
Researchers reckon 500k PCs infested with malware after dodgy downloads install even more nasties from Bitbucket

That 'free' Adobe or Microsoft software isn't all it's cracked up to be, eh?

We don't know who needs to hear this, but don't download cracked commercial software. Researchers claim more than 500,000 PCs have been left wriggling with malware after a cracked app went on to retrieve further nasties from Bitbucket repos.

Security company Cybereason has studied a campaign to deliver "an arsenal of malware" including credential stealers, cryptocurrency miners, ransomware and crypto-coin pinchers.

"It is also able to take pictures using the camera [and] take screenshots," wrote researchers Lior Rochberger and Assaf Dahan.

How this stuff was managed and coordinated without bringing the user's machine to a standstill is not specifically mentioned, but the duo added that "the combination of so many different types of malware exfiltrating so many different types of data can leave organisations unworkable".

Users generally start their journey to hell, according to the paper, by "downloading a cracked version of commercial software like Adobe Photoshop, Microsoft Office, and others". There is an insatiable appetite for free versions of expensive software, it seems, and search engines are happy to help. We searched Bing for "Download Adobe" and right at the top of the page were videos with guides to illegal downloads; no, we did not test these for malware but it would not be surprising if they came with some unwanted extras.

Figure: How malware proliferates by downloading from Bitbucket repositories

Rochberger and Dahan reckon that some such downloads create a connection to Bitbucket repositories to install "additional payloads". Bitbucket is a code-management platform from Atlassian. There is no suggestion that Bitbucket itself has any specific vulnerabilities, but the claim is that serving malware from legitimate sites such as this – or others like GitHub, Dropbox and Google Drive – makes it harder for security software to detect. In addition, the researchers said the repositories are "updated almost constantly by the threat actor" in order to evade antivirus signature lists.
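As an added example (not from the article or from Cybereason's report), here is a small Python triage script run over constructed proxy-log lines. It flags executable or archive downloads from the legitimate hosting sites named above when the fetching process is not a known developer tool, and it surfaces the same URL serving different-sized files, which is what "constantly updated" repositories look like from the network side and why hash-based blocking alone misses them. The log format, process names, and the developer-tool allowlist are assumptions.

```python
"""Flag payload fetches from legitimate code/file-hosting domains.
Log format, process names and the allowlist below are assumptions."""
import re
from collections import defaultdict
from urllib.parse import urlparse

HOSTING_DOMAINS = ("bitbucket.org", "github.com", "dropbox.com", "drive.google.com")
DEV_TOOLS = {"git.exe", "code.exe", "chrome.exe", "firefox.exe", "msedge.exe"}  # hypothetical allowlist
EXEC_EXT = re.compile(r"\.(exe|dll|msi|zip|7z|scr)(\?|$)", re.IGNORECASE)

# Constructed proxy log lines (not real data): timestamp host process url status bytes
SAMPLE_LOG = """\
2020-02-06T10:01:02 WS-17 photoshop_crack.exe https://bitbucket.org/someuser/repo1/downloads/update.exe 200 734210
2020-02-06T10:03:41 WS-17 photoshop_crack.exe https://bitbucket.org/someuser/repo1/downloads/update.exe 200 812994
2020-02-06T10:05:12 WS-17 explorer.exe https://bitbucket.org/someuser/repo2/downloads/svc.zip 200 401223
2020-02-06T10:06:00 WS-03 git.exe https://github.com/org/project/archive/main.zip 200 2210000
2020-02-06T10:07:15 WS-03 chrome.exe https://www.dropbox.com/s/abc/report.pdf 200 99000
"""

def parse_line(line):
    ts, host, proc, url, status, size = line.split()
    return {"ts": ts, "host": host, "proc": proc.lower(), "url": url,
            "status": int(status), "size": int(size)}

def hosting_domain(url):
    """Return the matching hosting domain (including subdomains) or None."""
    netloc = urlparse(url).netloc.lower()
    for d in HOSTING_DOMAINS:
        if netloc == d or netloc.endswith("." + d):
            return d
    return None

def flag_downloads(log_text):
    """One alert per executable/archive pulled from a hosting domain by a
    process outside the developer-tool allowlist; plus per-host counts."""
    alerts, per_host = [], defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        domain = hosting_domain(rec["url"])
        if domain is None or rec["status"] != 200:
            continue
        if not EXEC_EXT.search(rec["url"]) or rec["proc"] in DEV_TOOLS:
            continue
        per_host[rec["host"]] += 1
        alerts.append((rec["host"], rec["proc"], domain, rec["url"], rec["size"]))
    return alerts, dict(per_host)

def repeat_fetchers(per_host, threshold=2):
    """Hosts that keep pulling payloads from hosting sites (the report's
    'constantly updated' pattern), sorted for stable output."""
    return sorted(h for h, n in per_host.items() if n >= threshold)

def changed_payloads(alerts):
    """Same URL served with different sizes across fetches: a cheap signal that
    the repository contents were replaced, so a per-file hash block is stale."""
    sizes = defaultdict(set)
    for _host, _proc, _domain, url, size in alerts:
        sizes[url].add(size)
    return sorted(url for url, s in sizes.items() if len(s) > 1)
```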

As is common, there is a marketing element to the report, with the researchers recommending an "iterative security process" to defend against this kind of attack.

Despite the researchers' "Hole in the bucket" headline, the real story here is the risks inherent in users trying to get commercial software for free. Atlassian was quick to remove the malicious repositories reported to them, but the scale of services like this is such that preventing further occurrences is likely to be unrealistic. ®
