A large-scale, automated “freejacking” effort is using free GitHub, Heroku, and Buddy services to mine cryptocurrencies at the cost of the provider. The operation focuses on using the little resources provided by free cloud accounts to make a modest profit from each free account, which, when added together, amounts to something more substantial.
The threat actor behind the campaign, known as “Purpleurchin,” was seen using CI/CD service providers, including GitHub (300 accounts), Heroku (2,000 accounts), and Buddy.works (900 accounts) to make over a million function calls every day. Rotating and channeling the use of those accounts across 130 Docker Hub images with mining containers has kept Purpleurchin undetectable up until this point.
According to a new report by Sysdig researchers, a linuxapp container named “linuxapp8474447444744474” serves as the command and control server (C2) and Stratum server for the operation, coordinating all active mining agents and directing them to the threat actor’s mining pool. The automated creation of GitHub accounts, the construction of a repository, and the workflow replication using GitHub operations are done using the shell script “userlinux8888”. All GitHub operations are disguised by employing names that are generated at random.
To avoid GitHub’s bot activity detection, Purpleurchin registers each account with a separate IP address using Namecheap VPN and OpenVPN. Using pre-set parameters for the script to run, proxy IP and port to connect to, Stratum ID name, and maximum memory and CPU amounts to employ, the GitHub operations launch around 30 instances of Docker images on each run. Once the setup on the Stratum server has been verified, a different script called “linuxwebapp88” will take over, receive the Docker command from the GitHub repository, and launch the miner container.
The miner secretly mines several digital currencies like Tidecoin, Onyx, Surgarchain, Sprint, Yenten, Arionum, MintMe, and Bitweb, using a small portion of the server’s CPU power. The mining process uses a unique Stratum mining protocol relay, making it difficult for network scanners to find the connections leading out to mining pools. The crypto wallet address of the threat actor is likewise hidden by this relay, leaving analysts at Sysdig puzzled about Purpleurchin’s earnings.
Sysdig estimates the operation is either in an early experimental phase or trying to seize control of blockchains by establishing a network control majority of 51% because the threat actors’ chosen coin is only slightly lucrative. If the first scenario is right, the threat actor may quickly migrate to more lucrative currencies like Monero or Bitcoin. In any instance, Purpleurchin’s objective must be financial gain. Yet, the current freejacking operation may not be the best way to get there.
However, the harm to GitHub is still substantial and quantifiable; according to experts at Sysdig, it costs $15 per month for each account. For each account, the price for Heroku and Buddy is $7 to $10 per month. These estimates show that the service provider would have to spend more than $100,000 for the threat actor to mine only one Monero (XMR) via freejacking. That’s nearly ten times more costly than the average cryptojacking operation’s estimated $11,000 per Monero in losses.