All Threat Intelligence posts

Gitpaste-12 Malware Targets Multiple Known Vulnerabilities

December 2, 2020
4
min read
Advisory Malware Intelligence
Malware  Gitpaste-12
Targets x86_Linux Servers/Linux ARM&MIPS (IoT)

[/vc_wp_text][vc_column_text]Gitpaste-12 is a wormable malware which has the ability to form a network of bots for crypto-mining. Gitpaste-12 is also capable of cracking passwords via brute-forcing and using exploits for known vulnerabilities on infected hosts. The malware uses GitHub and Pastebin to host its code and payload. Pastebin is used as a Command and Control (C&C) to control its victims.

 As part of defence evasion, the malware disables firewalls, monitoring solutions, Linux AppArmor etc., to prepare the environment for further compromise. It also targets lower-end systems of ARM and MIPS, especially IoT devices.

Known vulnerabilities targeted by the malware

CVE-2017-14135 Webadmin plugin for opendreambox
CVE-2020-24217 HiSilicon based IPTV/H.264/H.265 video encoder
CVE-2017-5638 Apache Struts
CVE-2020-10987 Tenda router
CVE-2014-8361 Miniigd SOAP service in Realtek SDK
CVE-2020-15893 UPnP in dlink routers
CVE-2013-5948 Asus routers
EDB-ID: 48225 Netlink GPON Router
EDB-ID: 40500 AVTECH IP Camera
CVE-2019-10758 MongoDB
CVE-2017-17215 Huawei router

Note: EBD-ID : Exploit Database ID

 

Malware Components

  • Miner module
  • Hide.so defense evasion module
  • Miner Config
  • Shell Script

 

Impact 

Technical Impact

  • Unauthorized access to filesystem and operating system functionalities.
  • Disables security solutions without users’ consent, thus creating false sense of security.
  • Unauthorized resource consumption for crypto mining.  

 

Business Impact

  • Performance loss of servers and other assets due to excessive crypto-mining. 
  • Violation of confidentiality, integrity, and availability of information systems leading to loss of trust and reputation.
  • Cost of remediation to “clean” the infected systems.

 

Mitigation

  • Deployment of Host based Intrusion Detection and Prevention System (IDPS).
  • Strict firewall filtering.
  • Updated monitoring tools and Endpoint detection and response (EDR) solutions.
  • Effective traffic control and monitoring.
  • Effective resource usage monitoring.

 

Indicators of Compromise (IOCs)

URLs

 

Service Ports

  • 30004/TCP
  • 30005/TCP

 

Hashes (SHA-256)

  • Miner

E67f78c479857ed8c562e576dcc9a8471c5f1ab4c00bb557b1b9c2d9284b8af9

  • Hide.so

Ed4868ba445469abfa3cfc6c70e8fdd36a4345c21a3f451c7b65d6041fb8492b

  • Miner Config

Bd5e9fd8215f80ca49c142383ba7dbf7e24aaf895ae25af96bdab89c0bdcc3f1

  • Shell script

5d1705f02cde12c27b85a0104cd76a39994733a75fa6e1e5b014565ad63e7bc3

Tags:
No items found.