I WILL post this over and over again until your staff members decide to handle the issue. Please pay more attention to your corporate social responsibility instead of deleting reports and doing nothing.
The following bucket is used to host and distribute malware.
https://bitbucket.org/trustedrootdev/file/downloads/
All the files hosted in the bucket are scrambled by just reversing the byte order. The following pseudocode unscrambles the files and retrieves the malicious files.

const fs = require('fs');

// Byte array of a raw (scrambled) file.
let data_in = fs.readFileSync('downloaded_file_path');
// Byte array holding the unscrambled file.
let data_out = Buffer.alloc(data_in.length);
for (let i = 0; i < data_in.length; i++) {
    // Output byte i is input byte (length - 1 - i).
    data_out[i] = data_in[data_in.length - i - 1];
}
fs.writeFileSync('/path/to/malware.dll', data_out);
Entry point executable found in the wild:
https://www.virustotal.com/gui/file/64b516f51f36316f3c1d3e3a1a3abc510d5bff7bc56e28ade5e418d1cbfb1dc2/
Scrambled file downloaded by mentioned executable in the reported bucket:
https://www.virustotal.com/gui/file/888b0b22eeb98965c95529291e07a91193736a713279af346bf446892b7eec97/
Unscrambled actual malicious payload:
https://www.virustotal.com/gui/file/7d9fbf3eb00d964d69b72ce86c01e6082ee45ee8fbb820a12ea36aa12ea96323/
All files in the reported bucket are scrambled in the same way and are malicious. Many of the files have over 100k hits, with over 1M potential infections combined based on the public stats on the repository page. The crooks are still using the bucket to deliver malware and removal should be performed ASAP.
Also, the issue is reported here as your company provides absolutely no way to notify you. The lack of a malware/abuse reporting channel has already been prompted in the following report, ignorantly closed by your staff.
https://jira.atlassian.com/browse/BCLOUD-8658
Similar massive abuses have also been reported in 2020 by multiple cybersecurity vendors:
https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware
Community moderators have prevented the ability to post new answers.
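A defender-side check built on the scrambling described in the post above, as an added example that is not part of the original post or any reply: it tests whether a downloaded file becomes a valid PE image once its bytes are reversed, and returns SHA-256 hashes of both forms for lookup. The function names and the sample buffer are constructed for illustration.

```javascript
// Added example: triage a download for a byte-reversed PE image.
const crypto = require('crypto');

function sha256(buf) {
  return crypto.createHash('sha256').update(buf).digest('hex');
}

// True if buf has a plausible PE layout: "MZ" at offset 0 and
// the "PE\0\0" signature at the offset stored in e_lfanew (0x3c).
function looksLikePE(buf) {
  if (buf.length < 0x40 || buf[0] !== 0x4d || buf[1] !== 0x5a) return false;
  const peOffset = buf.readUInt32LE(0x3c);
  if (peOffset > buf.length - 4) return false; // signature must fit in the file
  return buf.readUInt32LE(peOffset) === 0x00004550; // "PE\0\0", little endian
}

// Classify a file as a plain PE, a byte-reversed PE, or neither.
function triage(buf) {
  if (looksLikePE(buf)) return { verdict: 'pe', sha256: sha256(buf) };
  const reversed = Buffer.from(buf).reverse(); // copy first, reverse() is in place
  if (looksLikePE(reversed)) {
    return {
      verdict: 'reversed-pe',
      sha256: sha256(buf),                 // hash of the file as hosted
      unscrambledSha256: sha256(reversed), // hash of the recovered PE
    };
  }
  return { verdict: 'other', sha256: sha256(buf) };
}

// Constructed sample: a bare DOS header plus PE signature, not real malware.
function buildSamplePE() {
  const pe = Buffer.alloc(0x80);
  pe.write('MZ', 0, 'latin1');
  pe.writeUInt32LE(0x40, 0x3c); // e_lfanew points at the PE signature
  pe.write('PE\0\0', 0x40, 'latin1');
  return pe;
}

const demo = triage(Buffer.from(buildSamplePE()).reverse());
console.log(demo.verdict, demo.unscrambledSha256);
```

Both hashes matter for hunting: the scrambled hash matches what was downloaded from the hosting service, while the unscrambled hash matches what lands on disk or in memory.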
Thanks for reporting this repo. My apologies for the difficulties in making such a report to us. Your original post was incorrectly flagged as spam by our automated content moderation system.
In the future, you can report such sites either to our support team, in which case https://support.atlassian.com/contact is the page we suggest. Admittedly though, if you do not have a paid support contract with us, going to that page will automatically redirect you here to Community. You can post these requests here to Community if you like.
Alternatively, anyone can also reach out to abuse@atlassian.com with details of any Atlassian site that is violating our terms of service, so that our anti-abuse team can investigate further.
I am happy to report that this site has been taken down.
Thanks again for letting us know.
Andy
Thank you for resolving the issue. Also, thank you for mentioning the contact email that I can use in the future.
Hi everyone,
I thought I would let you all know that I have created a documentation page specifically for this topic - you can view this at the below link:
https://confluence.atlassian.com/bbkb/report-malware-hosted-on-bitbucket-cloud-1167844183.html
Cheers!
- Ben (Bitbucket Cloud Support)
Thank you for your report. I have created a ticket with the Bitbucket Cloud support team to look into this; you should have received an email with a link to the support ticket.
Your previous posts were removed automatically due to our spam filters. I'll bring up this issue to my team.
Kind regards,
Theodora
Hmm, ok, so
"I WILL post this over and over again until your staff members decide to handle the issue. Please pay more attention to your corporate social responsibility instead of deleting reports and doing nothing."
I note that your previous reports are being removed because they look malicious. It's nothing to do with the staff.
And also, this isn't correct: "Also, the issue is reported here as your company provides absolutely no way to notify you. "
As noted in the issue you've referred to
See https://www.atlassian.com/trust/security
See https://jira.atlassian.com for the tracking of problems raised
You can report anything to Atlassian via https://support.atlassian.com/contact as well and have been able to do so (as noted in the trust and security docs) for several years. Atlassian doesn't just use jira.atlassian.com for their tracking, this route tries to guide your question/report/request to the right place by asking you some questions. Sometimes it will land you in "create issue" in Jira.
Wow, good catch.
Do you know how to handle activities like this on GitHub?