Although the market value of digital currencies keeps fluctuating, cryptojacking campaigns continue to target cloud platforms and their users. Researchers have uncovered a campaign, dubbed Purpleurchin, that abuses several public cloud platforms at once to run a large, fully automated cryptomining operation.
Using free account trials
Purpleurchin abuses free-trial accounts on continuous integration and continuous delivery (CI/CD) service providers such as GitHub, Heroku, and Buddy.Works, according to a report by Sysdig researchers.
The campaign runs on attacker-created accounts: roughly 300 on GitHub, 2,000 on Heroku, and 900 on Buddy.works.
Purpleurchin uses these accounts to make over a million function calls daily. The accounts are rotated, and the workloads are distributed across 130 Docker Hub images that package the mining containers.
To evade GitHub's bot-activity detection, the campaign registers accounts through OpenVPN and Namecheap VPN, so that sign-ups arrive from many different IP addresses.
Digging deeper
This low-profile campaign is heavily obfuscated and automated at every operational level, and has so far evaded detection.
The operation consists of a linuxapp container, shell scripts, mining containers, and Docker containers. It also leverages tools such as xdotool, Wit, and Buster to perform various functions, including bypassing defensive mechanisms.
The campaign stealthily mines a range of smaller coins such as Yenten, Tidecoin, Sprint, Onyx, Sugarchain, Arionum, MintMe, and Bitweb.
A custom Stratum relay fronts the various coins and wallets: the miners connect to the relay rather than directly to the mining pools, so network scanners do not see outbound connections to the pools, and the threat actor's wallet addresses stay hidden from anyone inspecting those destinations.
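Because the relay hides the real pool hosts and wallet-level destinations, a defender cannot rely on destination IP or port lists alone. The following is an added example (not from the Sysdig report and not part of the Purpleurchin tooling) that instead matches on the Stratum protocol itself: Stratum is newline-delimited JSON-RPC, and the method names (`mining.subscribe`, `mining.authorize`, the xmrig-style `login`, and so on) are the standard ones used by common miners. The flow labels, wallet strings and payloads below are constructed samples, not real captures.

```python
"""Flag Stratum mining-protocol traffic by payload content, not by destination.

Added example, not from the Sysdig report or the Purpleurchin tooling.
A relay only changes where the miner connects; the JSON-RPC dialogue on
the wire stays the same, so we classify each TCP flow by the Stratum
method names it carries and extract the wallet/worker identity when the
authorize/login message is present.
"""
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Stratum v1 (Bitcoin-style) methods plus the xmrig/Monero "login" dialect.
STRATUM_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.submit",
    "mining.notify", "mining.set_difficulty", "mining.set_target",
    "login", "submit", "keepalived", "getjob",
}


@dataclass
class StratumHit:
    flow: str                                   # "src:port -> dst:port" label
    methods: List[str] = field(default_factory=list)
    workers: Set[str] = field(default_factory=set)  # wallet/worker strings seen


def _extract_worker(msg: dict) -> Optional[str]:
    """Pull the wallet/worker identity out of an authorize or login message."""
    method = msg.get("method")
    params = msg.get("params")
    if method == "mining.authorize" and isinstance(params, list) and params:
        return str(params[0])                   # "wallet.worker"
    if method == "login" and isinstance(params, dict) and "login" in params:
        return str(params["login"])             # xmrig puts the wallet here
    return None


def scan_flow(flow: str, payload: bytes) -> Optional[StratumHit]:
    """Return a StratumHit if the reassembled payload carries Stratum JSON-RPC."""
    hit = StratumHit(flow)
    for line in payload.split(b"\n"):
        line = line.strip()
        if not line.startswith(b"{"):
            continue                            # HTTP, TLS, binary: skip
        try:
            msg = json.loads(line)
        except (ValueError, UnicodeDecodeError):
            continue                            # truncated or non-JSON line
        if not isinstance(msg, dict):
            continue
        method = msg.get("method")
        if method in STRATUM_METHODS:
            hit.methods.append(method)
            worker = _extract_worker(msg)
            if worker:
                hit.workers.add(worker)
    return hit if hit.methods else None


# Constructed sample flows (assumed values, not captured traffic). The third
# flow is ordinary JSON over HTTP with a "method" key that is NOT a Stratum
# method, so it must not be flagged.
SAMPLE_FLOWS = {
    "10.0.0.5:49152 -> 203.0.113.7:8443": (
        b'{"id": 1, "method": "mining.subscribe", "params": ["cpuminer-opt/3.20"]}\n'
        b'{"id": 2, "method": "mining.authorize", "params": ["WALLETEXAMPLE.rig01", "x"]}\n'
        b'{"id": 1, "result": [[["mining.notify", "abc"]], "f800", 4], "error": null}\n'
    ),
    "10.0.0.6:49153 -> 203.0.113.7:8443": (
        b'{"id":1,"jsonrpc":"2.0","method":"login",'
        b'"params":{"login":"4XMRWALLETEXAMPLE","pass":"x","agent":"XMRig/6.18.0"}}\n'
    ),
    "10.0.0.7:49154 -> 198.51.100.3:443": (
        b"GET /api/v1/jobs HTTP/1.1\r\nHost: ci.example\r\n\r\n"
        b'{"job": "build", "method": "POST"}\n'
    ),
}


def scan_all(flows: Dict[str, bytes] = SAMPLE_FLOWS) -> Dict[str, StratumHit]:
    """Scan every flow and keep only those that spoke Stratum."""
    hits = {}
    for flow, payload in flows.items():
        hit = scan_flow(flow, payload)
        if hit:
            hits[flow] = hit
    return hits


if __name__ == "__main__":
    for flow, hit in scan_all().items():
        print(f"{flow}: {hit.methods} workers={sorted(hit.workers)}")
```

In practice the payloads would come from reassembled TCP streams (for example, exported by Zeek or a packet capture tool) rather than the inline dictionary; the point is that both the relay address and the port (here a non-standard 8443) are irrelevant to the verdict, while the wallet strings recovered from the authorize/login messages give an indicator that survives the relay's obfuscation when the miner-to-relay leg is visible.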
The damage estimation
The estimated cost per account per month is $15 for GitHub and between $7 and $10 for Heroku and Buddy.works, which adds up quickly across thousands of accounts. Overall, the campaign is estimated to consume around $100,000 of the service providers' resources for every Monero's worth of coin mined, roughly ten times the resource cost (around $11,000) of a typical cryptojacking operation.
Closing lines
It is suspected that, given the success of this small but profitable campaign, Purpleurchin could soon switch to more profitable coins such as Monero or Bitcoin. Moreover, the operators could attempt to steal millions of dollars' worth of cryptocurrency by gaining control of more than 51% of the hash rate on these small coin networks (a 51% attack). De-Fi protocols must watch out for such threats!