Advisory | Malware Intelligence
Malware | Gitpaste-12
Targets | x86 Linux servers / Linux ARM & MIPS (IoT)
Gitpaste-12 is wormable malware that can form a botnet for crypto-mining. It is also capable of cracking passwords by brute force and of exploiting known vulnerabilities on infected hosts. The malware uses GitHub and Pastebin to host its code and payload; Pastebin also serves as its Command and Control (C&C) channel for controlling victims.
As part of defence evasion, the malware disables firewalls, monitoring solutions, Linux AppArmor and similar controls to prepare the environment for further compromise. It also targets lower-end ARM and MIPS systems, especially IoT devices.
Known vulnerabilities targeted by the malware
Identifier | Affected product
CVE-2017-14135 | Webadmin plugin for OpenDreambox
CVE-2020-24217 | HiSilicon-based IPTV/H.264/H.265 video encoder
CVE-2017-5638 | Apache Struts
CVE-2020-10987 | Tenda router
CVE-2014-8361 | miniigd SOAP service in Realtek SDK
CVE-2020-15893 | UPnP in D-Link routers
CVE-2013-5948 | ASUS routers
EDB-ID: 48225 | Netlink GPON router
EDB-ID: 40500 | AVTECH IP camera
CVE-2019-10758 | MongoDB
CVE-2017-17215 | Huawei router
Note: EDB-ID = Exploit Database ID
Malware Components
- Miner module
- Hide.so defense evasion module
- Miner Config
- Shell Script
Impact
Technical Impact
- Unauthorized access to the filesystem and operating system functions.
- Disables security solutions without the user's consent, creating a false sense of security.
- Unauthorized resource consumption for crypto-mining.
Business Impact
- Performance loss of servers and other assets due to excessive crypto-mining.
- Violation of confidentiality, integrity, and availability of information systems leading to loss of trust and reputation.
- Cost of remediation to “clean” the infected systems.
Mitigation
- Deployment of a host-based Intrusion Detection and Prevention System (IDPS).
- Strict firewall filtering.
- Updated monitoring tools and Endpoint Detection and Response (EDR) solutions.
- Effective traffic control and monitoring.
- Effective resource-usage monitoring (sustained unexplained CPU load is the visible symptom of the miner).
Indicators of Compromise (IOCs)
URLs
Service Ports
Hashes (SHA-256)
- e67f78c479857ed8c562e576dcc9a8471c5f1ab4c00bb557b1b9c2d9284b8af9
- ed4868ba445469abfa3cfc6c70e8fdd36a4345c21a3f451c7b65d6041fb8492b
- bd5e9fd8215f80ca49c142383ba7dbf7e24aaf895ae25af96bdab89c0bdcc3f1
- 5d1705f02cde12c27b85a0104cd76a39994733a75fa6e1e5b014565ad63e7bc3
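As an added example (not part of the original advisory), the script below shows how a defender can sweep a Linux host for the SHA-256 indicators listed above and check whether AppArmor, which the malware disables, is still enabled. The hash set is copied from this advisory; the scan roots and the AppArmor sysfs path are assumptions about the host being checked.

```python
"""Sweep a Linux host for the Gitpaste-12 SHA-256 indicators from this advisory."""
import hashlib
import os
from typing import Dict, Iterable, List, Optional, Tuple

# SHA-256 indicators copied from the advisory above (lower-cased for comparison).
GITPASTE12_HASHES = {
    "e67f78c479857ed8c562e576dcc9a8471c5f1ab4c00bb557b1b9c2d9284b8af9",
    "ed4868ba445469abfa3cfc6c70e8fdd36a4345c21a3f451c7b65d6041fb8492b",
    "bd5e9fd8215f80ca49c142383ba7dbf7e24aaf895ae25af96bdab89c0bdcc3f1",
    "5d1705f02cde12c27b85a0104cd76a39994733a75fa6e1e5b014565ad63e7bc3",
}

def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def hash_tree(root: str) -> Dict[str, str]:
    """Map each regular file under root to its SHA-256; symlinks and unreadable files are skipped."""
    hashes: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                hashes[path] = sha256_file(path)
            except OSError:
                continue
    return hashes

def match_iocs(file_hashes: Dict[str, str], iocs: Iterable[str]) -> List[Tuple[str, str]]:
    """Return sorted (path, sha256) pairs whose digest is in the IoC set (case-insensitive)."""
    wanted = {h.lower() for h in iocs}
    return sorted((p, h) for p, h in file_hashes.items() if h.lower() in wanted)

def apparmor_enabled(flag_path: str = "/sys/module/apparmor/parameters/enabled") -> Optional[bool]:
    """True/False from the kernel's AppArmor flag; None when the module is absent (assumed path)."""
    try:
        with open(flag_path) as fh:
            return fh.read().strip().upper() == "Y"
    except OSError:
        return None

if __name__ == "__main__":
    for root in ("/tmp", "/var/tmp", "/dev/shm"):  # assumed scan roots; widen as needed
        for path, digest in match_iocs(hash_tree(root), GITPASTE12_HASHES):
            print(f"IoC match: {path} {digest}")
    print("AppArmor enabled:", apparmor_enabled())
```

A host that normally enforces AppArmor reporting False, or any IoC match, warrants a full incident response rather than just deleting the matched file.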