Gitpaste-12 Worm Widens Set of Exploits in New Attacks

The Gitpaste-12 worm has returned in new attacks targeting web applications, IP cameras and routers, this time with an expanded set of exploits for initially compromising devices.

First discovered in a round of late-October attacks that targeted Linux-based servers and internet-of-things (IoT) devices, the botnet utilizes GitHub and Pastebin for housing malicious component code, has at least 12 different attack modules and includes a cryptominer that targets the Monero cryptocurrency.

Now, researchers have uncovered a new slew of attacks by the malware, starting on Nov. 10, which used a different GitHub repository to target web applications, IP cameras, routers and more. The campaign was shut down on Oct. 27 after the GitHub repository hosting the worm’s payloads was removed.

“The wave of attacks used payloads from yet another GitHub repository, which contained a Linux cryptominer (‘ls’), a list of passwords for brute-force attempts (‘pass’) and a statically linked Python 3.9 interpreter of unknown provenance,” said researchers with Juniper Threat Labs in a Tuesday analysis.

The first phase of the worm’s initial system compromise still leverages previously-disclosed vulnerabilities. However, a new sample discovered in Gitpaste-12’s initial attack repository shows that the worm has expanded the breadth of those attack vectors.

The sample, X10-unix, is a UPX-packed binary written in the Go programming language, compiled for x86_64 Linux systems. Researchers discovered that the binary harbored exploits for at least 31 known vulnerabilities – only seven of which were also seen in the previous Gitpaste-12 sample.

Many of these targeted vulnerabilities are new, with some being disclosed as recently as September. One flaw targeted is a remote command-execution glitch in vBulletin (CVE-2020-17496); while another flaw is in Tenda routers (CVE-2020-10987) allows remote attackers to execute arbitrary commands.

Gitpaste-12 now also attempts to compromise open Android Debug Bridge connections and existing malware backdoors, said researchers. Android Debug Bridge is a command-line tool that lets users communicate with a device.

Once a successful exploit has been executed, the malware installs Monero cryptomining software, installs the appropriate version of the worm and opens a backdoor to listen to ports 30004 and 30006. Port 30004 uses the Transmission Control Protocol (TCP), which is one of the main protocols in TCP/IP networks; while port 30005 is a bidirectional SOAP/HTTP-based protocol, which provides communication between devices like routers or network switches, and auto-configuration servers.

On successful connection, the malware sample runs a script that uploads a base64-encoded native binary (“blu”). Researchers said the Blu binary probes the device’s Bluetooth hardware and installs a base64-encoded Android APK (“weixin.apk”).

The APK then uploads the device’s IP address to Pastebin and then downloads and installs an ARM CPU port of X10-unix.

“While it’s difficult to ascertain the breadth or effectiveness of this malware campaign, in part because Monero — unlike Bitcoin — does not have publicly traceable transactions, JTL can confirm over a hundred distinct hosts have been observed propagating the infection,” said researchers.

Put Ransomware on the Run: Save your spot for “What’s Next for Ransomware,” a FREE Threatpost webinar on Dec. 16 at 2 p.m. ET. Find out what’s coming in the ransomware world and how to fight back. 

Get the latest from John (Austin) Merritt, Cyber Threat Intelligence Analyst at Digital Shadows; Limor Kessem, Executive Security Advisor, IBM Security; and Allie Mellen, a security strategist in the Office of the CSO at Cybereason, on new kinds of attacks. Topics will include the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. Register here for the Wed., Dec. 16 for this LIVE webinar.