The arsenal of attackers includes data stealers,
Attackers abuse legitimate online storage platforms to bypass security products due to the trust given to legitimate online services. The use of online storage platform also allows attackers to reduce the exposure to their C2 server infrastructure by separating the delivery infrastructure (online storage platforms) from the C2 server infrastructure.
The attackers are hosting malware on several Bitbucket accounts, the malicious codes receive frequent updates.
Attackers are using Themida as a p
Most of the tainted crackers observed in this campaign include Azorult and Predator the Thief data stealers.
Experts discovered some Bitbucket repositories linked to each other hosting the same p
“Through research of other samples related to the campaign, we have identified additional Bitbucket repositories that are likely created by the same threat actor with the same set of malware samples.” continues the report. “Judging by the number of downloads, we estimate over 500,000 machines have been infected by the campaign so far, with hundreds of machines affected every hour. ”
More than 500,000 machines have been infected already compromised, experts observed hundreds of new infections every hour.
Experts noticed that when there is nothing to steal from the infected system, attackers deploy the STOP ransomware to blackmail the victims and maintain persistence.
“Attackers continue to evolve and look for more effective ways to make a profit. They are finding that, when their tools fail, they can use legitimate ones instead. Security p