Sophisticated Worming Botnet Remained Hidden on GitHub for Months

• A new malware named “Gitpaste-12” was discovered on GitHub three months after its settlement.
• The botnet can exploit 11 known and patched vulnerabilities and use a telnet brute-forcer to spread.
• The malware was removed from GitHub, but it’s definitely going to return, and possibly even stronger.

A worming botnet called “Gitpaste-12” was found lurking on hosting service GitHub and leveraging Pastebin, somehow managing to pass undetected while at the same time attacking a large number of Linux servers. The name is a portmanteau of the two legit platforms that are abused, while the number “12” stands to denote the number of vulnerabilities exploited by the malware (11 plus the telnet).

For a worm of this kind, 12 exploits are more than enough to move around with versatility.

The discovery of the malware eventually came by researchers of the Juniper Networks, back on October 15, 2020, and by that time, Gitpaste-12 had spent three months there. GitHub needed another two weeks before they eventually responded by uprooting the malware from the reported git repository, momentarily stopping the spread of the botnet.

Targeting Linux servers means dealing with sophisticated security tools like SELinux and AppArmor, but Gitpaste-12 ensures that all of these solutions are disabled and firewall rules are deleted before it makes another step in the compromised system. Then, the attacker uses a reverse shell on TCP ports 30004 and 30005.

The worm comes with a Monero miner that is specifically customized to stay hidden from process monitors. Additionally, the worm sets a cronjob for persistence and can find and break into more IoT devices on the network through credentials brute-forcing.

While the first wave of attacks has now been dealt with, Gitpaste-12 isn’t expected to pass in history just yet. Its sophisticated and capable authors will find another way to distribute the bot, and possibly, will evolve/improve the detection-evading code and bring it back on a new git repository. Moreover, Gitpaste-12 might not stay on Linux servers and IoTs forever, even though its current exploit set focuses on them.

Related: New “Mirai” Variant Is Exploiting Tenda Router Zero-Days

The list of the flaws that are actively exploited by Gitpaste-12 is given below:

• CVE-2017-14135 – Webadmin plugin for opendreambox
• CVE-2020-24217 – HiSilicon based IPTV/H.264/H.265 video encoders
• CVE-2017-5638 – Apache Struts
• CVE-2020-10987 – Tenda router
• CVE-2014-8361 – Miniigd SOAP service in Realtek SDK
• CVE-2020-15893 – UPnP in DLink routers
• CVE-2013-5948 – Asus routers
• EDB-ID: 48225 - Netlink GPON Router
• EDB-ID: 40500 – AVTECH IP Camera
• CVE-2019-10758 – Mongo DB
• CVE-2017-17215 – Huawei routers

The best way to deal with this threat would be to apply IoT firmware and software updates. Botnets are rarely using zero-days for propagation, so applying the available updates quickly is a very effective method of protection against them.