The Hole In The Bucket: Attackers Abuse BitBucket to Deliver an Arsenal of Malware (Feb 5, 2020)

Threat actors are using the code hosting service Bitbucket to store several malware types. The method has led to more than 500,000 victims, according to Cybereason researchers. This technique has been seen before from actors who used services such as Dropbox, GitHub and Google Drive to store malicious code. An organization's network defences are less likely to be concerned about traffic to known legitimate services, so hosting payloads there helps the attack seem less suspicious. The payloads installed on victim systems include infostealers (Predator the Thief, Azorult, Vidar), cryptocurrency miners and stealers (Monero Miner, IntelRapid), ransomware (STOP) and a reconnaissance bot (Amadey bot).

Recommendation: Educate your employees on the risks of opening attachments from unknown senders. Additionally, individuals should be aware of how financial companies communicate, and if an email seems unusual, a user should visit the official website of said company and make an inquiry before opening any email attachment. Anti-spam and antivirus applications provided by trusted vendors should also be employed. Legitimate tools are increasingly used by threat actors, especially advanced threat actors, as they allow them to remain undetected. Organizations would be better protected by only allowing a select few employees access to these tools, or by investing in technology that detects anomalous and unusual behaviour on the endpoint.
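One way to check the "select few employees" recommendation against proxy logs, as an added example that is not part of the original advisory. The log format, host names, allow-list, file extensions and content types are all constructed assumptions; the watched domains are the services named above, and download traffic may also be served from other hosts that your proxy would need to list.

```python
from urllib.parse import urlsplit

# Services named in the article; extend with the hosts your proxy actually sees.
WATCHED = ("bitbucket.org", "github.com", "dropbox.com", "drive.google.com")
# Hypothetical allow-list: the few workstations permitted to use these services.
ALLOWED_HOSTS = {"dev-ws-01", "dev-ws-02"}
# Assumed markers of a binary or archive download.
BINARY_EXT = (".exe", ".dll", ".scr", ".msi", ".zip")
BINARY_TYPES = {"application/x-msdownload", "application/octet-stream", "application/zip"}

# Constructed sample proxy log: time, source host, method, URL, content type, bytes
SAMPLE_LOG = """\
2020-02-05T09:14:02Z dev-ws-01 GET https://bitbucket.org/exampleteam/tools/downloads/build.zip application/zip 48211
2020-02-05T09:20:45Z fin-pc-07 GET https://bitbucket.org/exampleuser/repo/downloads/setup.exe application/x-msdownload 2310144
2020-02-05T09:21:10Z fin-pc-07 GET https://www.example.com/index.html text/html 5120
2020-02-05T09:33:27Z hr-pc-03 GET https://drive.google.com/uc?id=EXAMPLE&export=download application/octet-stream 912384
2020-02-05T09:40:00Z hr-pc-03 GET https://github.com/example/project/blob/main/README.md text/html 20480
2020-02-05T09:41:00Z hr-pc-03 GET https://notbitbucket.org/a/b.exe application/x-msdownload 1000
"""

def is_watched(hostname):
    """True for a watched domain or any of its subdomains (not look-alike suffixes)."""
    hostname = (hostname or "").lower().rstrip(".")
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED)

def find_suspicious(log_text, allowed=ALLOWED_HOSTS):
    """Return (time, source, domain, path) for binary downloads from watched
    services made by hosts that are not on the allow-list."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines
        ts, src, _method, url, ctype, _size = parts
        u = urlsplit(url)
        if not is_watched(u.hostname):
            continue
        binary = ctype.lower() in BINARY_TYPES or u.path.lower().endswith(BINARY_EXT)
        if binary and src not in allowed:
            findings.append((ts, src, u.hostname, u.path))
    return findings

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(*finding)
```

Matching on the exact domain or a dot-prefixed suffix keeps a look-alike such as `notbitbucket.org` from being treated as the legitimate service.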

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.