Gitpaste-12 Malware Targets Multiple Known Vulnerabilities

Published on December 1, 2020 | 10:39 PM IST

Share this Advisory:

Gitpaste-12 is a wormable malware which has the ability to form a network of bots for crypto-mining. Gitpaste-12 is also capable of cracking passwords via brute-forcing and using exploits for known vulnerabilities on infected hosts. The malware uses GitHub and Pastebin to host its code and payload. Pastebin is used as a Command and Control (C&C) to control its victims.

As part of defence evasion, the malware disables firewalls, monitoring solutions, Linux AppArmor etc., to prepare the environment for further compromise. It also targets lower-end systems of ARM and MIPS, especially IoT devices.

Known vulnerabilities targeted by the malware

CVE-2017-14135	Webadmin plugin for opendreambox
CVE-2020-24217	HiSilicon based IPTV/H.264/H.265 video encoder
CVE-2017-5638	Apache Struts
CVE-2020-10987	Tenda router
CVE-2014-8361	Miniigd SOAP service in Realtek SDK
CVE-2020-15893	UPnP in dlink routers
CVE-2013-5948	Asus routers
EDB-ID: 48225	Netlink GPON Router
EDB-ID: 40500	AVTECH IP Camera
CVE-2019-10758	MongoDB
CVE-2017-17215	Huawei router

Note: EBD-ID : Exploit Database ID

Malware Components

Miner module
Hide.so defense evasion module
Miner Config
Shell Script

Impact

Technical Impact

Unauthorized access to filesystem and operating system functionalities.
Disables security solutions without users’ consent, thus creating false sense of security.
Unauthorized resource consumption for crypto mining.

Business Impact

Performance loss of servers and other assets due to excessive crypto-mining.
Violation of confidentiality, integrity, and availability of information systems leading to loss of trust and reputation.
Cost of remediation to “clean” the infected systems.