Gitpaste-12 Malware Targets Multiple Known Vulnerabilities

Gitpaste-12 is a wormable malware which has the ability to form a network of bots for crypto-mining which is now targeting Multiple Known Vulnerabilities.

Updated on

April 19, 2023

Published on

December 1, 2020

Read MINUTES

Subscribe to the latest industry news, threats and resources.

Table of Contents

This is also a heading
This is a heading

Advisory	Malware Intelligence
Malware	Gitpaste-12
Targets	x86_Linux Servers/Linux ARM&MIPS (IoT)

[/vc_wp_text][vc_column_text]Gitpaste-12 is a wormable malware which has the ability to form a network of bots for crypto-mining. Gitpaste-12 is also capable of cracking passwords via brute-forcing and using exploits for known vulnerabilities on infected hosts. The malware uses GitHub and Pastebin to host its code and payload. Pastebin is used as a Command and Control (C&C) to control its victims. As part of defence evasion, the malware disables firewalls, monitoring solutions, Linux AppArmor etc., to prepare the environment for further compromise. It also targets lower-end systems of ARM and MIPS, especially IoT devices.

Known vulnerabilities targeted by the malware

CVE-2017-14135	Webadmin plugin for opendreambox
CVE-2020-24217	HiSilicon based IPTV/H.264/H.265 video encoder
CVE-2017-5638	Apache Struts
CVE-2020-10987	Tenda router
CVE-2014-8361	Miniigd SOAP service in Realtek SDK
CVE-2020-15893	UPnP in dlink routers
CVE-2013-5948	Asus routers
EDB-ID: 48225	Netlink GPON Router
EDB-ID: 40500	AVTECH IP Camera
CVE-2019-10758	MongoDB
CVE-2017-17215	Huawei router

Note: EBD-ID : Exploit Database ID

Malware Components

Miner module
Hide.so defense evasion module
Miner Config
Shell Script

Impact

Technical Impact

Unauthorized access to filesystem and operating system functionalities.
Disables security solutions without users’ consent, thus creating false sense of security.
Unauthorized resource consumption for crypto mining.

Business Impact

Performance loss of servers and other assets due to excessive crypto-mining.
Violation of confidentiality, integrity, and availability of information systems leading to loss of trust and reputation.
Cost of remediation to “clean” the infected systems.

Mitigation

Deployment of Host based Intrusion Detection and Prevention System (IDPS).
Strict firewall filtering.
Updated monitoring tools and Endpoint detection and response (EDR) solutions.
Effective traffic control and monitoring.
Effective resource usage monitoring.

Indicators of Compromise (IOCs)

URLs

Service Ports

30004/TCP
30005/TCP

Hashes (SHA-256)

Miner

E67f78c479857ed8c562e576dcc9a8471c5f1ab4c00bb557b1b9c2d9284b8af9

Hide.so

Ed4868ba445469abfa3cfc6c70e8fdd36a4345c21a3f451c7b65d6041fb8492b

Miner Config

Bd5e9fd8215f80ca49c142383ba7dbf7e24aaf895ae25af96bdab89c0bdcc3f1

Shell script

5d1705f02cde12c27b85a0104cd76a39994733a75fa6e1e5b014565ad63e7bc3

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

Table of Contents

This is also a heading
This is a heading

Recent Articles

Critical CSRF Vulnerability in IBM CICS TX - CVE-2023-42027 Demands Immediate Action

November 15, 2023

CVE-2023-43792 baserCMS is a website development framework vulnerable to Code Injection attacks

November 6, 2023

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.

Schedule a Demo

Real time Threat Intelligence Data

More information and context about Underground Chatter

On-Demand Research Services

Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.

Trusted by 400+ Top organisations

Get started

Learn more