October 27, 2022

The threat actor behind a malicious campaign called “Purpleurchin” is exploiting free GitHub, Heroku and Buddy services to mine crypto at the provider’s expense.

The malicious campaign, described as automated and large-scale “freejacking,” relies on exploiting the limited resources offered to free-tier cloud accounts to make a tiny profit from each account.

The cryptocurrency chosen by the threat actors is only marginally profitable, and researchers believe that the operation is either in an early experimental phase or trying to take control of blockchains by creating a network control majority of 51%.

The attacker uses CI/CD service providers such as GitHub (300 accounts), Heroku (2,000 accounts), and Buddy.works (900 accounts) to carry out over a million function calls daily. Attackers rotate the use of these accounts over 130 Docker Hub images with mining containers. To remain undetected, Purpleurchin disguises the attack process at all operational levels.

Investigating Purpleurchin’s operation, the researchers identified a linuxapp container ‘) as the core of its operation. The container acts as a command-and-control server (C2) and Stratum server that coordinates all active mining agents and directs them to the threat actor’s mining pool.

To automate the creation of GitHub accounts, create a repository, and replicate the workflow using GitHub actions, a shell script (‘userlinux8888’) is used. All GitHub are obfuscated using random strings for the names.

The sources for this piece include an article in BleepingComputer.