500,000 victims pummeled in multi-stage BitBucket malware scheme

The number of malware types deployed is "unprecedented," according to Cybereason.

An ongoing campaign from an unidentified threat actor has been deploying seven different kinds of malware — including ransomware — at once against an estimated 500,000 targets over the past couple of months to steal as much money as possible, according to new research from Cybereason.

The different kinds of malware deployed by just this one actor — which allow it to steal sensitive browser data, cookies, system information, two-factor authentication token information to bypass 2FA, and cryptocurrency from digital wallets — are “unprecedented,” according to Lior Rochberger, a security analyst at Cybereason, and Assaf Dahan, the head of threat research at Cybereason. The two released their findings on Wednesday.

“The combination of so many different types of malware exfiltrating so many different types of data can leave organizations unworkable,” Rochberger and Dahan write. “This threat is able to compromise system security, violate user privacy, harm machine performance, and cause great damage to individuals and corporations by stealing and spreading sensitive information, all before infecting them with ransomware.”

The attackers make their scheme work by exploiting code repository platform BitBucket to store and disperse the malware, according to Cybereason.


“[It’s] an ongoing trend with cybercriminals where they abuse legitimate online storage platforms like Github, Dropbox, Google Drive, and BitBucket to distribute commodity malware,” Rochberger and Dahan write in the blog post.

The campaign is relatively new — it popped up on Cybereason’s telemetry in December of last year, Dahan told CyberScoop. But the ultimate goal of the effort appears to be money.

“The attackers aren’t satisfied with one payload, they want to use multiple to maximize their revenue,” the researchers write.

The attackers are running their scheme by targeting people scouring the internet for free commercial products, such as Adobe Photoshop. The threat actors will package them with multiple strains of malware, such as Azorult, which steals information and deletes its binary to erase traces of an infection.

“Legitimate applications are an easy, trusted way for attackers to gain entry and spread malware within an organization,” the researchers write.


Shortly after Azorult starts pilfering information, Predator the Thief malware steals passwords from browsers, takes pictures and screenshots of the victims’ machines, and steals cryptocurrency out of digital wallets. Predator the Thief can then connect with BitBucket to download more payloads, including STOP Ransomware, a Monero miner, and Vidar, which can steal web browser history, digital wallets, two-factor authentication tokens, and screenshots.

And although the researchers have ascertained what malware the attackers are using, Dahan told CyberScoop it’s not entirely clear who is behind the thievery.

“It’s hard to estimate who is the threat actor behind this campaign, because all the malware observed in the campaign fall under what we call ‘commodity’ malware. That means that almost anyone can buy them in the underground communities,” Dahan said.

Written by Shannon Vavra