Security researchers recently uncovered Gitpaste-12, a new worm that uses GitHub and Pastebin to host its component code. The new malware has 12 different attack modules available, says security firm Juniper.
Gitpaste-12 Worm targeting Linux-based x86 servers
The researchers first spotted the Gitpaste-12 worm in October, with new attacks registered in November. The initial attacks targeted Linux-based x86 servers, as well as Linux ARM and MIPS based IoT devices.
The researchers dubbed the malware Gitpaste-12 because it uses GitHub, Pastebin, and 12 methods to compromise a targeted system. The researchers reported both the Pastebin URL and the git repository used in the attacks after their discovery. The git repo was subsequently closed on October 30, 2020.
The second wave of attacks started on November 10, and Juniper says it used payloads from another GitHub repo. The repo contained Linux crypto mining malware, a password list for brute-force attacks, and a local privilege escalation exploit for x86_64 systems.
The initial infection occurs via X10-Unix, a binary written in Go, which downloads the next-stage payloads from GitHub.
What type of devices does Gitpaste-12 target?
Web applications, IP cameras, and routers are the primary targets of the worm in “a wide-ranging series of attacks.” The attacks are using at least 31 known vulnerabilities, seven of which were seen in the previous malware sample. The worm also attempts to compromise Android Debug Bridge connections, and existing malware backdoors, says Juniper researcher Asher Langton.
It is noteworthy that most of the exploits the worm uses are new, with public disclosures and proof-of-concept code dated as recently as September. Recent instances of Gitpaste-12 try to accomplish these three steps:
1. Install Monero cryptomining software.
2. Install the appropriate version of the X10-unix worm.
3. Open a backdoor listening on ports 30004 and 30006 and upload the victim’s IP address to a private Pastebin paste.
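A small host check, added here as an illustration and not taken from Juniper's report: it parses `/proc/net/tcp`-format lines (a constructed sample is embedded) and flags sockets in LISTEN state on the two backdoor ports named in step 3.

```python
"""Flag listening TCP sockets on the Gitpaste-12 backdoor ports (30004, 30006).
Added example; the sample table below is constructed, not a real capture."""

BACKDOOR_PORTS = {30004, 30006}  # ports named in Juniper's report
LISTEN_STATE = "0A"              # TCP_LISTEN as shown in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout: sshd on 22, the two backdoor
# listeners (0x7534 = 30004, 0x7536 = 30006) and one established connection.
# Addresses are little-endian hex IPv4 followed by a hex port.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:7534 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 23456 1 0000000000000000 100 0 0 10 0
   2: 0100007F:7536 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 100 0 0 10 0
   3: 0100007F:A8C2 0100007F:7534 01 00000000:00000000 00:00000000 00000000     0        0 45678 1 0000000000000000 20 4 30 10 -1
"""


def parse_tcp_table(text):
    """Return a list of dicts (ip, port, state, uid, inode) from /proc/net/tcp text."""
    entries = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        ip_hex, port_hex = fields[1].split(":")
        # The kernel writes IPv4 addresses as little-endian hex, so reverse the bytes.
        octets = [int(ip_hex[i:i + 2], 16) for i in (6, 4, 2, 0)]
        entries.append({
            "ip": ".".join(str(o) for o in octets),
            "port": int(port_hex, 16),
            "state": fields[3],
            "uid": int(fields[7]),
            "inode": int(fields[9]),
        })
    return entries


def find_backdoor_listeners(text, ports=BACKDOOR_PORTS):
    """Return LISTEN-state entries on the given ports, sorted by port."""
    return sorted(
        (e for e in parse_tcp_table(text)
         if e["state"] == LISTEN_STATE and e["port"] in ports),
        key=lambda e: e["port"],
    )


if __name__ == "__main__":
    # On a live host, pass open("/proc/net/tcp").read() instead of the sample.
    for hit in find_backdoor_listeners(SAMPLE_PROC_NET_TCP):
        print(f"suspicious listener {hit['ip']}:{hit['port']} "
              f"uid={hit['uid']} inode={hit['inode']}")
```

The inode lets you map a hit back to its owning process via `/proc/<pid>/fd`; a listener on these ports is only a lead, not proof of infection, so confirm against the indicators in Juniper's report.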
A list of all the exploits abused in the attacks and further technical details are available in Juniper’s report.
In October, security researchers discovered another previously unknown malware called Ttint, categorized as an IoT-specific Trojan. The attackers were using two zero-day vulnerabilities to compromise targeted devices, CVE-2018-14558 and CVE-2020-10987. From the captured samples, it appears that the malware was based on Mirai code.