
Details


    Description

      The following bucket is used to host and distribute malware.

      https://bitbucket.org/trustedrootdev/file/downloads/

      All the files hosted in the bucket are scrambled by just reversing the byte order. The following pseudocode unscrambles the files and retrieves the malicious files.

      // Runnable Node.js form of the pseudocode: the hypothetical
      // readFromFile/writeToFile helpers are replaced by fs calls.
      const fs = require('fs');

      // Byte array of a raw (scrambled) file.
      let data_in = fs.readFileSync('downloaded_file_path');

      // Byte array holding the unscrambled file.
      let data_out = Buffer.alloc(data_in.length);

      // The bucket reverses the byte order, so read the input back to front
      // (the original pseudocode had "- i - i", which was a typo for "- i - 1").
      for (let i = 0; i < data_in.length; i++)
      {
        data_out[i] = data_in[data_in.length - i - 1];
      }

      fs.writeFileSync('/path/to/malware.dll', data_out);

      Entry point executable found in the wild:
      https://www.virustotal.com/gui/file/64b516f51f36316f3c1d3e3a1a3abc510d5bff7bc56e28ade5e418d1cbfb1dc2/

      Scrambled file downloaded by mentioned executable in the reported bucket:
      https://www.virustotal.com/gui/file/888b0b22eeb98965c95529291e07a91193736a713279af346bf446892b7eec97/

      Unscrambled actual malicious payload:
      https://www.virustotal.com/gui/file/7d9fbf3eb00d964d69b72ce86c01e6082ee45ee8fbb820a12ea36aa12ea96323/

      All files in the reported bucket are scrambled in the same way and are malicious. Many of the files have over 100k hits, with over 1M potential infections combined based on the public stats on the repository page. The crooks are still using the bucket to deliver malware and removal should be performed ASAP.

      Also, the issue is reported here as your company provides absolutely no way to notify you. The lack of a malware/abuse reporting channel has already been prompted in the following report, ignorantly closed by your staff.
      https://jira.atlassian.com/browse/BCLOUD-8658

      Similar massive abuses have also been reported in 2020 by multiple cybersecurity vendors:
      https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware
      https://www.bitdefender.com/blog/labs/new-router-dns-hijacking-attacks-abuse-bitbucket-to-host-infostealer/

      Please remove the reported malicious bucket and implement an official channel for reporting abuse.
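      Added example (not part of the report and not Bitbucket's own tooling): a Node.js triage check for the byte-reversal scrambling described above. A PE file starts with "MZ" and carries a fixed DOS stub string, so after reversal both appear reversed at the tail of the download, which can be checked cheaply before unscrambling. The sample buffer is constructed, not a real payload.

```javascript
// Added example, not from the report: triage a downloaded file for the
// byte-reversal scrambling described above. A PE file begins with "MZ"
// and carries the DOS stub string below; after byte reversal both end up
// reversed at the END of the file, which is cheap to check before running
// an unscrambler over every download.
const DOS_STUB = Buffer.from('This program cannot be run in DOS mode', 'latin1');
const DOS_STUB_REVERSED = Buffer.from(Array.from(DOS_STUB).reverse());

// Undo the scrambling: reverse the byte order of the whole file.
function unscramble(data) {
  return Buffer.from(Array.from(data).reverse());
}

// True when the tail of the file looks like a reversed PE header.
function looksLikeReversedPE(data) {
  if (data.length < 64) return false;
  // Reversed "MZ" magic: the last two bytes are 'Z' then 'M'.
  const tailMagic = data[data.length - 2] === 0x5a && data[data.length - 1] === 0x4d;
  // The reversed DOS stub string must appear somewhere in the file.
  const hasStub = data.indexOf(DOS_STUB_REVERSED) !== -1;
  return tailMagic && hasStub;
}

// Classify a download and, if it is a reversed PE, report the recovered magic.
function triage(data) {
  if (!looksLikeReversedPE(data)) return { reversedPE: false, magic: null };
  const plain = unscramble(data);
  return { reversedPE: true, magic: plain.subarray(0, 2).toString('latin1') };
}

// Constructed sample: a minimal fake PE-like header (not real malware),
// so the example runs offline.
function buildSample() {
  const mz = Buffer.concat([Buffer.from('MZ', 'latin1'), Buffer.alloc(62, 0)]);
  const stub = Buffer.concat([DOS_STUB, Buffer.from('.\r\r\n$', 'latin1')]);
  return Buffer.concat([mz, stub, Buffer.from('PE\0\0', 'latin1')]);
}
const SAMPLE_PLAIN = buildSample();
const SAMPLE_SCRAMBLED = Buffer.from(Array.from(SAMPLE_PLAIN).reverse());

console.log(triage(SAMPLE_SCRAMBLED)); // { reversedPE: true, magic: 'MZ' }
console.log(triage(SAMPLE_PLAIN));     // { reversedPE: false, magic: null }
```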

            People

              Assignee: Unassigned
              Reporter: ad9b56a27f1a Lilavaz atheropids