Tag Archive for: Gitpaste12

Gitpaste-12 worm botnet returns with 30+ vulnerability exploits

/in


gitpaste-12

Recently discovered Gitpaste-12 worm that spreads via GitHub and also hosts malicious payload on Pastebin, has returned with even more exploits.

The first iteration of Gitpaste-12 shipped with reverse shell and crypto-mining capabilities and exploited over 12 known vulnerabilities, therefore the moniker.

This time, the advanced worm and botnet has returned with over 30 vulnerability exploits.

Targets Linux, Android tools, and IoT devices

Researchers at Juniper Threat Labs observed the second iteration of Gitpaste-12 on November 10th 2020, present on a different GitHub repository.

Expanding on its predecessor, this new version of Gitpaste-12 comes equipped with over 30 vulnerability exploits, concerning Linux systems, IoT devices, and open-source components.

Initially, the researchers observed the new GitHub repository containing just 3 files.

“The wave of attacks used payloads from yet another GitHub repository, which contained a Linux cryptominer (‘ls’), a list of passwords for brute-force attempts (‘pass’) and a statically linked Python 3.9 interpreter of unknown provenance,” explains Asher Langton, a researcher at Juniper Threat Labs.

Now-removed GitHub repository sptv001 hosting gitpaste-12 second version
Now-removed GitHub repository that had been hosting Gitpaste-12 second iteration
Source: Juniper

Later, however, two more files were added to the repository by Gitpaste-12 authors at the time of Juniper’s research.

These included, a configuration file (“config.json”) for a Monero cryptominer, and a UPX-packed Linux privilege escalation exploit.

The Monero address contained within the config.json file is the same as that observed in the Gitpaste-12 iteration that came out this October:

41qALJpqLhUNCHZTMSMQyf4LQotae9MZnb4u53JzqvHEWyc2i8PEFUCZ4TGL9AGU34ihPU8QGbRzc4FB2nHMsVeMHaYkxus

In an illustration shown below, the initial infection begins with Gitpaste-12 sample downloading the payload from GitHub, and dropping a cryptominer, along with a backdoor on the infected host.

The worm further spreads itself to attack web apps, Android Debug Bridge connections, and IoT devices, including IP cameras and routers.

gitpaste-12 second version workflow
Gitpaste-12 second version workflow

Carries 31 vulnerability exploits: 24 unique ones

The newer version of Gitpaste-12 has…

Source…

Wormable Gitpaste-12 Botnet Returns to Target Linux Servers, IoT Devices

/in


linux botnet malware

A new wormable botnet that spreads via GitHub and Pastebin to install cryptocurrency miners and backdoors on target systems has returned with expanded capabilities to compromise web applications, IP cameras, and routers.

Early last month, researchers from Juniper Threat Labs documented a crypto-mining campaign called “Gitpaste-12,” which used GitHub to host malicious code containing as many as 12 known attack modules that are executed via commands downloaded from a Pastebin URL.

The attacks occurred during a 12-day period starting from October 15, 2020, before both the Pastebin URL and repository were shut down on October 30, 2020.

Now according to Juniper, the second wave of attacks began on November 10 using payloads from a different GitHub repository, which, among others, contains a Linux crypto-miner (“ls”), a file with a list of passwords for brute-force attempts (“pass”), and a local privilege escalation exploit for x86_64 Linux systems.

The initial infection happens via X10-unix, a binary written in Go programming language, that proceeds to download the next-stage payloads from GitHub.

“The worm conducts a wide-ranging series of attacks targeting web applications, IP cameras, routers and more, comprising at least 31 known vulnerabilities — seven of which were also seen in the previous Gitpaste-12 sample — as well as attempts to compromise open Android Debug Bridge connections and existing malware backdoors,” Juniper researcher Asher Langton noted in a Monday analysis.

Included in the list of 31 vulnerabilities are remote code flaws in F5 BIG-IP Traffic Management User Interface (CVE-2020-5902), Pi-hole Web (CVE-2020-8816), Tenda AC15 AC1900 (CVE-2020-10987), and vBulletin (CVE-2020-17496), and an SQL injection bug in FUEL CMS (CVE-2020-17463), all of which came to light this year.

It’s worth noting that Ttint, a new variant of the Mirai botnet, was observed in October using two Tenda router zero-day vulnerabilities, including CVE-2020-10987, to spread a Remote Access Trojan (RAT) capable of carrying out denial-of-service attacks, execute malicious commands, and implement a reverse shell for remote access.

Aside from installing X10-unix and the Monero crypto mining…

Source…

Gitpaste-12: A dozen exploits that silently lived on GitHub, attacked Linux servers

/in


Just months after Octopus Scanner was caught infecting 26 open-source projects on GitHub, new reports have already surfaced of another, new sophisticated malware infection. Gitpaste-12, a worming botnet, is extremely versatile in its advanced capabilities and the fact it leverages trustworthy sites like GitHub and Pastebin to host itself.

The name Gitpaste-12 stems from the 12 known vulnerability exploits within the worm, much like a “swiss-army knife.” Two of these exploits target 2 popular open source components, Apache Struts and mongoDB.

Remained undetected on GitHub for over 3 months

By hosting its malicious payload on sites like GitHub and Pastebin, the Command and Control (C2) infrastructure now becomes incredibly hard to block using simple IOC-blocks at enterprises, because there are legitimate use-cases of these websites.

In fact, Gitpaste-12 has been silently sitting on GitHub since July 2020.

Gitpaste1

It wasn’t until Juniper Threat Labs spotted the botnet on October 15th, and had GitHub shut it down roughly two weeks later.

“The malware begins by preparing the environment. This means stripping the system of its defenses, including firewall rules, selinux, apparmor, as well as common attack prevention and monitoring software,” said Juniper Threat Labs researchers Alex Burt and Trevor Pott.

Gitpaste2

The worm provides attackers reverse shells. The researchers observed some infected systems using TCP ports 30004 and 30005 open to listen for shell commands.

Furthermore, Gitpaste-12 is loaded with a Monero cryptocurrency miner with additional code to hide it from process monitors, a Telnet-based script to breach Linux servers, and IoT devices via brute force, a cronjob that paves way for the worm to gain persistence, and so on.

“The Gitpaste-12 malware also contains a script that launches attacks against other machines, in an attempt to replicate and spread. It chooses a random /8 CIDR for attack and will try (Read more…)

Source…