Gitpaste-12 worm botnet returns with 30+ vulnerability exploits

Recently discovered Gitpaste-12 worm that spreads via GitHub and also hosts malicious payload on Pastebin, has returned with even more exploits.

The first iteration of Gitpaste-12 shipped with reverse shell and crypto-mining capabilities and exploited over 12 known vulnerabilities, therefore the moniker.

This time, the advanced worm and botnet has returned with over 30 vulnerability exploits.

Targets Linux, Android tools, and IoT devices

Researchers at Juniper Threat Labs observed the second iteration of Gitpaste-12 on November 10th 2020, present on a different GitHub repository.

Expanding on its predecessor, this new version of Gitpaste-12 comes equipped with over 30 vulnerability exploits, concerning Linux systems, IoT devices, and open-source components.

Initially, the researchers observed the new GitHub repository containing just 3 files.

“The wave of attacks used payloads from yet another GitHub repository, which contained a Linux cryptominer (‘ls’), a list of passwords for brute-force attempts (‘pass’) and a statically linked Python 3.9 interpreter of unknown provenance,” explains Asher Langton, a researcher at Juniper Threat Labs.

Now-removed GitHub repository sptv001 hosting gitpaste-12 second version
Now-removed GitHub repository that had been hosting Gitpaste-12 second iteration
Source: Juniper

Later, however, two more files were added to the repository by Gitpaste-12 authors at the time of Juniper’s research.

These included, a configuration file (“config.json”) for a Monero cryptominer, and a UPX-packed Linux privilege escalation exploit.

The Monero address contained within the config.json file is the same as that observed in the Gitpaste-12 iteration that came out this October:

41qALJpqLhUNCHZTMSMQyf4LQotae9MZnb4u53JzqvHEWyc2i8PEFUCZ4TGL9AGU34ihPU8QGbRzc4FB2nHMsVeMHaYkxus

In an illustration shown below, the initial infection begins with Gitpaste-12 sample downloading the payload from GitHub, and dropping a cryptominer, along with a backdoor on the infected host.

The worm further spreads itself to attack web apps, Android Debug Bridge connections, and IoT devices, including IP cameras and routers.

gitpaste-12 second version workflow
Gitpaste-12 second version workflow

Carries 31 vulnerability exploits: 24 unique ones

The newer version of Gitpaste-12 has exploits for “at least 31 known vulnerabilities — seven of which were also seen in the previous Gitpaste-12 sample — as well as attempts to compromise open Android Debug Bridge connections and existing malware backdoors,” explains Langton.

The list of exploits, provided by the researchers includes:

Some of these vulnerability exploits concern popular open-source applications, such as JBoss Seam 2CutePHP, mongo-express, Pi-hole, and FuelCMS.

Whereas, well-known proprietary web applications like vBulletin are targeted by the worm. 

In addition to exploiting these vulnerabilities, the X10-unix worm bundled within Gitpaste-12 attacks the Android Debug Bridge (adb) application running on port 5555, to upload a malicious native binary (“blu”) and APK to Android devices.

The sophisticated APK, on installation, posts the IP address of the device to Pastebin, and further downloads malicious payload.

This iteration of Gitpaste-12, according to the researchers, has compromised at least 100 distinct hosts.

“While it’s difficult to ascertain the breadth or effectiveness of this malware campaign, in part because Monero — unlike Bitcoin — does not have publicly traceable transactions, [Juniper Threat Labs] can confirm over a hundred distinct hosts have been observed propagating the infection,” stated the researchers.

This evolved version of Gitpaste-12 surfaced not too long after the initial October release.

We are yet to find out if there would be even more advanced versions of this attack coming up in the near future.

The complete research findings and a list of Gitpaste-12 Indicators of Compromise (IOCs) can be found in Juniper Threat Labs’ blog post.