
How the Gitpaste-12 Botnet Returns to Target Linux Servers

by CISOCONNECT Bureau

A recently discovered botnet called Gitpaste-12 has returned to target web applications, IP cameras, and routers.

A recently discovered botnet called Gitpaste-12 has returned with a new assault targeting web applications, IP cameras, and routers. Gitpaste-12 was first discovered by Juniper Threat Labs in October. The malware derives its name from GitHub and Pastebin, which it uses for propagation, and from the 12 exploits for previously known vulnerabilities that the first sample carried. This time, the worm and botnet has returned with over 30 vulnerability exploits.

The flaws are in Apache Struts, ASUS routers, the Webadmin plugin for OpenDreambox, and Tenda routers. The Gitpaste-12 botnet also carries commands that let it run a cryptominer for the Monero cryptocurrency. Moreover, its worming capability lets the botnet replicate and spread across systems without operator involvement.

Latest Updates
Soon after its discovery, the Juniper researchers detected a new round of attacks from the botnet in the first half of November. These attacks targeted web applications, IP cameras, routers, and more. They were carried out by a new version of Gitpaste-12 that includes exploits for at least 31 vulnerabilities, seven of which were already present in the previous version.

The new sample, called X10-unix, is a UPX-packed binary written in Go and compiled for x86_64 Linux systems. Among its other capabilities, the malware also attempts to compromise open Android Debug Bridge (ADB) connections and backdoors left behind by other malware.

Chosen Targets
Researchers at Juniper Threat Labs observed the second iteration of Gitpaste-12 on November 10th, 2020, hosted in a different GitHub repository. Expanding on its predecessor, this new version of Gitpaste-12 comes equipped with over 30 vulnerability exploits covering Linux systems, IoT devices, and open-source components.

“The worm conducts a wide-ranging series of attacks targeting web applications, IP cameras, routers and more, comprising at least 31 known vulnerabilities — seven of which were also seen in the previous Gitpaste-12 sample — as well as attempts to compromise open Android Debug Bridge connections and existing malware backdoors,” Juniper researcher Asher Langton noted in a Monday analysis.

Initially, the researchers observed the new GitHub repository containing just three files. “The wave of attacks used payloads from yet another GitHub repository, which contained a Linux cryptominer (‘ls’), a list of passwords for brute-force attempts (‘pass’) and a statically linked Python 3.9 interpreter of unknown provenance,” Langton explains.

Later, while Juniper’s research was still under way, the Gitpaste-12 authors added two more files to the repository: a configuration file (“config.json”) for a Monero cryptominer, and a UPX-packed Linux privilege escalation exploit. The Monero address contained in config.json is the same one observed in the Gitpaste-12 iteration that appeared in October, which ties the two waves to the same operators.
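The reused Monero address is the kind of indicator a responder can pivot on: collect every miner config.json found on compromised hosts, pull out the payout wallet, and group samples by wallet. The example below is added here and is not Juniper’s or the botnet’s code; it assumes the XMRig-style layout `{"pools": [{"url": ..., "user": <wallet>}]}` (an assumption, since the article does not name the miner), and the sample configs and wallet strings are constructed placeholders, not the real Gitpaste-12 address.

```python
import json
import re
from collections import defaultdict

# Monero base58 alphabet omits 0, O, I and l. Mainnet standard and
# sub-addresses are 95 characters starting with '4' or '8'; integrated
# addresses are 106 characters. This is a format heuristic, not a checksum.
_MONERO_ADDR = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}(?:[1-9A-HJ-NP-Za-km-z]{11})?$")


def looks_like_monero_address(value):
    """True if value has the shape of a Monero mainnet address."""
    return bool(_MONERO_ADDR.match(value))


def wallets_from_config(text):
    """Return payout wallets found in one XMRig-style config.json (assumed layout).

    Corrupt or unexpected files yield an empty list instead of raising, so a
    scan over hundreds of harvested configs does not stop on one bad sample.
    """
    try:
        cfg = json.loads(text)
    except ValueError:
        return []
    if not isinstance(cfg, dict):
        return []
    found = []
    for pool in cfg.get("pools", []):
        if not isinstance(pool, dict):
            continue
        # Miners often append a worker name after the address ("<addr>.worker").
        addr = str(pool.get("user", "")).split(".")[0]
        if looks_like_monero_address(addr):
            found.append(addr)
    return found


def cluster_by_wallet(samples):
    """Map wallet address -> sorted names of the samples that pay out to it."""
    clusters = defaultdict(set)
    for name, text in samples.items():
        for addr in wallets_from_config(text):
            clusters[addr].add(name)
    return {addr: sorted(names) for addr, names in clusters.items()}


# Constructed placeholders: syntactically valid shapes, not real wallets.
WALLET_A = "4" + "A" * 94
WALLET_B = "8" + "B" * 94

# Constructed sample configs standing in for files recovered from two waves
# of one campaign, an unrelated miner, and a corrupt file.
SAMPLES = {
    "wave-oct": json.dumps({"pools": [{"url": "pool.example:3333", "user": WALLET_A, "pass": "x"}]}),
    "wave-nov": json.dumps({"pools": [{"url": "other.example:4444", "user": WALLET_A + ".worker1"}]}),
    "unrelated": json.dumps({"pools": [{"url": "pool.example:3333", "user": WALLET_B}]}),
    "corrupt": "{not json",
}

if __name__ == "__main__":
    for wallet, names in cluster_by_wallet(SAMPLES).items():
        print(wallet[:8] + "...", names)
```

Running it groups `wave-oct` and `wave-nov` under the same wallet while the unrelated miner and the corrupt file stay apart, which is the same inference Juniper drew from the shared address in config.json. A match on wallet is strong evidence of common operators but not proof of a common codebase, so treat it as a pivot for further analysis rather than a final attribution.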

Bottom Line
No malware is good, but botnets with worm capabilities are particularly dangerous because they spread without any operator interaction. That can mean lateral movement inside an organization, onward infection of other networks across the internet, and reputational damage for the organizations whose systems are used to spread it.
