A South Africa-based threat actor known as Automated Libra has been observed employing CAPTCHA bypass techniques to create GitHub accounts in a programmatic fashion as part of a freejacking campaign dubbed PURPLEURCHIN.
The group “primarily targets cloud platforms offering limited-time trials of cloud resources in order to perform their crypto mining operations,” Palo Alto Networks Unit 42 researchers William Gamazo and Nathaniel Quist said.
PURPLEURCHIN first came to light in October 2022 when Sysdig disclosed that the adversary created as many as 30 GitHub accounts, 2,000 Heroku accounts, and 900 Buddy accounts to scale its operation.
Now according to Unit 42, the cloud threat actor group created three to five GitHub accounts every minute at the height of its activity in November 2022, totally setting up over 130,000 bogus accounts across Heroku, Togglebox, and GitHub.
More than 22,000 GitHub accounts are estimated to have been created between September and November 2022: three in September, 1,652 in October, and 20,725 in November. A total of 100,723 unique Heroku accounts have also been identified.
The cybersecurity company also termed the abuse of cloud resources as a “play and run” tactic designed to avoid paying the platform vendor’s bill by making use of falsified or stolen credit cards to create premium accounts.
Its analysis of 250GB of data puts the earliest sign of the crypto campaign at least nearly 3.5 years ago in August 2019, in addition to uncovering the use of more than 40 wallets and seven different cryptocurrencies.
The core idea that undergirds PURPLEURCHIN is the exploitation of computational resources allocated to free and premium accounts on cloud services in order to reap monetary profits on a massive scale before losing access for non-payment of dues.
Besides automating the account creation process by leveraging legitimate tools like xdotool and ImageMagick, the threat actor has also been found to take advantage of weakness within the CAPTCHA check on GitHub to further its illicit objectives.
This is accomplished by using ImageMagick’s convert command to transform the CAPTCHA images to their RGB complements, followed by using the identify command to extract the skewness of the red channel and selecting the smallest value.
Once the account creation is successful, Automated Libra proceeds to create a GitHub repository and deploys workflows that make it possible to launch external Bash scripts and containers for initiating the crypto mining functions.
The findings illustrate how the freejacking campaign can be weaponized to maximize returns by increasing the number of accounts that can be created per minute on these platforms.
“It is important to note that Automated Libra designs their infrastructure to make the most use out of CD/CI tools,” the researchers concluded.
“This is getting easier to achieve over time, as the traditional VSPs are diversifying their service portfolios to include cloud-related services. The availability of these cloud-related services makes it easier for threat actors, because they don’t have to maintain infrastructure to deploy their applications.”