An analysis of the PurpleUrchin campaign.
Jan 5, 2023

Unit 42 researchers break down Automated Libra’s PurpleUrchin freejacking campaign.


Researchers from Palo Alto Networks’ Unit 42 released a report this morning on threat actor group Automated Libra, the gang behind the PurpleUrchin freejacking campaign.

Automated Libra.

The group behind the campaign, Automated Libra, is based in South Africa and targets cloud platforms in what is known as “freejacking,” or, “the process of using free (or limited-time) cloud resources to perform cryptomining operations,” as Unit 42 researchers define this variant of cryptojacking.

The meat and potatoes of a cryptojacking campaign.

The PurpleUrchin campaign was first discovered in October of last year. The group was seen using “Play and Run” tactics, defined by the researchers as “using cloud resources and not paying the cloud platform vendor’s resource bill.” The actors created and used fake accounts with falsified or stolen credit cards, which held unpaid balances. Operations were seen peaking in November, with three to five GitHub accounts being created every minute. More than 250 GB of container data was analyzed by the researchers, and it was found that the group heavily leveraged DevOps automation techniques such as continuous integration and continuous development (CI/CD).

The victims of freejacking.

Heroku, Togglebox, and GitHub were observed to be cloud service platforms utilized by the actors, but data traced threat actor activity back to August of 2019, which showed activity spread amongst a multitude of cloud providers and crypto exchanges.

Added, 2:15 PM, on January 5th, 2023.

Crane Hassold, Director of Threat Intelligence at Abnormal Security, commented on a lesson to be drawn from PurpleUrchin: cloud credentials are valuable to criminals. “While the tactics described in the report rely on creating a large number of fake accounts and exploiting free trials,” he wrote, “the same techniques could be used to leverage resources in an organization’s compromised cloud environment to accomplish the same goals. This is one of the reasons cloud credentials are so valuable in today’s underground cybercrime economy; they can be exploited in dozens of different ways.”