PURPLEURCHIN Campaign Detection: A New Crypto Mining Operation Massively Abuses GitHub Actions and Other Popular Free CI/CD Service Accounts  

[post-views]
October 28, 2022 · 3 min read
PURPLEURCHIN Campaign Detection: A New Crypto Mining Operation Massively Abuses GitHub Actions and Other Popular Free CI/CD Service Accounts  

With crypto mining attacks significantly increasing over the past couple of years, increasing awareness of cryptojacking is of paramount importance. Cybersecurity researchers have recently uncovered a massive cryptojacking campaign abusing free CI/CD service providers, with over 30 GitHub, 2,000 Heroku, and 900 Buddy accounts compromised. Dubbed PURPLEURCHIN, the malicious operation applies sophisticated obfuscation techniques and enhanced automation capabilities leveraging over 130 Docker Hub images and continuously switching between CI/CD service accounts on multiple platforms. 

Detect PURPLEURCHIN Cryptojacking Campaigns

With threat actors targeting multiple environments at once and continuously expanding their scope of attacks, the PURPLEURCHIN crypto mining campaign requires ultra-responsiveness from cyber defenders. SOC Prime Platform for collective cyber defense has published a curated Sigma rule to detect the malicious activity associated with a new PURPLEURCHIN crypto mining campaign. The dedicated Sigma rule written by our prolific Threat Bounty developer Emir Erdogan detects PURPLEURCHIN Docker Hub image execution after downloading GitHub repositories using a curl command.

The detection algorithm is compatible with 20+ SIEM, EDR, and XDR platforms and is aligned with MITRE ATT&CK® addressing two adversary tactics — Impact and Execution with the corresponding Resource Hijacking (T1496) and User Execution (T1204) techniques. 

Detection of PURPLEURCHIN Mining Operation on linux (via process_creation)

With the growing numbers of cryptojacking attacks across the globe, organizations are striving to adapt proactive cybersecurity strategies to timely identify and remediate the risks. Click the Explore Detections button to instantly reach Sigma rules for crypto mining malware detection along with CTI links, ATT&CK references, and other relevant cyber threat context.

Explore Detections

PURPLEURCHIN Attack Description

The Sysdig cybersecurity researchers have recently revealed a massive freejacking operation, in which adversaries are compromising free CI/CD service providers, including GitHub, Heroku, Buddy accounts to mine cryptocurrency. In this campaign named PURPLEURCHIN, attackers have leveraged more than a million free widely used CI/CD platforms, such as GitHub Actions, to perform the malicious operation. 

The fact that the PURPLEURCHIN attacks are capable of running crypto miners across multiple environments increases the risks for organizations that rely on the potentially impacted CI/CD service providers. 

According to the Sysdig research, free service accounts were exploited in the previous malicious campaigns with open-source software like Docker having been a target for crypto mining attacks. Still, in this latest PURPLEURCHIN campaign, the scope of attacks expanding to multiple platforms freejacked simultaneously along with the sophistication of adversary techniques requires immediate attention from cyber defenders. What makes the attack spread at such a scale is the use of automation capabilities enabling cybercriminals to continuously generate free accounts to proceed with the mining operation. 

After executing the initial PURPLEURCHIN Docker Hub image, it triggers GitHub action in multiple repositories using HTTP. Commonly, threat actors apply the XMRig crypto mining tool, the common CPU-bassed miner for deploying Monero, while adversaries in the novel PURPLEURCHIN attack use a CPU coin miner that gets called through Node.js. 

PURPLEURCHIN threat actors have been observed mining Tidecoin, as well as applying a variety of coin miners from the adversary arsenal. Moreover, attackers leverage their own Stratum mining protocol relay, which enables them to hide the crypto wallet address and evade detection.

Imagine the code you write can make a difference and help others to thwart emerging cyber attacks. Join the ranks of our Threat Bounty Program to hone your Sigma and ATT&CK skills and get paid for your own detection algorithms. Write your own detection code, share it with industry peers, and let the world know about your contribution. 

Table of Contents

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts