Public source code repository at Bitbucket.org was as abused to host CryptBot, Buer loader with NuclearBot and Cryptominer.
We found the Bitbucket repository via a malicious AutoHotkey downloader. The AutoHotkey script is located in the PE resources with the RCDATA resource type. We used Resource Hacker to access the script (see image below).
The downloader checks IP and location information of the infected system via http://ip-api.com/line/ and puts the result into %TEMP%/ip_.txt. Then it calls two shortened URLs at https://iplogger.org. This URL shortener service provides statistics and location tracking for the shortened links. The site's content is downloaded to %TEMP%/loger.txt and %TEMP%/loger2.txt.
It proceeds to check the country code in ip_.txt and will download PCBoosterSetup.exe for the following country codes: TR, FR, US, DE, GB, HR, HU, RO, PL, IT, PT, ES, CA, DK, AT, NL, AU, AR, NP, SE, BE, NZ, SK, SO, GR, BG
PCBoosterSetup.exe is an installer for PC Booster by Energizer Softech. This software is not malicious, but potentially unwanted. The AutohotKey downloader was submitted by the name setupres.exe to VirusTotal, so it is probably advertised and distributed as PC Booster installer making this a classic trojan horse.
The trojan downloads and executes three files from a public Bitbucket.org repository to %APPDATA%: 1.exe, 3.exe, and 4.exe. Only two of those files were present on Friday evening, 31. January 2020, when we first analysed the trojan.
The Bitbucket repository "new" by the user Lewis Shields contains no source code but three binary files in the downloads section. Two of which are downloaded by the AutohotKey sample.
The repository exists since 16. January 2020. The files are renewed every few hours, the intervals are different for each file. We observed renewal of 1.exe and 4.exe approximately every 5 hours, and renewal of 9.exe approximately once a day.
|Filename||Approximate download rate (observed from 31.Jan.2020 to 3.Feb.2020)||Malware family|
|1.exe||800 downloads per hour||Buer loader and NuclearBot|
|4.exe||2,700 downloads per hour||Coinminer loader|
|9.exe||1,800 downloads per hour||CryptBot|
That means there are more downloaders that access this repository. We downloaded two sets of samples and identified the malware families.
We contacted technical support of Atlassian on Friday afternoon and notified them about the malware hosting repository. Reporting took a bit of effort because it required registration and the forms weren't suited for security issues. On Monday morning an employee at Atlassian contacted me via Twitter because they had seen our tweet. It was due to said employee that the repository was taken down on Monday, 3. February 2020, 67 hours after our report. Given the approximate download rates, more than 355,100 downloads were done during that time frame.
All Lewis Shields' samples are packed with Themida. We identified the samples named "1.exe" as Buer loader with NuclearBot aka TinyNuke. It creates a file in C:\ProgramData\UBlockPlugin\plugin.exe and executes it. The process tree of VMRay shows process injection via CreateRemoteThread from plugin.exe into secinit.exe.
NuclearBot is classified as banking trojan. According to Malpedia criminals put up the malware for sale for 25000 USD in 2016. Its source code was published on Github in the meantime and the author of NuclearBot has been arrested in 2019.
The samples named "9.exe" are infostealer which were identified as CryptBot by @benkow_@StopMalvertisin and @James_inthe_box in this Twitter thread. CryptBot made news on Bleepingcomputer in December 2019 for being installed via a fake VPN site. Among others it steals credentials for browsers, crypto currency wallets, browser cookies, and creates screenshots of the infected system. @benkow_ also told us that CryptBot provides access to a statistics panel for guests to check infected systems worldwide (see image below).
Using that panel we can check stats for certain countries during the time frame the repository was still up. Below is the top 15.
|Nr||Country||Number of infected systems|
The sum of entries in that time frime amounts to 41,620, which is 627 entries per hour. The download rate of CryptBot samples in LewisShields' repository on the other hand was about 1,800 per hour. So we know that at least two thirds of those downloads do not lead to an infection. It is very likely that other CryptBot hosts are used, which makes the rate of downloads not leading to infection higher than that. Those non-infective downloads may stem from automated analysis systems or they are due to Antivirus products which didn't stop the downloader but the CryptoBot sample from executing.
Given the number of ca 355,100 malware downloads for the time frame from reporting to take down of the repository, we can see that early reaction times are crucial. This includes easy access with tailored forms to contact support for security related issues. It also includes having security savvy employees to recognize the importance of the issue and respond to the situation in time. In this case it was due to Twitter and an observant employee that the malware hosting repo was taken down 67 hours after report.
| Autohotkey Downloader||setupres.exe||7d1c47f69805ec4009c0620dadbddeff7a1eaa98eb5a296fbc6ba4cd479c706b|
| Buer, NuclearBot||1.exe||6e713cf82173de60a69dc7ed84d3b006aeb35e8058553155eee674452e1e2017|
| Buer, NuclearBot||1.exe||b68ee1ba36aa100a393710bc06142a742d7e59d62b8204ec4991625467c189b2|
| Coinminer loader||4.exe||c215fdd20f2cda8177c79e7b4b5f0d97ed5dd858e3376f5746dfc99c475329b1|
| Coinminer loader||4.exe||fd60c32090c2171e6fa227e2bc29f72a1c28555f62ea2f01a334fa72af87ab00|
| PC Booster Installer by Energizer Softech||PCBoosterSetup.exe||636a31559c9a532a8ada119380129f9362f6c68b3456228766b3672ae3d676d8|