
Malware Abuse Using Bitbucket Snippets API

Lilavaz atheropids October 19, 2022

Hello Bitbucket Staff,

The following URL is used in a malware sample (Word document) found in the wild and leads to malicious commands.

hxxps://bitbucket[.]org/!api/2.0/snippets/daddyjob/rEBeKk/eb2e3ae345c3222aa8cbc1fb29140f6e1a59eb66/files/blessed-bypass-1.txt

Entrypoint Word document VB object segment leading to the URL (shortened using bit.ly):

https://www.virustotal.com/gui/file/2c8b7232a1e69f86d5871e45eeec535b6c8d55f0f24f03b0ad195c6f3e4c6b0c

 

Malicious MSHTA script dubbed as "blessed bypass" by the attacker:

https://www.virustotal.com/gui/file/01e5872685e618295048fa7c24dc07139103051d157f1a5590b2d437a39b5c30

Final payload bundle:

https://www.virustotal.com/gui/file/3523667d13f8e6dc4b02a1720508531d5834f321b95ec8e79a42340794ffab3a

 

Please check the malicious account (supposedly with username "daddyjob") and take proper action.

 

This post pops up here because Bitbucket still offers NO official way to report abuse.

Please report abuse incidents to abuse@atlassian.com according to staff members.

 

Best,
Anonymous

2 comments

Nic Brough -Adaptavist-
October 19, 2022

Atlassian have asked us to forward any malicious email to them at abuse@atlassian.com

That includes emails about, or from, malicious code hosted on Bitbucket, and even if you've not had an email and are getting this malware through a different route, you can still report the repository / user / service to the same address.

They don't need you to explain much either - if it's an email, just forward it, no commentary needed.  If it's a malware report, they only really need to know what the repository is (but the detail you've given in your post here would be very useful to them, and probably help get it taken down more easily).

But, don't email this one, I've asked an Atlassian to take a look at your post, so they don't need another report via email.  This way it also feeds into the things Atlassian are looking at to improve their abuse handling systems.

Andy Heinzer
Atlassian Team
October 19, 2022

Thanks for the report.  This repo has been taken down.  In the future you can email these directly to abuse@atlassian.com as well.  It is ok to report this here in Community as well, but we sometimes miss things here.

Andy

Lilavaz atheropids October 19, 2022

Thank you! I've edited my post so future viewers (and also myself) will see the email address.
