40,000 CryptBot Downloads per Day: Bitbucket Abused as Malware Slinger
07 February 20, 09:26
Quote:
Public source code repository at Bitbucket.org was abused to host CryptBot, Buer loader with NuclearBot and Cryptominer.
AutoHotkey Downloader
We found the Bitbucket repository via a malicious AutoHotkey downloader[1]. The AutoHotkey script is located in the PE resources with the RCDATA resource type. We used Resource Hacker to access the script (see image below).
The downloader checks IP and location information of the infected system via http://ip-api.com/line/ and puts the result into %TEMP%/ip_.txt. Then it calls two shortened URLs at https://iplogger.org. This URL shortener service provides statistics and location tracking for the shortened links. The site's content is downloaded to %TEMP%/loger.txt and %TEMP%/loger2.txt.
It proceeds to check the country code in ip_.txt and will download PCBoosterSetup.exe[8] for the following country codes: TR, FR, US, DE, GB, HR, HU, RO, PL, IT, PT, ES, CA, DK, AT, NL, AU, AR, NP, SE, BE, NZ, SK, SO, GR, BG
PCBoosterSetup.exe is an installer for PC Booster by Energizer Softech. This software is not malicious, but potentially unwanted. The AutoHotkey downloader was submitted by the name setupres.exe to VirusTotal, so it is probably advertised and distributed as PC Booster installer, making this a classic trojan horse.
The trojan downloads and executes three files from a public Bitbucket.org repository to %APPDATA%: 1.exe, 3.exe, and 4.exe. Only two of those files were present on Friday evening, 31. January 2020, when we first analysed the trojan.
Lewis Shields' Bitbucket Repository
The Bitbucket repository "new" by the user Lewis Shields contains no source code but three binary files in the downloads section, two of which are downloaded by the AutoHotkey sample[1].
The repository has existed since 16. January 2020. The files are renewed every few hours; the intervals are different for each file. We observed renewal of 1.exe and 4.exe approximately every 5 hours, and renewal of 9.exe approximately once a day.
Filename   Approximate download rate (observed from 31 Jan 2020 to 3 Feb 2020)   Malware family
1.exe      800 downloads per hour                                                 Buer loader and NuclearBot
4.exe      2,700 downloads per hour                                               Coinminer loader
9.exe      1,800 downloads per hour                                               CryptBot
That means there are more downloaders that access this repository. We downloaded two sets of samples and identified the malware families.
We contacted technical support of Atlassian on Friday afternoon and notified them about the malware hosting repository. Reporting took a bit of effort because it required registration and the forms weren't suited for security issues. On Sunday an employee at Atlassian contacted me via Twitter because they had seen our tweet. It was due to said employee that the repository was taken down on Monday, 3. February 2020, 67 hours after our report. Given the approximate download rates, more than 355,100 downloads were done during that time frame.
...
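The quoted article describes a fixed sequence of network indicators: a geolocation lookup at http://ip-api.com/line/, two hits on iplogger.org, then one or more .exe fetches from a Bitbucket "downloads" page. That order is something a SOC can correlate in proxy logs. The script below is an added example for this thread, not code from the quoted article, from the poster, or from Bitbucket/Atlassian. It assumes a simple "timestamp client method url" proxy log format, a 10-minute correlation window, and constructed sample lines in which the Bitbucket user/repository path and the iplogger.org short codes are placeholders, since the article gives no URLs.

```python
"""Correlate proxy log lines for the ip-api.com -> iplogger.org -> Bitbucket .exe chain.

Added example; log format, window size and sample data are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log (not from the article): "timestamp client_ip method url".
# The Bitbucket user/repo path and the iplogger.org codes are placeholders.
SAMPLE_LOG = """\
2020-01-31T18:02:11 10.0.0.7 GET http://ip-api.com/line/
2020-01-31T18:02:13 10.0.0.7 GET https://iplogger.org/aaaa1
2020-01-31T18:02:14 10.0.0.7 GET https://iplogger.org/bbbb2
2020-01-31T18:02:20 10.0.0.7 GET https://bitbucket.org/example-user/new/downloads/1.exe
2020-01-31T18:02:25 10.0.0.7 GET https://bitbucket.org/example-user/new/downloads/4.exe
2020-01-31T18:05:00 10.0.0.9 GET http://ip-api.com/line/
2020-01-31T18:06:00 10.0.0.9 GET https://www.example.com/index.html
2020-01-31T19:30:00 10.0.0.12 GET https://bitbucket.org/some-team/repo/downloads/tool-1.2.zip
2020-01-31T20:00:00 10.0.0.12 GET https://bitbucket.org/some-team/repo/downloads/setup.exe
"""

# One URL pattern per stage of the chain described in the article.
STAGE_PATTERNS = {
    "geolookup": re.compile(r"^https?://ip-api\.com/line/?", re.I),
    "tracker": re.compile(r"^https?://iplogger\.org/", re.I),
    "payload": re.compile(r"^https?://bitbucket\.org/[^/]+/[^/]+/downloads/[^/?]+\.exe$", re.I),
}


def classify(url):
    """Return the stage name a URL belongs to, or None if it matches no stage."""
    for stage, pattern in STAGE_PATTERNS.items():
        if pattern.search(url):
            return stage
    return None


def parse_log(text):
    """Parse 'timestamp client method url' lines into per-client, time-sorted events."""
    events = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than failing the whole run
        ts, client, _method, url = parts
        events[client].append((datetime.fromisoformat(ts), url))
    for client in events:
        events[client].sort()
    return events


def find_chains(text, window=timedelta(minutes=10)):
    """Flag clients that fetch an .exe from a Bitbucket downloads page within
    `window` after a geolocation lookup. iplogger.org hits in between raise the
    confidence; a Bitbucket .exe on its own (common for legitimate software) does
    not fire, and neither does a geolookup with no payload."""
    chains = []
    for client, evs in parse_log(text).items():
        skip_until = None  # avoid re-reporting one chain for repeated geolookups
        for i, (t0, url0) in enumerate(evs):
            if classify(url0) != "geolookup":
                continue
            if skip_until is not None and t0 <= skip_until:
                continue
            trackers, payloads = [], []
            for t, url in evs[i + 1:]:
                if t - t0 > window:
                    break  # events are sorted, nothing later can be in the window
                stage = classify(url)
                if stage == "tracker":
                    trackers.append(url)
                elif stage == "payload":
                    payloads.append(url)
            if payloads:
                chains.append({
                    "client": client,
                    "first_seen": t0.isoformat(),
                    "tracker_hits": len(trackers),
                    "payloads": payloads,
                    "confidence": "high" if trackers else "medium",
                })
                skip_until = t0 + window
    return chains


if __name__ == "__main__":
    for chain in find_chains(SAMPLE_LOG):
        print(chain)
```

Only client 10.0.0.7 produces an alert: the geolookup alone (10.0.0.9) and the standalone Bitbucket .exe (10.0.0.12) are left alone on purpose, because both are common in benign traffic. Tighten or widen the window to taste; the sample downloader runs the whole chain within seconds, so a short window is enough for this family, but a longer one catches slow or retried variants.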