PurpleUrchin Gang Embraces DevOps in Massive Cloud Malware Campaign

Published: 23/11/2024   Category: security




The Automated Libra group is deploying all components of its campaign in an automated manner via containers, stealing free trial resources for cryptomining, but the threat could get larger.



More information has become available on PurpleUrchin, a malicious campaign in which a threat group called Automated Libra is using DevOps and continuous integration/continuous deployment (CI/CD) practices to mine cryptocurrency on cloud platforms using free trial accounts.
The campaign began in August 2019 and has mainly targeted platforms such as GitHub, Heroku, and ToggleBox. Security vendor Sysdig first reported on the campaign last October. This week, Palo Alto Networks' Unit 42 threat hunting team provided fresh insight on the campaign based on a recent analysis of the threat group's activities — and noted that while cryptomining is the game now, the infrastructure could be used to deliver much worse threats down the road.
Unit 42's research showed that Automated Libra has so far created some 180,000 free trial accounts on various cloud platforms — substantially more than Sysdig had initially reported — using an automated container-based approach for spinning them up. At its peak last November, Automated Libra was creating between three and five new accounts on GitHub every minute. Sysdig previously had estimated that the coin-mining activity via free trial accounts was costing GitHub some $100,000 in lost revenue per user account.
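The signup velocity Unit 42 reports (three to five new accounts a minute at peak) is the kind of signal a platform's abuse team can alert on. The following is an added example, not code from the article, Unit 42, or Sysdig: it runs a sliding one-minute window over a constructed stream of signup events and flags the accounts inside any burst, then breaks the flagged accounts down by source network. The event format, ASNs and threshold are assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed signup events for a hypothetical free-trial platform:
# (UTC timestamp, account id, source ASN). Not real data.
SIGNUPS = [
    ("2023-11-05T10:00:05Z", "acct-0001", "AS64500"),
    ("2023-11-05T10:00:20Z", "acct-0002", "AS64500"),
    ("2023-11-05T10:00:40Z", "acct-0003", "AS64500"),
    ("2023-11-05T10:00:55Z", "acct-0004", "AS64500"),
    ("2023-11-05T10:05:00Z", "acct-0005", "AS64501"),  # organic: minutes apart
    ("2023-11-05T10:09:00Z", "acct-0006", "AS64502"),
    ("2023-11-05T10:30:00Z", "acct-0007", "AS64503"),
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def detect_bursts(events, window_s=60, threshold=3):
    """Sliding window over signups, oldest first. Returns (flagged, peak):
    accounts that fell inside any window holding >= threshold signups, and
    the largest window count seen. The default threshold is the low end of
    the reported peak rate (three to five accounts per minute)."""
    window = timedelta(seconds=window_s)
    recent = deque()          # (timestamp, account, asn) inside the window
    flagged, peak = set(), 0
    for ts, account, asn in sorted(events, key=lambda e: parse_ts(e[0])):
        t = parse_ts(ts)
        recent.append((t, account, asn))
        while t - recent[0][0] > window:   # drop events older than the window
            recent.popleft()
        peak = max(peak, len(recent))
        if len(recent) >= threshold:
            flagged.update(a for _, a, _ in recent)
    return flagged, peak

def flagged_by_source(events, **kw):
    """Count flagged accounts per source ASN; one network producing most of
    a burst is the triage lead an analyst would pull on first."""
    flagged, _ = detect_bursts(events, **kw)
    counts = {}
    for _, account, asn in events:
        if account in flagged:
            counts[asn] = counts.get(asn, 0) + 1
    return counts

if __name__ == "__main__":
    print(detect_bursts(SIGNUPS))
    print(flagged_by_source(SIGNUPS))
```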
Unit 42's analysis showed each individual component of PurpleUrchin's cryptomining operation — from user account creation to coin-mining and trading — shipped within a container and deployed in a highly automated manner.
An initial container contains all the tools needed for automatic account creation. That container automatically creates new accounts on a targeted cloud provider's platform, while also pulling down tools for creating additional containers with cryptomining components for each of the user accounts.
"These additional containers house the individual and unique containerized components of the larger operation," says William Gamazo, principal threat researcher for Unit 42 at Palo Alto Networks. "For example, they include containers specific to the accounts created for each targeted cloud provider, containers created for system administration (like panel displays for monitoring the mining operation), and containers created for coin-miners themselves."
"The threat actors have implemented each component in the architecture as a container," Gamazo says. "In some cases, the entire process starts with a single script," he notes. "That script calls on a configuration file stored in DockerHub, GitHub, or BitBucket for its base operational guidelines," Gamazo tells Dark Reading.
From here, the process becomes highly dynamic and modular, with the creation of a user account that pulls down a container that will start the mass container generation process — essentially a single container that builds all of the additional containers required to perform the mining operation.
The container functionality for initial account creation on GitHub also includes a feature that allows Automated Libra to bypass CAPTCHA images using relatively straightforward image analysis techniques. The CAPTCHA bypass technique basically reuses publicly available tools, though in some cases the threat actors did perform some custom processing.
"While we didn't feel the actor was very sophisticated, they were very effective with this tactic," Gamazo notes.
Unit 42 researchers assessed that Automated Libra had adopted the DevOps and CI/CD approaches to optimize its ability to utilize the limited resources available to them under the free trial programs that many cloud vendors offer. 
"We have not directly witnessed other threat actors performing these types of containerized operations," Gamazo says. "However, last year we saw DDoS attack implementations using containers as part of the deployment," he notes, pointing to a pro-Ukrainian denial-of-service campaign that CrowdStrike reported on last May that involved compromised Docker honeypots.
To create user accounts for free trials, the threat actors likely used stolen or fake credit cards, Unit 42 said. In some cases, the attackers adopted what the security vendor described as a "play and run" approach, where they used a cloud provider's resources for a certain period of time but then disappeared without paying the bill for those services.
The largest unpaid balance that Unit 42 researchers were able to uncover during their research was just $190. But the unpaid balances in other fake accounts could have been much larger considering the scale and breadth of the PurpleUrchin cryptomining operation, they noted.
Cryptomining attacks — where a threat actor stealthily uses an organization's computing resources to mine for cryptocurrencies — have become extremely common in recent years. A study that Kaspersky conducted last year showed that threat actors mainly distribute malicious mining software via unpatched vulnerabilities. In 2022's third quarter, more than 15% of vulnerability exploits that Kaspersky analyzed involved cryptomining tools. In the same quarter, Kaspersky counted more than 150,000 new miner variants, or more than triple the number from 2021's third quarter.
Nathaniel Quist, manager of cloud threat intelligence at Unit 42, says that in the PurpleUrchin campaign, Automated Libra actors were using free or limited-use cloud services specifically for their CPU resources. But that doesn't mean that they couldn't have used it for other purposes as well. The actors, for instance, could have used these resources to perform malicious operations targeting victim organizations such as scanning, brute-forcing accounts, or hosting malicious content.
"If this happened, the victim would have been targeted by attacks originating from the trusted cloud service providers where the actors were creating these accounts," he notes.
The key takeaway for enterprise organizations is that threat actors will increasingly use containers for malicious infrastructure deployment in coming years. "Trusted sources such as cloud providers, cloud storage services, and public services hosted on clouds will be leveraged for launching attacks, and it will be prevalent and difficult to detect," he says.
