Reverse shell botnet Gitpaste-12 spreads via GitHub and Pastebin

[steven36]

A newly discovered worm and botnet named Gitpaste-12 lives on GitHub and also uses Pastebin to host malicious code.

 

 

 

The advanced malware comes equipped with reverse shell and crypto-mining capabilities and exploits over 12 known vulnerabilities, therefore the moniker.

 

 

Spreads via GitHub, attacks in 12 different ways

Gitpaste-12 was first detected by Juniper Threat Labs lurking on GitHub around October 15th.

 

However, commits reveal the malware has lived on GitHub since Jul 9th, 2020 until its shut down after Oct 27th, 2020.

 

The worm attempts to crack passwords via brute-force and exploits known vulnerabilities on the systems it infects.

 

11 of these vulnerabilities are as follows, with the 12th one stemming from a Telnet brute force application used to spread Gitpaste-12:

 

 

After the initial system compromise, Gitpaste-12 downloads a recursive script from a Pastebin URL which instructs the infected host to keep executing this very script every minute.

 

This is a way for the malware to keep updating itself from the Command and Control (C2) source which is merely a paste URL:

 

Gitpaste-12 initial payload on a pastebin URL which has since been removed Source: Juniper

 

Further, the malware downloads the main shell script from GitHub.

 

The URL where the shell script had lived has since been taken down: https://raw.githubusercontent[.]com/cnmnmsl-001/-/master/shadu1

 

"The malware begins by preparing the environment. This means stripping the system of its defenses, including firewall rules, selinux, apparmor, as well as common attack prevention and monitoring software," state Juniper Threat Labs researchers Alex Burt and Trevor Pott.

 

Gitpaste-12 main shell script that begins attacking a host's defenses such as firewalls

 

n fact, some of the commands and hostnames present in the script reveal Gitpaste-12 is designed to attack cloud computing infrastructure provided by Alibaba Cloud and Tencent.

Additionally, the botnet is equipped with a Monero (XMR) cryptocurrency miner. 

 

But there's more: the worm spreads itself by targeting a list of randomly generated IP addresses within a subnet range. 

 

"The Gitpaste-12 malware also contains a script that launches attacks against other machines, in an attempt to replicate and spread. It chooses a random /8 CIDR for attack and will try all addresses within that range," state Juniper's researchers.

Gitpaste-12 has a low detection rate

Considering the recency of its discovery, some files associated with the Gitpaste-12 botnet have quite a low detection rate.

 

At the time of writing, BleepingComputer observed the hide.so payload which aids Gitpaste-12 in evading detection was itself undetectable by over 93% antivirus engines.

 

 

Similarly, the crypto miner configuration file and the shell script has not yet been flagged by any antivirus engine listed on VirusTotal, as observed by BleepingComputer:

 

Some files have a zero detection rate thus far Source: VirusTotal

 

Juniper's report on a sophisticated malware present on GitHub follows shortly after Octopus Scanner had been discovered infiltrating over 26 open-source GitHub projects.

And attacks leveraging the open-source ecosystem are only expected to grow further, given their ongoing development.

 

"There is evidence of test code for possible future modules, indicating ongoing development for this malware. For now, however, targets are Linux based x86 servers, as well as Linux ARM and MIPS based IoT devices," stated the report released by Juniper Threat Labs. 

 

The researchers noted some compromised systems had TCP ports 30004 and 30005 open for receiving commands via reverse shells.

 

Gitpaste-12 Indicators of Compromise (IOCs) as provided below, and Juniper's detailed research can be found in their report. 

 

Miner:	e67f78c479857ed8c562e576dcc9a8471c5f1ab4c00bb557b1b9c2d9284b8af9
hide.so:	ed4868ba445469abfa3cfc6c70e8fdd36a4345c21a3f451c7b65d6041fb8492b
Miner config:	bd5e9fd8215f80ca49c142383ba7dbf7e24aaf895ae25af96bdab89c0bdcc3f1
Shell script:	5d1705f02cde12c27b85a0104cd76a39994733a75fa6e1e5b014565ad63e7bc3

 

This malware has been dubbed Gitpaste-12 because of the usage of GitHub, Pastebin and 12 ways to compromise the system. The first GitPaste-12 first attacks were detected by Juniper Threat Labs on October 15, 2020. We’ve reported both the Pastebin URL and the git repo in question and the git repo was closed on October 30, 2020. This should stop the proliferation of this botnet.

Source