PurpleUrchin Bypasses CAPTCHA and Steals Cloud Platform Resources

Unit 42 researchers examine Automated Libra, the cloud threat actor behind PurpleUrchin, which freejacks cloud resources to mine cryptocurrency. They reveal CI/CD automation, massive GitHub and cloud account creation, CAPTCHA exploitation, and a Play and Run tactic that leaves cloud vendors with unpaid bills. #PurpleUrchin #AutomatedLibra #PlayandRun #GitHub #Heroku

Key points

  • The operation uses a Play and Run tactic, where malicious actors use cloud resources and refuse to pay the bill once it arrives.
  • CI/CD automation and containerization drive rapid account creation and mining across cloud platforms.
  • Researchers found more than 130,000 user accounts created across services like GitHub, Heroku, and Togglebox.
  • The actors bypassed CAPTCHA on GitHub using image-analysis techniques and standard ImageMagick tools.
  • GitHub workflows and external Bash scripts were deployed via generated pipelines to manage mining operations.
  • The infrastructure is spread across multiple cloud providers, employing a modular CI/CD architecture to scale and adapt.

MITRE Techniques

  • [T1583] Acquire Infrastructure – Cloud Infrastructure – The actors procure and use cloud services (e.g., Heroku, Togglebox) to host mining operations. ‘Some of the cloud service providers that offer CAP and AHP services that were targeted by the PurpleUrchin actors include Heroku and Togglebox, among others.’
  • [T1136] Create Account – GitHub Accounts – They automatically created GitHub accounts at a rapid rate to facilitate automation. ‘automatically created GitHub accounts at an average rate of three to five accounts per minute.’
  • [T1059] Command and Scripting Interpreter – Bash and PHP – The automation relies on shell and scripting languages to create accounts and manage tasks. ‘The actor used Bash scripts and a PHP script to read incoming IMAP messages.’
  • [T1105] Ingress Tool Transfer – Public tools shipped inside containers to enable automation (Iron Browser, xdotool, ImageMagick). ‘The tools needed for the automatic account creation process were shipped as a container. In the latest version of the container, the actor combined several publicly available and legitimate tools to perform their operations, such as: Iron Browser, xdotool, ImageMagick.’
  • [T1496] Resource Hijacking – Cryptomining and unpaid cloud usage – Play and Run described as using cloud resources and not paying. ‘Play and Run tactic involves malicious actors using cloud resources and refusing to pay for those resources once the bill arrives.’
  • [T1036] Masquerading – Random naming and MD5-based identifiers – The naming conventions for repos/workflows used MD5 hashes to obscure identity. ‘random naming convention command’ and ‘based on MD5 hashes.’

Indicators of Compromise

  • [Domain] linux84.distro.cloudns.cl – Domain used in the actor's infrastructure; an SSL certificate issued for it is noted in the research.
  • [Domain] github.com – GitHub domain used for account creation and repository deployments (GitHub API workflows mentioned).
  • [Domain] herokuapp.com – Domain associated with Heroku Cloud Application Platform (CAP) used by the actors.

Read more: https://unit42.paloaltonetworks.com/purpleurchin-steals-cloud-resources/