Last month, researchers from Juniper Threat Labs described a new worm and botnet, dubbed Gitpaste-12 because it uses GitHub and Pastebin to host component code. The initial version of the worm used exploits for nearly a dozen known flaws to compromise victims; a new version of the malware expands that list to more than 30 exploits.
The initial wave of Gitpaste-12 attacks was last seen on October 27, but on November 10 the Juniper Threat Labs team detected a second round of attacks in which Gitpaste-12 fetched payloads from a different GitHub repository. Among other files, that repository contains a Linux crypto-miner ("ls") and a list of passwords used for brute-force attempts ("pass").
The infection begins with a UPX-packed binary called X10-unix, written in the Go programming language and compiled for x86_64 Linux systems.
“The ‘b64’ suffix indicates a file that has been base-64 encoded into an ASCII text file for use as an exploit payload. We can see that X10-unix is cross-platform, with versions for MIPS and ARM Linux machines, as well as Windows,” the report said. “The worm then commences a wide-ranging series of attacks comprising at least 31 known vulnerabilities — seven of which were also seen in the previous Gitpaste-12 sample — as well as attempts to compromise open Android Debug Bridge connections and existing malware backdoors.”
The exploit list includes remote code execution flaws in F5 BIG-IP products (CVE-2020-5902), the Tenda AC15 AC1900 router (CVE-2020-10987), vBulletin (CVE-2020-17496), the Huawei HG532 router (CVE-2017-17215) and the Realtek SDK (CVE-2014-8361), among others.
In addition to installing X10-unix and the Monero crypto-mining software on the machine, the malware opens a backdoor listening on ports 30004 and 30006, uploads the victim's external IP address to a private Pastebin paste, and attempts to connect to exposed Android Debug Bridge (ADB) services on port 5555.
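As an added example (not code from the report or from Juniper Threat Labs), the following Python script turns the indicators named above into a host triage check: listeners on ports 30004 and 30006, an exposed ADB service on port 5555, egress to the paste and code-hosting services the worm relies on, and the "UPX!" marker that UPX leaves in a packed binary. The `ss`-style socket listing, the egress log lines and the binary bytes are constructed samples; the egress log format and the specific hosting domain names are assumptions, since the report names the services but not the URLs involved.

```python
"""Host triage for the Gitpaste-12 indicators described in the report (added example)."""
import json
import re

# Indicators taken from the report: backdoor listeners and the ADB port it probes.
BACKDOOR_PORTS = {30004, 30006}
ADB_PORT = 5555
# ASSUMPTION: the report names GitHub and Pastebin as hosting services but gives no URLs;
# these domains are an illustrative choice, not indicators from the report.
HOSTING_DOMAINS = ("pastebin.com", "raw.githubusercontent.com")
# UPX writes this marker into packed files; it survives unless the header is patched.
UPX_MAGIC = b"UPX!"

# Constructed sample in the shape of `ss -tlpn` output (not data from a real host).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    0.0.0.0:30004      0.0.0.0:*         users:(("X10-unix",pid=4123,fd=7))
LISTEN 0      128    0.0.0.0:30006      0.0.0.0:*         users:(("X10-unix",pid=4123,fd=8))
LISTEN 0      4096   [::]:5555          [::]:*            users:(("adbd",pid=900,fd=5))
"""

# Constructed egress log, one line per connection: "<timestamp> <process> <dst_host> <bytes>".
# ASSUMPTION: this column layout is invented for the example.
SAMPLE_EGRESS = """\
2020-11-10T03:14:07Z X10-unix pastebin.com 412
2020-11-10T03:14:09Z curl raw.githubusercontent.com 9821
2020-11-10T03:15:00Z firefox example.org 55012
"""

# Constructed bytes standing in for a UPX-packed ELF (ELF magic, padding, UPX marker).
SAMPLE_BINARY = b"\x7fELF" + b"\x00" * 60 + UPX_MAGIC + b"\x00" * 32

PROC_RE = re.compile(r'\("([^"]+)"')  # pulls the process name out of users:(("name",pid=...))


def parse_listeners(ss_output):
    """Yield (port, process_name) for every LISTEN line in ss-style output."""
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue  # header line or non-listening socket
        try:
            port = int(parts[3].rsplit(":", 1)[1])  # works for 0.0.0.0:22 and [::]:5555
        except (IndexError, ValueError):
            continue
        match = PROC_RE.search(line)
        yield port, (match.group(1) if match else "?")


def find_suspicious_listeners(ss_output):
    """Return listeners on the report's backdoor ports or on the ADB port."""
    hits = []
    for port, proc in parse_listeners(ss_output):
        if port in BACKDOOR_PORTS:
            hits.append({"port": port, "process": proc, "reason": "Gitpaste-12 backdoor port"})
        elif port == ADB_PORT:
            hits.append({"port": port, "process": proc, "reason": "Android Debug Bridge exposed"})
    return hits


def find_hosting_egress(log_text):
    """Return egress records whose destination is one of the assumed hosting domains."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        timestamp, proc, host = parts[0], parts[1], parts[2]
        if host.endswith(HOSTING_DOMAINS):  # str.endswith accepts a tuple of suffixes
            hits.append({"time": timestamp, "process": proc, "host": host})
    return hits


def is_upx_packed(data):
    """Heuristic: an ELF or PE image that still carries the UPX marker."""
    return data[:4] in (b"\x7fELF", b"MZ\x90\x00") and UPX_MAGIC in data


def triage(ss_output, egress_log, binary_bytes):
    """Combine the three checks into one report dictionary."""
    return {
        "listeners": find_suspicious_listeners(ss_output),
        "egress": find_hosting_egress(egress_log),
        "upx_packed": is_upx_packed(binary_bytes),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_SS, SAMPLE_EGRESS, SAMPLE_BINARY), indent=2))
```

The port check is the most reliable of the three on a live host, and the process name bound to the socket (here the constructed `X10-unix`) is the detail worth pivoting on. The UPX marker test is only a heuristic: a sample whose UPX header has been patched will pass it silently, so a negative result does not clear a suspect binary. The egress check needs a site-specific allowlist in practice, since legitimate tooling also fetches from GitHub.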
“While it’s difficult to ascertain the breadth or effectiveness of this malware campaign, in part because Monero — unlike Bitcoin — does not have publicly traceable transactions, JTL can confirm over a hundred distinct hosts have been observed propagating the infection,” the research team said.