South African threat actors known as ‘Automated Libra’ have been refining their techniques to profit by using cloud platform resources for cryptocurrency mining.
PURPLEURCHIN first came to light in October 2022 when Sysdig disclosed that the adversary created as many as 30 GitHub accounts, 2,000 Heroku accounts, and 900 Buddy accounts to scale its operation.
CAPTCHA Bypass Tactics
Automation designed for developers to build and operate at scale can just as easily be used to scale information security attacks, said Aakash Shah, co-founder and CTO at oak9.
Whereas Sysdig identified 3,200 malicious accounts belonging to ‘PurpleUrchin,’ Unit 42 now reports that the threat actor has created and used over 130,000 accounts on the platforms since August 2019, when the first signs of its activities can be traced.
Additionally, Unit 42 discovered that the threat actor used containerized components not only for mining but also for trading the mined cryptocurrency across various trading platforms, including ExchangeMarket, crex24, Luno, and CRATEX.
Unit 42 also found that some of the automated account creation cases bypassed CAPTCHA images using a simple image analysis technique, and identified the creation of more than 130,000 user accounts on cloud platforms.
“It is important to note that Automated Libra designs their infrastructure to make the most use out of CD/CI tools,” the researchers concluded.