Cloud dev platforms abused in a massive cryptomining campaign

October 28, 2022
Cloud Dev Platforms Cryptomining GitHub Heroku Buddy Works Brand Abuse Purpleurchin Threat Group

Three of the most used cloud development platforms, GitHub, Heroku, and Buddy Works, have been abused by a threat group called ‘Purpleurchin’ for cryptomining campaigns. In this campaign, the threat actors rely on the limited resources provided by the cloud dev platforms to gain income from each free account, generating large amounts when combined.

Researchers observed the Purpleurchin operators performing over a million function calls a day across the CI/CD platforms, using roughly 300 GitHub accounts, 2,000 Heroku accounts, and 900 Buddy Works accounts.


The free accounts on the cloud dev platforms used by the hackers were rotated through 130 Docker Hub images with mining containers.


Purpleurchin used a linuxapp container as its C2 and Stratum server, which coordinates all active cryptomining agents and directs them to the group’s mining pool. The group then used a shell script to automate GitHub account creation, repository creation, and workflow replication via GitHub Actions.

Researchers explained that each GitHub Actions run launches about 30 Docker images, each started with pre-set arguments for the script to execute, the proxy IP address and port to connect to, the Stratum ID name, and the maximum memory and CPU to use. A separate script validates the Stratum server configuration, receives the Docker command from the GitHub repository, and starts the miner container.
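The pattern described above, a CI step that runs a resource-capped container with a Stratum name and a proxy host:port baked into its arguments, is something a platform or repository owner can look for in workflow definitions. The following is an added example, not code from the article or from any of the platforms it names: a small scanner that pulls `docker run` commands out of a GitHub Actions workflow and flags those that combine several of the indicators the article lists. The sample workflow text, the indicator names and the two-indicator threshold are all constructed for this example.

```python
import re
import shlex

# Constructed sample workflow (not from the article). The first step mirrors the
# launch pattern described above; the second is an ordinary test step.
SAMPLE_WORKFLOW = """
name: build
on: [push]
jobs:
  run:
    runs-on: ubuntu-latest
    steps:
      - run: docker run --rm --cpus 1 --memory 512m example/worker:latest /run.sh --proxy 203.0.113.10:3333 --stratum-id worker-01 --max-cpu 70
      - run: docker run --rm node:18 npm test
"""

# Hypothetical indicators chosen for this example, derived from the arguments the
# article says each container is started with.
STRATUM_RE = re.compile(r"stratum", re.IGNORECASE)
HOST_PORT_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d{2,5}$")
RESOURCE_FLAGS = {"--cpus", "--memory", "-m", "--cpu-shares"}
# docker run flags that consume the following token as their value
VALUE_FLAGS = RESOURCE_FLAGS | {"--name", "-e", "--env", "-v", "--volume",
                                "-p", "--publish", "--network"}


def extract_docker_runs(workflow_text):
    """Return the argv list of every `docker run` command found in `- run:` steps."""
    runs = []
    for line in workflow_text.splitlines():
        stripped = line.strip()
        if not stripped.startswith("- run:"):
            continue
        cmd = stripped[len("- run:"):].strip()
        try:
            argv = shlex.split(cmd)
        except ValueError:  # unbalanced quotes; skip rather than crash the scan
            continue
        if argv[:2] == ["docker", "run"]:
            runs.append(argv)
    return runs


def image_of(argv):
    """Return the image name: the first non-flag token after `docker run`."""
    i = 2
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("-"):
            # `--memory=512m` is self-contained; `--memory 512m` uses the next token
            i += 2 if ("=" not in tok and tok in VALUE_FLAGS) else 1
            continue
        return tok
    return None


def score_docker_run(argv):
    """Collect the indicators present in one `docker run` argv."""
    indicators = []
    if any(tok.split("=")[0] in RESOURCE_FLAGS for tok in argv):
        indicators.append("resource-capped container")
    if any(STRATUM_RE.search(tok) for tok in argv):
        indicators.append("stratum reference in arguments")
    if any(HOST_PORT_RE.match(tok) for tok in argv):
        indicators.append("raw host:port argument (possible proxy/relay)")
    return indicators


def find_suspicious_runs(workflow_text, min_indicators=2):
    """Flag docker runs that hit at least `min_indicators` indicators."""
    findings = []
    for argv in extract_docker_runs(workflow_text):
        indicators = score_docker_run(argv)
        if len(indicators) >= min_indicators:
            findings.append({"image": image_of(argv), "indicators": indicators})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_runs(SAMPLE_WORKFLOW):
        print(finding["image"], "->", ", ".join(finding["indicators"]))
```

Requiring two or more indicators keeps a legitimately CPU-limited build container from being flagged on its own; the combination of a cap, a Stratum name and a bare proxy address is what distinguishes the pattern the researchers described.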

The miner uses a portion of the CPU to mine various cryptocurrencies, including Onyx, Sprint, Arionum, Tidecoin, Sugarchain, Yenten, MintMe, and Bitweb. A Stratum mining protocol relay shields the operation from network scanners, obscuring the mining activity and hiding the threat group’s wallet address.

To evade GitHub’s bot-activity detection, the threat group used OpenVPN and Namecheap VPN so that each free account was registered from a different IP address.

Researchers presume that the cryptomining campaign is still in an early, experimental stage, since the cryptocurrencies selected are only marginally profitable. They also suggest the threat group could be attempting to take control of these blockchains by building up majority (about 51%) control of the network.

Meanwhile, the damage to the cloud dev platforms is considered significant and measurable: an estimated $15 per account per month for GitHub, and $7 to $10 per account per month for Heroku and Buddy Works.
