South African threat actors known as ‘Automated Libra’ has been improving their techniques to make a profit by using cloud platform resources for cryptocurrency mining.
According to Palo Alto Networks Unit 42, the threat actors use a new CAPTCHA solving system, follow a more aggressive use of CPU resources for mining, and mixe ‘freejacking’ with the “Play and Run” technique to abuse free cloud resources.
‘Automated Libra’ was first exposed by analysts at Sysdig in October 2022, who named the malicious cluster of activity ‘PurpleUrchin’ and believed the group was devoted to freejacking operations.
Unit 42 has dived deeper into this operation, analyzing over 250 GB of collected data and uncovering a lot more about the threat actor’s infrastructure, history, and techniques.
Overview of Automated Libra
The threat actor runs automated campaigns abusing continuous integration and deployment (CI/CD) service providers, such as GitHub, Heroku, Buddy.works, and Togglebox, to set up new accounts on the platforms and run cryptocurrency miners in containers.
Whereas Sysdig identified 3,200 malicious accounts belonging to ‘PurpleUrchin,’ Unit 42 now reports that the threat actor has created and used over 130,000 accounts on the platforms since August 2019, when the first signs of its activities can be traced.
Additionally, Unit 42 discovered that the threat actor didn’t use containerized components only for mining but also for trading the mined cryptocurrency across various trading platforms, including ExchangeMarket, crex24, Luno, and CRATEX.
New Play and Run tactics
Sysdig noticed that the threat actors engaged in ‘freejacking,’ attempting to exploit whatever available resources are allocated to free accounts, trying to make significant profit by scaling up its operation.
Unit 42 confirms that freejacking is an important aspect of PurpleUrchin’s operations but reports that the “Play and Run” strategy is also heavily implicated.
Play and Run is a term for threat actors using paid resources for profit, in this case, cryptomining, and refusing to pay the bills until their accounts are frozen. At that point, they abandon them and move on.
Typically, PurpleUrchin uses stolen PII and credit card data to create premium accounts on various VPS and CSP platforms, so nobody can trace them when they leave unpaid debts.
“The actor also appeared to reserve a full server or cloud instances and they sometimes used CSP services such as AHPs,” explains the Unit 42 report.
“They did so in order to facilitate hosting web servers that were required to monitor and track their large-scale mining operations.”
In these cases, the threat actor utilizes as many CPU resources as possible before they lose access to it.
This contrasts the tactic followed in the freejacking campaigns, where the miner only uses a tiny part of the server’s CPU power.
GitHub CAPTCHA solving
One notable technique employed by Automated Libra is a CAPTCHA-solving system that helps them create many accounts on GitHub without requiring manual intervention.
The threat actors use ImageMagic’s “convert” tool to convert CAPTCHA images into their RGB equivalents and then use the “identify” tool to extract the Red channel skewness for each image.
The value outputted by the “identify” tool is used for ranking the images in ascending order. Finally, the automated tool uses the table to select the image that tops the list, which is usually the right one.
This system highlights the determination of Automated Libra to achieve higher operational efficiency by increasing the number of accounts per minute they can create on GitHub.