The newly discovered malware uses GitHub and Pastebin to house component code and harbors 12 different initial attack vectors. Researchers have uncovered a new worm targeting Linux-based x86 servers, as well as Linux internet of things (IoT) devices (that are based on ARM and MIPS CPUs). Of note, the malware utilizes GitHub and Pastebin for housing malicious component code, and has at least 12 different attack modules available – leading researchers to call it “Gitpaste-12.” It was first detected by Juniper Threat Labs in attacks on Oct. 15, 2020.

The first phase of the attack is the initial system compromise. The malware’s various attack modules include 11 previously-disclosed vulnerabilities. That includes flaws in Apache Struts (CVE-2017-5638), Asus routers (CVE-2013-5948), Webadmin plugin for opendreambox (CVE-2017-14135), and Tenda routers (CVE-2020-10987).

The malware will attempt to use known exploits for these flaws to compromise systems and may also attempt to brute force passwords, said researchers. After compromising a system, the main shell script is then uploaded to the victim machine and starts to download and execute other components of Gitpaste-12.

The Malware Attack:

This script sets up a cron job it downloads from Pastebin. A cron job is a time-based job scheduler in Unix-like computer operating systems. The cron job calls a script and executes it again each minute; researchers believe that this script is presumably one mechanism by which updates can be pushed to the botnet.

It then downloads a script from GitHub and executes it. The script contains comments in the Chinese language and has multiple commands available to attackers to disable different security capabilities. These include stripping the system’s defenses, including firewall rules, SELinux, AppArmor, as well as common attack prevention and monitoring software. Gitpaste-12 also features commands allowing it to run a crypto miner that targets the Monero cryptocurrency.

It also prevents administrators from collecting information about running processes by intercepting ‘readdir’ system calls and skip directories for processes like tcpdump, Sudo, OpenSSL, etc. in ‘/proc’. “The ‘/proc’ directory in Linux contains information about running processes. It is used, for example, by the ‘ps’ command to show information about running processes. But unfortunately for this threat actor, this implementation does not do what they expect it to do. Finally, the malware also contains a library (hide.so) that is loaded as LD_PRELOAD, which downloads and executes Pastebin files that host further malicious code.

How It Spread:

In terms of its worming capabilities, Gitpaste-12 also contains a script that launches attacks against other machines to spread the malware. The malware chooses a random /8 CIDR for attack and will try all addresses within that range. Classless Inter-Domain Routing (CIDR) is a method for allocating IP addresses and for IP routing – meaning that the attack targets all IP addresses within the random CIDR’s range.

Another version of the script also opens ports 30004 and 30005 for reverse shell commands. Port 30004 uses the Transmission Control Protocol (TCP), which is one of the main protocols in TCP/IP networks; while port 30005 is a bidirectional SOAP/HTTP-based protocol, which provides communication between devices like routers or network switches, and auto-configuration servers.

By hosting its malicious payload on sites like GitHub and Pastebin, the Command and Control infrastructure now becomes incredibly hard to block using simple IOC-blocks at enterprises, because there are legitimate use-cases of these websites. In fact, Gitpaste-12 has been silently sitting on GitHub since July 2020.

Remediation:

• IT admins should have robust security software, a good firewall, and keep all devices updated with the latest vulnerability patches.
• Users should follow security best practices and educate themselves on phishing scams.
• Devices infected with worms will show symptoms of erratic behaviour and slow response times
• Patch every EXIM installation you have in your organization and make sure that it is updated to the most recent version, 4.92 at the time of this writing.
• Look for any unfamiliar cronjobs in your crontab and remove them. Restore legitimate cron jobs from existing backups.
• Delete the authorized key used for SSH backdoor access.
• Don’t install software from a malicious website that promises to crack the password or any such illegal promises.
• All data transmitted over a network is open to monitoring. Encrypt transmitted data whenever possible with a password or using keys/certificates.
• Use either OpenSSH, SFTP, or FTPS (FTP over SSL), which adds SSL or TLS encryption to FTP to secure user names, passwords, FTP / telnet / rsh commands, and transferred files that can be captured by anyone on the same network using a packet sniffer.