Gitpaste-12: A dozen exploits that silently lived on GitHub, attacked Linux servers

Just months after Octopus Scanner was caught infecting 26 open-source projects on GitHub, new reports have already surfaced of another, new sophisticated malware infection. Gitpaste-12, a worming botnet, is extremely versatile in its advanced capabilities and the fact it leverages trustworthy sites like GitHub and Pastebin to host itself.

The name Gitpaste-12 stems from the 12 known vulnerability exploits within the worm, much like a “swiss-army knife.” Two of these exploits target 2 popular open source components, Apache Struts and mongoDB.

Remained undetected on GitHub for over 3 months

By hosting its malicious payload on sites like GitHub and Pastebin, the Command and Control (C2) infrastructure now becomes incredibly hard to block using simple IOC-blocks at enterprises, because there are legitimate use-cases of these websites.

In fact, Gitpaste-12 has been silently sitting on GitHub since July 2020.

It wasn’t until Juniper Threat Labs spotted the botnet on October 15th, and had GitHub shut it down roughly two weeks later.

“The malware begins by preparing the environment. This means stripping the system of its defenses, including firewall rules, selinux, apparmor, as well as common attack prevention and monitoring software,” said Juniper Threat Labs researchers Alex Burt and Trevor Pott.

Gitpaste2

The worm provides attackers reverse shells. The researchers observed some infected systems using TCP ports 30004 and 30005 open to listen for shell commands.

Furthermore, Gitpaste-12 is loaded with a Monero cryptocurrency miner with additional code to hide it from process monitors, a Telnet-based script to breach Linux servers, and IoT devices via brute force, a cronjob that paves way for the worm to gain persistence, and so on.

“The Gitpaste-12 malware also contains a script that launches attacks against other machines, in an attempt to replicate and spread. It chooses a random /8 CIDR for attack and will try (Read more…)