multi-cloud security strategy to secure their public cloud footprint.
Publisher: Cyware