Recently discovered Gitpaste-12 worm that spreads via GitHub and also hosts malicious payload on Pastebin, has returned with even more exploits.
The first iteration of Gitpaste-12 shipped with reverse shell and crypto-mining capabilities and exploited over 12 known vulnerabilities, therefore the moniker.
This time, the advanced worm and botnet has returned with over 30 vulnerability exploits.
Targets Linux, Android tools, and IoT devices
Researchers at Juniper Threat Labs observed the second iteration of Gitpaste-12 on November 10th 2020, present on a different GitHub repository.
Expanding on its predecessor, this new version of Gitpaste-12 comes equipped with over 30 vulnerability exploits, concerning Linux systems, IoT devices, and open-source components.
Initially, the researchers observed the new GitHub repository containing just 3 files.
“The wave of attacks used payloads from yet another GitHub repository, which contained a Linux cryptominer (‘ls’), a list of passwords for brute-force attempts (‘pass’) and a statically linked Python 3.9 interpreter of unknown provenance,” explains Asher Langton, a researcher at Juniper Threat Labs.
Later, however, two more files were added to the repository by Gitpaste-12 authors at the time of Juniper’s research.
These included, a configuration file (“config.json”) for a Monero cryptominer, and a UPX-packed Linux privilege escalation exploit.
The Monero address contained within the config.json file is the same as that observed in the Gitpaste-12 iteration that came out this October:
In an illustration shown below, the initial infection begins with Gitpaste-12 sample downloading the payload from GitHub, and dropping a cryptominer, along with a backdoor on the infected host.
The worm further spreads itself to attack web apps, Android Debug Bridge connections, and IoT devices, including IP cameras and routers.
Carries 31 vulnerability exploits: 24 unique ones
The newer version of Gitpaste-12 has…