Gitpaste-12 Malware Targets Multiple Known Vulnerabilities

Published on December 1, 2020 | 10:39 PM IST


Advisory type: Malware Intelligence
Malware: Gitpaste-12
Targets: x86 Linux servers; Linux ARM and MIPS systems (IoT)

Gitpaste-12 is wormable malware that builds a botnet for crypto-mining. It also cracks passwords by brute force and runs exploits for known vulnerabilities from infected hosts. The malware hosts its code and payload on GitHub and Pastebin, and uses Pastebin as its command-and-control (C&C) channel to control its victims.

For defence evasion, the malware disables firewalls, monitoring solutions and Linux AppArmor to prepare the environment for further compromise. It also targets lower-end ARM and MIPS systems, especially IoT devices.

Known vulnerabilities targeted by the malware

  • CVE-2017-14135 – Webadmin plugin for OpenDreambox
  • CVE-2020-24217 – HiSilicon-based IPTV/H.264/H.265 video encoder
  • CVE-2017-5638 – Apache Struts
  • CVE-2020-10987 – Tenda router
  • CVE-2014-8361 – miniigd SOAP service in Realtek SDK
  • CVE-2020-15893 – UPnP in D-Link routers
  • CVE-2013-5948 – ASUS routers
  • EDB-ID 48225 – Netlink GPON router
  • EDB-ID 40500 – AVTECH IP camera
  • CVE-2019-10758 – MongoDB
  • CVE-2017-17215 – Huawei router

Note: EDB-ID = Exploit Database ID

Malware Components

  • Miner module
  • Hide.so defense evasion module
  • Miner Config
  • Shell Script

Impact

Technical Impact

  • Unauthorized access to filesystem and operating system functionalities.
  • Disables security solutions without the user's consent, creating a false sense of security.
  • Unauthorized resource consumption for crypto-mining.

Business Impact

  • Performance loss on servers and other assets due to excessive crypto-mining.
  • Violation of the confidentiality, integrity and availability of information systems, leading to loss of trust and reputation.
  • Cost of remediation to clean the infected systems.

Mitigation

  • Deployment of a host-based intrusion detection and prevention system (IDPS).
  • Strict firewall filtering.
  • Up-to-date monitoring tools and endpoint detection and response (EDR) solutions.
  • Effective traffic control and monitoring.
  • Effective resource usage monitoring.

Indicators of Compromise (IOCs)

URLs


Service Ports

  • 30004/TCP
  • 30005/TCP

Hashes (SHA-256)

  • Miner: E67f78c479857ed8c562e576dcc9a8471c5f1ab4c00bb557b1b9c2d9284b8af9
  • Hide.so: Ed4868ba445469abfa3cfc6c70e8fdd36a4345c21a3f451c7b65d6041fb8492b
  • Miner Config: Bd5e9fd8215f80ca49c142383ba7dbf7e24aaf895ae25af96bdab89c0bdcc3f1
  • Shell script: 5d1705f02cde12c27b85a0104cd76a39994733a75fa6e1e5b014565ad63e7bc3
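As an added example (not part of the advisory), the following Python sweep ties the hashes and service ports above to the resource- and traffic-monitoring mitigations: it matches file digests case-insensitively against the listed SHA-256 values (the advisory prints them with mixed case) and flags ss/netstat-style socket lines whose local or peer port is 30004/TCP or 30005/TCP. The `ss -tn` sample output is constructed, not captured from a real host.

```python
import hashlib
import os
import re
# SHA-256 IOCs from the advisory (digest -> component), stored lowercased for matching
GITPASTE12_HASHES = {
    "e67f78c479857ed8c562e576dcc9a8471c5f1ab4c00bb557b1b9c2d9284b8af9": "Miner",
    "ed4868ba445469abfa3cfc6c70e8fdd36a4345c21a3f451c7b65d6041fb8492b": "Hide.so",
    "bd5e9fd8215f80ca49c142383ba7dbf7e24aaf895ae25af96bdab89c0bdcc3f1": "Miner Config",
    "5d1705f02cde12c27b85a0104cd76a39994733a75fa6e1e5b014565ad63e7bc3": "Shell script",
}
GITPASTE12_PORTS = {30004, 30005}  # service ports listed in the advisory

def lookup_digest(digest, hashes=GITPASTE12_HASHES):
    """Case-insensitive IOC lookup: hash feeds (this advisory included) mix upper- and lower-case hex."""
    return hashes.get(digest.strip().lower())

def sha256_file(path):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_tree(root, hashes=GITPASTE12_HASHES):
    """Walk root and return [(path, component)] for every file whose digest is a listed IOC."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                component = lookup_digest(sha256_file(path), hashes)
            except OSError:  # unreadable or vanished file: skip it rather than abort the sweep
                continue
            if component:
                hits.append((path, component))
    return hits

# Local and peer "addr:port" columns of `ss -tn` / `netstat -tn` style output ("*" = any port)
_SOCK_RE = re.compile(r"\S+:(\d+)\s+\S+:(\d+|\*)")

def suspicious_sockets(lines, ports=GITPASTE12_PORTS):
    """Return socket lines whose local or peer port is one of the advisory's service ports."""
    return [line.strip() for line in lines
            if (m := _SOCK_RE.search(line)) and ports & {int(p) for p in m.groups() if p.isdigit()}]

# Constructed sample of `ss -tn` output (not captured from a real host)
SAMPLE_SS_OUTPUT = """LISTEN 0      128    0.0.0.0:22           0.0.0.0:*
ESTAB  0      0      192.168.1.10:51234   203.0.113.5:30005
LISTEN 0      128    0.0.0.0:30004        0.0.0.0:*"""
```

A hash match is strong evidence but a port match alone is only a lead, since nothing reserves 30004/30005 for this malware; confirm with the process owning the socket before acting.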
