New Report
Global Cyber Threat Landscape Q2 2021 | Download now
Global Cyber Threat Landscape 2021 Quarter 2 report available.
Download now
Schedule a demo

Gitpaste-12 Malware Targets Multiple Known Vulnerabilities

Summary

Gitpaste-12 is a wormable malware which has the ability to form a network of bots for crypto-mining which is now targeting Multiple Known Vulnerabilities.
Advisory Malware Intelligence
Malware  Gitpaste-12
Targets x86_Linux Servers/Linux ARM&MIPS (IoT)
[/vc_wp_text][vc_column_text]Gitpaste-12 is a wormable malware which has the ability to form a network of bots for crypto-mining. Gitpaste-12 is also capable of cracking passwords via brute-forcing and using exploits for known vulnerabilities on infected hosts. The malware uses GitHub and Pastebin to host its code and payload. Pastebin is used as a Command and Control (C&C) to control its victims.  As part of defence evasion, the malware disables firewalls, monitoring solutions, Linux AppArmor etc., to prepare the environment for further compromise. It also targets lower-end systems of ARM and MIPS, especially IoT devices.

Known vulnerabilities targeted by the malware

CVE-2017-14135 Webadmin plugin for opendreambox
CVE-2020-24217 HiSilicon based IPTV/H.264/H.265 video encoder
CVE-2017-5638 Apache Struts
CVE-2020-10987 Tenda router
CVE-2014-8361 Miniigd SOAP service in Realtek SDK
CVE-2020-15893 UPnP in dlink routers
CVE-2013-5948 Asus routers
EDB-ID: 48225 Netlink GPON Router
EDB-ID: 40500 AVTECH IP Camera
CVE-2019-10758 MongoDB
CVE-2017-17215 Huawei router
Note: EBD-ID : Exploit Database ID  

Malware Components

  • Miner module
  • Hide.so defense evasion module
  • Miner Config
  • Shell Script
 

Impact 

Technical Impact

  • Unauthorized access to filesystem and operating system functionalities.
  • Disables security solutions without users’ consent, thus creating false sense of security.
  • Unauthorized resource consumption for crypto mining.  
 

Business Impact

  • Performance loss of servers and other assets due to excessive crypto-mining. 
  • Violation of confidentiality, integrity, and availability of information systems leading to loss of trust and reputation.
  • Cost of remediation to “clean” the infected systems.
 

Mitigation

  • Deployment of Host based Intrusion Detection and Prevention System (IDPS).
  • Strict firewall filtering.
  • Updated monitoring tools and Endpoint detection and response (EDR) solutions.
  • Effective traffic control and monitoring.
  • Effective resource usage monitoring.
 

Indicators of Compromise (IOCs)

URLs   Service Ports
  • 30004/TCP
  • 30005/TCP
  Hashes (SHA-256)
  • Miner
E67f78c479857ed8c562e576dcc9a8471c5f1ab4c00bb557b1b9c2d9284b8af9
  • Hide.so
Ed4868ba445469abfa3cfc6c70e8fdd36a4345c21a3f451c7b65d6041fb8492b
  • Miner Config
Bd5e9fd8215f80ca49c142383ba7dbf7e24aaf895ae25af96bdab89c0bdcc3f1
  • Shell script
5d1705f02cde12c27b85a0104cd76a39994733a75fa6e1e5b014565ad63e7bc3

Table of Contents

Try XVigil for free

Request an easy and customized demo for free

Be informed in your Inbox
Sign up now to our Threat intelligence Newsletter and be the first to know about threats first in your inbox.
Subscribe now
Join the Discussions
Discuss your way into our Community about these threats and stay Vigilant and informed.
Discuss Now