Details
Type: Suggestion
Resolution: Won't Fix
Description
The following bucket is used to host and distribute malware.
https://bitbucket.org/trustedrootdev/file/downloads/
All the files hosted in the bucket are scrambled by simply reversing the byte order. The following pseudocode unscrambles a file and retrieves the malicious payload.
// Byte array of the raw (scrambled) file as downloaded.
let data_in = readFromFile('downloaded_file_path');
// Byte array holding the unscrambled file.
let data_out = Array(data_in.length);
// Reverse the byte order: the last input byte becomes the first output byte.
for (let i = 0; i < data_in.length; i++) {
    data_out[i] = data_in[data_in.length - i - 1];
}
writeToFile('/path/to/malware.dll', data_out);
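The following triage helper is an added example, not code from the report: it undoes the byte-order reversal and, assuming the payload is a Windows PE file (the report names the result malware.dll), flags a scrambled sample by checking for a reversed 'MZ' signature at the tail and a valid 'PE\0\0' header after unscrambling. The sample header bytes are constructed here and are not a real file.

```python
"""Detect PE files stored with their byte order reversed (constructed example)."""
import struct


def unscramble(data: bytes) -> bytes:
    """Undo the scrambling described in the report: reverse the byte order."""
    return data[::-1]


def looks_like_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of PE header
    if e_lfanew < 0x40 or e_lfanew > len(data) - 4:
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify(data: bytes) -> str:
    """Return 'pe', 'reversed-pe' (scrambled as in the report) or 'unknown'."""
    if looks_like_pe(data):
        return "pe"
    # A reversed PE ends with 'ZM'; cheap tail check before reversing everything.
    if data[-2:] == b"ZM" and looks_like_pe(unscramble(data)):
        return "reversed-pe"
    return "unknown"


def scan_file(path: str) -> str:
    """Classify a file on disk (hypothetical helper for batch triage)."""
    with open(path, "rb") as fh:
        return classify(fh.read())


def build_sample_pe() -> bytes:
    """Constructed minimal DOS/PE header stub; not an executable of any kind."""
    header = bytearray(0x80)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> 0x40
    header[0x40:0x44] = b"PE\0\0"
    return bytes(header)


SAMPLE_PE = build_sample_pe()
SAMPLE_SCRAMBLED = SAMPLE_PE[::-1]  # what the bucket would serve

if __name__ == "__main__":
    print(classify(SAMPLE_PE), classify(SAMPLE_SCRAMBLED), classify(b"hello"))
```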
Entry point executable found in the wild:
https://www.virustotal.com/gui/file/64b516f51f36316f3c1d3e3a1a3abc510d5bff7bc56e28ade5e418d1cbfb1dc2/
Scrambled file downloaded by mentioned executable in the reported bucket:
https://www.virustotal.com/gui/file/888b0b22eeb98965c95529291e07a91193736a713279af346bf446892b7eec97/
Unscrambled actual malicious payload:
https://www.virustotal.com/gui/file/7d9fbf3eb00d964d69b72ce86c01e6082ee45ee8fbb820a12ea36aa12ea96323/
All files in the reported bucket are scrambled in the same way and are malicious. Many of the files have over 100k hits, with over 1M potential infections combined based on the public stats on the repository page. The crooks are still using the bucket to deliver malware and removal should be performed ASAP.
Also, the issue is reported here because your company provides absolutely no way to notify you. The lack of a malware/abuse reporting channel has already been raised in the following report, which your staff ignorantly closed.
https://jira.atlassian.com/browse/BCLOUD-8658
Similar massive abuses have also been reported in 2020 by multiple cybersecurity vendors:
https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware
https://www.bitdefender.com/blog/labs/new-router-dns-hijacking-attacks-abuse-bitbucket-to-host-infostealer/
Please remove the reported malicious bucket and implement an official channel for reporting abuse.
Issue Links
- is related to: BCLOUD-8658 Private Abuse Report Form (BB-9789) (Closed)