A South African threat actor tracked as “Automated Libra” has been abusing cloud platforms to mine cryptocurrency.
Palo Alto Networks Unit 42 reports that the actor employs a new CAPTCHA-solving system and a more aggressive mining strategy, and combines “freejacking” with a “Play and Run” technique to exploit free and unpaid cloud resources.
Analysts at Sysdig discovered ‘Automated Libra’ in . They named the malicious cluster of activity “PurpleUrchin”, believing the group was dedicated to freejacking.
Unit 42 has since dug further into the operation, analysing over 250 GB of collected data and uncovering more about the infrastructure, history and techniques used by this threat actor.
Automated Libra overview
To set up new accounts and run container-based cryptocurrency miners, the threat actor abuses continuous integration and continuous deployment (CI/CD) service providers such as GitHub and Buddy.works.
Sysdig had identified 3,200 accounts maliciously created by ‘PurpleUrchin’; Unit 42 now reports that the actor has used more than 130,000 such accounts since August 2019, the date of the earliest evidence that can be traced to the campaign.
Unit 42 also found that the actor used containerized components not only for mining, but also for trading the mined cryptocurrency on various trading platforms, including ExchangeMarket, crex24 and Luno.
The “Play and Run” tactic
Sysdig had observed the actor engaged in “freejacking”: creating free accounts on cloud services and consuming whatever free resources those accounts are granted. Sysdig also noted that the actor was scaling up the operation for significant profit.
Unit 42 confirmed that PurpleUrchin engages in freejacking, but also found that it relies heavily on a “Play and Run” strategy.
Play and Run refers to threat actors who consume paid resources for their own profit, in this case cryptomining, and never pay the bill: they use the account until the provider freezes it for non-payment, then abandon it and move on.
PurpleUrchin typically uses stolen credit card and PII data to set up premium accounts on VPS and cloud service provider (CSP) platforms, which makes it practically impossible to trace the unpaid debts back to the real account owners.
The report explains that the actor “also appeared to reserve full servers or cloud instances, and they occasionally used CSP services like AHPs.”
This made it easier to host the web servers needed to track and monitor the large-scale mining operation.
In these cases the actor consumes as much CPU as possible before losing access to the account.
This contrasts with the freejacking campaigns, where the miner uses only a small portion of the server’s processing power so as not to draw attention.
GitHub CAPTCHA solving
Automated Libra has a CAPTCHA-solving method that lets it create many GitHub accounts with minimal manual intervention.
The actor uses ImageMagick’s convert tool to convert the CAPTCHA images to RGB, then uses ImageMagick’s identify tool to compute the skewness of the red channel of each image.
[Figure: CAPTCHA image and its conversion (Unit 42)]
[Figure: Command to extract the skewness value (top) and the resulting image ranking (bottom) (Unit 42)]
The value produced by identify is used to rank the candidate images in ascending order; the automated tooling then selects the image at the top of the list, which is often the correct one.
This system shows Automated Libra’s determination to improve operational efficiency by increasing the number of GitHub accounts it can create per minute.
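To make the ranking step concrete, here is an added example of the “compute red-channel skewness, sort ascending, take the first” heuristic described above. It is not code from Unit 42 or from the actor’s tooling: it reimplements the skewness statistic in pure Python (ImageMagick’s `identify -verbose` reports the same per-channel statistic) so it runs offline, reads binary PPM images with a minimal parser instead of calling ImageMagick, and operates on three constructed 4x4 images with hypothetical file names.

```python
"""Rank candidate CAPTCHA images by red-channel skewness.

Added example, not the actor's tooling. The PPM images below are constructed
for this demo; the skewness formula is the standard population-moment
coefficient that ImageMagick's `identify -verbose` prints per channel.
"""


def write_ppm(width, height, pixels):
    """Serialise a list of (r, g, b) tuples to a binary PPM (P6) image."""
    header = f"P6\n{width} {height}\n255\n".encode("ascii")
    return header + bytes(channel for px in pixels for channel in px)


def read_ppm(data):
    """Minimal P6 parser: returns (width, height, maxval, [(r, g, b), ...])."""
    tokens, pos = [], 0
    while len(tokens) < 4:                       # magic, width, height, maxval
        while data[pos:pos + 1].isspace():
            pos += 1
        start = pos
        while data[pos:pos + 1] and not data[pos:pos + 1].isspace():
            pos += 1
        tokens.append(data[start:pos])
    pos += 1                                     # one whitespace byte precedes the raster
    if tokens[0] != b"P6":
        raise ValueError("not a binary PPM")
    width, height, maxval = (int(t) for t in tokens[1:])
    raster = data[pos:pos + width * height * 3]
    if len(raster) != width * height * 3:
        raise ValueError("truncated raster")
    pixels = [tuple(raster[i:i + 3]) for i in range(0, len(raster), 3)]
    return width, height, maxval, pixels


def skewness(values):
    """Pearson's moment coefficient of skewness using population moments."""
    n = len(values)
    mean = sum(values) / n
    var = sum((v - mean) ** 2 for v in values) / n
    if var < 1e-12:
        return 0.0          # constant channel has no asymmetry; avoid 0/0
    m3 = sum((v - mean) ** 3 for v in values) / n
    return m3 / var ** 1.5


def red_channel_skewness(ppm_bytes):
    """Skewness of the red channel, with values normalised to [0, 1]."""
    _, _, maxval, pixels = read_ppm(ppm_bytes)
    return skewness([px[0] / maxval for px in pixels])


def rank_candidates(images):
    """Return [(name, skew)] sorted ascending; the actor's tooling, per Unit 42,
    submits the first entry as its CAPTCHA answer."""
    scored = [(name, red_channel_skewness(data)) for name, data in images.items()]
    return sorted(scored, key=lambda item: item[1])


def pick_candidate(images):
    return rank_candidates(images)[0][0]


# Constructed candidates (green and blue held at 0; only red matters here).
FLAT = write_ppm(4, 4, [(255, 0, 0)] * 16)                          # uniform red: skew 0
MOSTLY_DARK = write_ppm(4, 4, [(0, 0, 0)] * 15 + [(255, 0, 0)])     # one bright pixel: positive skew
MOSTLY_BRIGHT = write_ppm(4, 4, [(255, 0, 0)] * 15 + [(0, 0, 0)])   # one dark pixel: negative skew

SAMPLE_IMAGES = {"flat.ppm": FLAT, "dark.ppm": MOSTLY_DARK, "bright.ppm": MOSTLY_BRIGHT}

if __name__ == "__main__":
    for name, skew in rank_candidates(SAMPLE_IMAGES):
        print(f"{name:12s} red skewness = {skew:+.4f}")
    print("selected:", pick_candidate(SAMPLE_IMAGES))
```

With real CAPTCHA files the same pipeline would be `convert in.png -colorspace RGB out.png` followed by reading the `skewness:` line under the Red channel in `identify -verbose out.png`; the article does not reproduce the actor’s exact command line, so that mapping is an assumption. The heuristic works only because the challenge’s correct image differs from the decoys in how its red intensities are distributed, which is why a defender’s counter is to make the candidate images statistically indistinguishable rather than to block ImageMagick.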