Gitpaste-12 worm botnet returns with 30+ vulnerability exploits

/in


gitpaste-12

Recently discovered Gitpaste-12 worm that spreads via GitHub and also hosts malicious payload on Pastebin, has returned with even more exploits.

The first iteration of Gitpaste-12 shipped with reverse shell and crypto-mining capabilities and exploited over 12 known vulnerabilities, therefore the moniker.

This time, the advanced worm and botnet has returned with over 30 vulnerability exploits.

Targets Linux, Android tools, and IoT devices

Researchers at Juniper Threat Labs observed the second iteration of Gitpaste-12 on November 10th 2020, present on a different GitHub repository.

Expanding on its predecessor, this new version of Gitpaste-12 comes equipped with over 30 vulnerability exploits, concerning Linux systems, IoT devices, and open-source components.

Initially, the researchers observed the new GitHub repository containing just 3 files.

“The wave of attacks used payloads from yet another GitHub repository, which contained a Linux cryptominer (‘ls’), a list of passwords for brute-force attempts (‘pass’) and a statically linked Python 3.9 interpreter of unknown provenance,” explains Asher Langton, a researcher at Juniper Threat Labs.

Now-removed GitHub repository sptv001 hosting gitpaste-12 second version
Now-removed GitHub repository that had been hosting Gitpaste-12 second iteration
Source: Juniper

Later, however, two more files were added to the repository by Gitpaste-12 authors at the time of Juniper’s research.

These included, a configuration file (“config.json”) for a Monero cryptominer, and a UPX-packed Linux privilege escalation exploit.

The Monero address contained within the config.json file is the same as that observed in the Gitpaste-12 iteration that came out this October:

41qALJpqLhUNCHZTMSMQyf4LQotae9MZnb4u53JzqvHEWyc2i8PEFUCZ4TGL9AGU34ihPU8QGbRzc4FB2nHMsVeMHaYkxus

In an illustration shown below, the initial infection begins with Gitpaste-12 sample downloading the payload from GitHub, and dropping a cryptominer, along with a backdoor on the infected host.

The worm further spreads itself to attack web apps, Android Debug Bridge connections, and IoT devices, including IP cameras and routers.

gitpaste-12 second version workflow
Gitpaste-12 second version workflow

Carries 31 vulnerability exploits: 24 unique ones

The newer version of Gitpaste-12 has…

Source…